What Are Watering Hole Attacks & How to Prevent Such Attacks
Watering hole attacks are becoming increasingly common because they allow malicious actors to compromise intermediary targets in order to reach their intended final targets.
What Is a Watering Hole Attack and How It Works
In a watering hole attack, a malicious actor compromises a third-party service, such as a publicly available website, in order to get access to the intended final target. There are various reasons why threat actors attack third-party services instead of the intended final targets. It could be that the intended final targets have stronger cyber defences, while third-party services lack the necessary cyber defences.
In watering hole attacks, threat actors study the employees of the intended final targets, such as finding out what sites these employees often visit. These sites are then analysed.
Sites with weak defences are then compromised: attackers inject malicious software (malware) into them or redirect visitors to attacker-controlled sites, so that the targeted employees download the malware when they visit. Attackers may also nudge an employee into visiting the compromised website or the URL they control by tricking the employee into clicking a malicious link in a phishing email.
Once inside an employee’s device, threat actors then move toward the intended final target.
Examples of Watering Hole Attacks
The recent disclosure by researchers at Google's Threat Analysis Group about a small collection of compromised websites used in watering hole attacks, which ultimately targeted site visitors using certain versions of iPhones, highlights the growing danger of watering hole attacks.
Researchers at Google's Threat Analysis Group revealed that over a period of at least two years, almost every version of iOS 10 through iOS 12 was potentially vulnerable when users visited a small collection of compromised websites. Simply visiting a compromised site, the researchers said, was enough for the exploit server to attack a vulnerable iPhone and install malicious code that monitored the user's activities.
The researchers estimated that the compromised sites receive thousands of visitors each week. In attacking the specific versions of iPhones, researchers at Google's Threat Analysis Group said, they identified a total of 14 security vulnerabilities: 7 for the iPhone’s web browser, 5 for the kernel and 2 separate sandbox escapes.
Other Cases of Legitimate Sites Used for Watering Hole Attacks
In late February and early March this year, reports came out that the website of the International Civil Aviation Organization (ICAO) was used as an intermediary target for a watering hole attack in which the intended final targets were ICAO members. Montreal, Canada-based ICAO is a specialized agency of the United Nations that codifies the principles and techniques of international air navigation.
In November 2018, researchers at ESET reported that 21 distinct websites in Vietnam and Cambodia, including those of the Ministry of Defense of Cambodia, the Ministry of Foreign Affairs and International Cooperation of Cambodia and several Vietnamese newspapers, were used as intermediary targets in watering hole attacks.
According to the researchers, the modus operandi was similar on all compromised websites: the attackers add a small piece of malicious code to each compromised site. While not applicable in all cases, the researchers reported that the code injected into the compromised websites checks the visitor’s location, and only visitors from Vietnam and Cambodia actually receive the malware. The researchers added that the server controlled by the attackers can send an additional payload – the malware that performs the actual malicious actions.
Researchers at ESET said they weren’t able to obtain examples of the payloads sent by the attackers, as these payloads were only delivered to specific targets and it wasn’t possible to get them using a test machine. In November 2017, researchers at Volexity found a similar set of compromised websites belonging to individuals and organizations tied to the government, the media, human rights and civil society groups. In these cases, the researchers found that the payloads downloaded onto the site visitor’s computer included a pop-up asking the victim to approve OAuth access to their Google account. This tactic allows attackers to get access to the victim’s contacts and emails.
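The injected "small piece of malicious code" described above is exactly what a site-integrity check should catch. The following added example (not code from ESET, Volexity or the original article) fingerprints a page's script elements and reports any that are absent from a known-good baseline; the HTML pages and the attacker host name are constructed samples.

```python
"""Added example: detect script injection on a monitored web page by comparing
its <script> elements against a known-good baseline snapshot."""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collects external script URLs and SHA-256 digests of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = set()
        self.inline = set()
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(src.strip())
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).strip()
            self.inline.add(hashlib.sha256(body.encode()).hexdigest())
            self._in_script = False


def script_fingerprint(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline


def find_injected_scripts(baseline_html, current_html):
    """Return (new external script URLs, new inline script digests) vs. baseline."""
    base_ext, base_inl = script_fingerprint(baseline_html)
    cur_ext, cur_inl = script_fingerprint(current_html)
    return sorted(cur_ext - base_ext), sorted(cur_inl - base_inl)


# Constructed sample: the known-good page, and a copy in which one extra
# script tag pointing at a placeholder attacker-controlled host was added.
BASELINE = """<html><head>
<script src="/static/app.js"></script>
<script>window.siteConfig = {"lang": "en"};</script>
</head><body><p>Welcome</p></body></html>"""

CURRENT = BASELINE.replace(
    "</head>",
    '<script src="https://cdn.example-attacker.invalid/l.js"></script></head>')

if __name__ == "__main__":
    new_ext, new_inl = find_injected_scripts(BASELINE, CURRENT)
    for src in new_ext:
        print("new external script:", src)
    for digest in new_inl:
        print("new inline script (sha256):", digest)
```

A baseline snapshot taken from a trusted copy of the site is the reference; run the comparison against the live page on a schedule so that an injected tag is flagged within hours rather than months.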
The recent watering hole attacks are reminiscent of the cyber-espionage campaign called “Epic Turla”. In August 2014, Kaspersky observed 100 compromised websites for watering hole attacks.
Once a computer is infected with the Epic malware, Kaspersky reported, the malware immediately connects to the command-and-control (C&C) server, which delivers a pre-configured series of commands for execution and custom lateral movement tools such as a keylogger – a malicious program aimed at stealing data by recording every keystroke made by a computer user.
Prevention and Mitigation Measures
Here are some cyber security measures in order to prevent or mitigate the effects of watering hole attacks:
NASA’s Jet Propulsion Laboratory (JPL) Hacked for 10 Months
The Office of Inspector General of the National Aeronautics and Space Administration (NASA) recently revealed that the Jet Propulsion Laboratory (JPL), the center of NASA’s interplanetary robotic research efforts, was hacked for 10 months.
According to NASA's Office of Inspector General, JPL, being the center of NASA’s interplanetary robotic research efforts, maintains a wide range of public internet-facing IT systems that support missions, as well as networks that control spacecraft, collect and process scientific data and perform critical operational functions. Despite efforts to protect these public internet-facing IT systems, NASA's Office of Inspector General said that critical vulnerabilities remained, resulting in a cyber-attack on JPL’s network that started in April 2018.
This April 2018 attack, NASA's Office of Inspector General said, remained undetected for 10 months resulting in the exfiltration of approximately 500 megabytes of data from 23 files, 2 of which contained “International Traffic in Arms Regulations information related to the Mars Science Laboratory mission”.
How JPL’s Network Was Hacked and Lessons Learned
The April 2018 attack on JPL’s network, NASA's Office of Inspector General found, started when an unauthorized Raspberry Pi connected to its network. Raspberry Pi is a credit card-sized computer that’s capable of doing everything a desktop computer can do, from browsing the internet to playing games. The audit report showed that the malicious Raspberry Pi found its way into JPL’s network through the following series of events:
1. Incomplete and Inaccurate System Component Inventory
The report of NASA's Office of Inspector General showed that the malicious Raspberry Pi found its way into JPL’s network as JPL had incomplete and inaccurate information about the types and location of NASA system components and assets connected to its network.
One of the cybersecurity best practices for preventing unauthorized intrusions into a network is having a complete and accurate inventory of all devices connected to that network. This inventory is essential for effectively monitoring, reporting and responding to cybersecurity incidents. Benefits of a proper inventory of assets on the network include vetting and clearing of assets by security officials prior to connecting them to the network, timely patching and tracking of valuable assets and of the data stored on them.
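The inventory control above only pays off if something compares what is actually on the network with what is approved. The following added example (not from the NASA OIG report or JPL's own tooling) reconciles DHCP lease records against an asset inventory and flags every device that is not in it; the inventory, asset tags, host names and lease lines are constructed samples, and the lease-line format (timestamp, MAC, IP, hostname) is an assumption.

```python
"""Added example: flag devices seen in DHCP leases that are absent from the
approved asset inventory, such as the unauthorized Raspberry Pi described above."""
import re
from dataclasses import dataclass

# Constructed approved-asset inventory: MAC -> (owner, asset tag). Tags are placeholders.
INVENTORY = {
    "00:1a:2b:3c:4d:5e": ("mission-ops", "ASSET-0001"),
    "00:1a:2b:3c:4d:5f": ("mission-ops", "ASSET-0002"),
}

# OUI prefixes worth a closer look when the device is not inventoried.
# b8:27:eb is the OUI registered to the Raspberry Pi Foundation.
WATCHLIST_OUI = {"b8:27:eb": "Raspberry Pi Foundation"}

# Constructed DHCP lease lines (assumed format: timestamp mac ip hostname).
LEASE_LOG = """\
2018-04-10T08:12:01Z 00:1a:2b:3c:4d:5e 10.0.5.21 ops-ws-01
2018-04-10T08:14:37Z b8:27:eb:aa:bb:cc 10.0.5.88 raspberrypi
2018-04-10T08:15:02Z 00:1a:2b:3c:4d:5f 10.0.5.22 ops-ws-02
2018-04-10T09:01:44Z 3c:97:0e:11:22:33 10.0.5.90 unknown-host
"""

LINE_RE = re.compile(r"^(\S+)\s+([0-9a-fA-F:.-]{12,17})\s+(\S+)\s+(\S+)$")


@dataclass
class Finding:
    seen_at: str
    mac: str
    ip: str
    hostname: str
    vendor_hint: str


def normalize_mac(raw):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff forms."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {raw}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def find_uninventoried(log_text, inventory=INVENTORY):
    """Return a Finding for every lease whose MAC is not in the inventory."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than abort the whole sweep
        seen_at, raw_mac, ip, host = match.groups()
        mac = normalize_mac(raw_mac)
        if mac in inventory:
            continue
        hint = WATCHLIST_OUI.get(mac[:8], "vendor not on watchlist")
        findings.append(Finding(seen_at, mac, ip, host, hint))
    return findings


if __name__ == "__main__":
    for f in find_uninventoried(LEASE_LOG):
        print(f"{f.seen_at} {f.mac} {f.ip} {f.hostname}: not in inventory ({f.vendor_hint})")
```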
2. Inadequate Segmentation of Network Environment Shared with External Partners
Due to the nature of JPL’s work, its partners, including foreign space agencies, contractors and educational institutions, are allowed remote access to its network for specific missions and data. Network segmentation creates barriers that attackers cannot easily cross, because it eliminates connections between systems that have no need to communicate with each other.
According to NASA's Office of Inspector General, the April 2018 cyber-attack exploited the lack of segmentation of JPL’s network, enabling the attacker to move between various systems connected to the network. In May 2018, NASA's Office of Inspector General said, IT security officials at the Johnson Space Center (Johnson), which handles programs such as the Orion Multi-Purpose Crew Vehicle and the International Space Station, decided to temporarily disconnect from JPL’s network due to security concerns. “Johnson officials were concerned the cyber-attackers could move laterally from the gateway into their mission systems, potentially gaining access and initiating malicious signals to human space flight missions that use those systems,” NASA's Office of Inspector General said.
3. Untimely Patch Application
Patches, also known as security updates, fix known security vulnerabilities. Attackers often exploit known security vulnerabilities for which patches are already available, knowing that a portion of users delay applying these patches for days, and some even for months or years.
According to NASA's Office of Inspector General, JPL had not applied the patch for a known software vulnerability first identified in 2017 and rated with a critical severity score of 10, the highest possible rating. This 2017 security vulnerability, NASA's Office of Inspector General said, was only patched in March 2019; during the April 2018 cyber-attack, one of JPL’s four compromised systems had not been patched for it in a timely manner, resulting in the exfiltration of 23 files containing approximately 500 megabytes of data.
4. Delayed Response to the Attack
After detection of a cyber-attack, the next logical steps are containment and eradication. Containment strategies include performing a system shutdown, disconnecting a system from the network and identifying all attack paths. Eradication strategies, meanwhile, include assessment and analysis of exploited vulnerabilities, removal of malware and affected files, and application of security patches. “Most of these steps [containment and eradication] require sophisticated forensic expertise and tools that when not available in-house should be in place through service agreements with specialized providers,” NASA's Office of Inspector General said.
Although JPL had disabled the account targeted by the adversary and closed off the known path of attack, NASA's Office of Inspector General said the NASA Security Operations Center requested an independent assessment from the Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT) to determine the extent of the attack and completely remove the adversary from JPL’s network. NASA's Office of Inspector General added that because JPL was unfamiliar with DHS’s standard engagement procedures, DHS was only able to perform scans of JPL’s entire network 4 months after the cyber-attack was detected.
“Once DHS performed the scans, it determined there were no other attack paths and deemed the network clean; however, the delay in executing the eradication steps left NASA data and systems vulnerable to potential additional harm,” NASA's Office of Inspector General noted.
Your business may suffer the same fate if left unprotected. More importantly, to truly understand the state of your cyber defences, you must perform an IT security audit.
Call us today and find out if your business is well protected.
Malicious Email Campaigns Geo-Target Canadian Organizations, Report Says
Canadian organizations are increasingly becoming the targets of cyber-attackers as shown in the recent discovery of nearly 100 malicious email campaigns specifically targeting organizations based in Canada.
In the report "Beyond 'North America' - Threat actors target Canada specifically", researchers at Proofpoint reported that between January 1, 2019 and May 1, 2019, threat actors conducted nearly 100 malicious email campaigns that specifically targeted Canadian organizations or were customized for Canadian audiences.
Malicious Email Campaigns
A malicious email campaign, also known as a phishing scam, is a type of cyber-attack that uses email as a weapon. Phishing emails contain malicious attachments or malicious links.
Downloading this malicious attachment or clicking this malicious link could lead to compromise. Victims are tricked into opening the malicious email and downloading this malicious attachment or clicking this malicious link as threat actors use branding familiar to the recipients.
In the recent malicious email campaigns detected by Proofpoint researchers, the top affected organizations in Canada include financial services, energy/utilities, manufacturing, healthcare and technology. The researchers also observed that some of the malicious emails sent were customized for the French-speaking recipients in Canada.
In the nearly 100 malicious email campaigns specifically targeting Canadian organizations, Proofpoint researchers also observed that the threat actors tricked victims into opening the malicious email, downloading the malicious attachment or clicking the malicious link by stealing the branding of several notable Canadian companies and agencies, including national banks, major shipping and logistics organizations and government agencies.
“Emotet in particular, with its frequent region-specific email campaigns, is bringing new attention to geo-targeting in Canada …,” Proofpoint researchers said.
The first version of the malicious software (malware) Emotet, which was first observed in 2014 targeting German and Austrian victims, functioned as a banking trojan – a type of malware designed to steal financial data.
Since then, Emotet has evolved into a powerful malware, with its ability to continuously evolve and update its capabilities for various online criminal activities from information stealing to distributed denial-of-service (DDoS) attacks. In recent years, instead of delivering its own banking trojan, Emotet has delivered third-party banking trojans such as Qbot, The Trick, IcedID and Gootkit.
In 2018, the United States Computer Emergency Readiness Team (US-CERT) issued an alert warning about the dangers of Emotet. "Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors,” US-CERT said. “Emotet infections have cost SLTT governments up to $1 million per incident to remediate.”
One of the reasons why Emotet continues to be among the most costly and destructive malware is its worm-like capability, that is, the ability to spread from computer to computer without any human action.
Emotet has been known to spread from computer to computer without any human interaction by accessing Server Message Block (SMB), an internet standard protocol that Windows uses to share files, printers and serial ports. “Emotet’s access to SMB can result in the infection of entire domains (servers and clients),” US-CERT said.
Emotet is also capable of spreading its own phishing emails without human interaction through the use of an Outlook scraper, a tool that scrapes names and email addresses from the victim’s Outlook accounts and uses these names and email addresses to send out additional phishing emails from the compromised accounts.
According to Proofpoint researchers, the threat actor called “TA542” is the primary actor behind Emotet. Proofpoint researchers said that this threat actor is known to use the latest version of Emotet and develops malicious emails specific to given regions in the world.
"TA542 typically distributes high volume email campaigns consisting of hundreds of thousands or even millions of messages targeting all industries,” Proofpoint researchers said. “TA542 is currently one of the most prolific actors in the entire threat landscape. With TA542’s international reach and high volume campaign strategy, we expect Emotet use to continue to grow in the upcoming quarters.”
Even as Emotet has evolved in terms of capabilities, one thing remains constant with this malware: delivery is always via malicious email. As the delivery is always via malicious email, it’s important to protect your organization’s email system from this threat through the following mitigating measures:
Here are additional cyber-security measures in order to block or mitigate the effects of Emotet:
Timely identification and mitigation of IT risks can save your business from suffering costly consequences. Call us today and we will show you how to better protect your staff and your sensitive information against targeted attacks.
Cyber Espionage Group Targets Critical Infrastructure Using Old Hacking Tactics
Cyberattacks against critical infrastructure – energy, nuclear, water, aviation and critical manufacturing sectors – in the US have been going on since May 2017, the US Computer Emergency Readiness Team (US-CERT) said in a rare technical alert notice.
Symantec, on the other hand, reported that cyberattacks against the energy infrastructure in some European countries and in the US have been underway since December 2015. Cisco researchers, meanwhile, reported that since at least May 2017 they have observed attackers targeting critical infrastructure and energy companies around the world, in particular in Europe and the US.
While US-CERT and Cisco didn’t name a particular group responsible for the ongoing cyberattacks against critical infrastructure, Symantec identified the threat actors collectively known as “Dragonfly” as the group behind the cyberattacks against the energy sector. Symantec researchers said the group has been in operation since at least 2011.
Symantec dubbed Dragonfly’s latest campaign against the energy sector “Dragonfly 2.0”, a campaign that started in late 2015, the most notable cyberattack of which was the attack against Ukraine’s power system in 2015 and 2016, resulting in power outages affecting hundreds of thousands of residents.
The US-CERT technical alert – the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) – and the reports from Symantec and Cisco showed that old hacking tactics have been employed by the threat group.
Methods of Cyber Attacks
1. Malicious Emails
According to US-CERT, the threat group used malicious emails or phishing emails with the subject line such as “AGREEMENT & Confidential”. The group also used malicious Microsoft Word attachments that appear to be legitimate invitations, policy documents or curricula vitae for industrial control systems personnel to lure users to open the attachment, US-CERT said.
According to Symantec, one example of the malicious email campaigns used by the threat group was a set of emails disguised as an invitation to a New Year’s Eve party, sent to targets in the energy sector in December 2015.
Cisco researchers identified an email-based attack called "Phishery", targeting the energy sector, including nuclear power. Phishery became publicly available on GitHub in late 2016.
“Typically, malicious Word documents that are sent as attachments to phishing emails will themselves contain a script or macro that executes malicious code,” Cisco researchers said. “In this case, there is no malicious code in the attachment itself. The attachment instead tries to download a template file over an SMB connection so that the user's credentials can be silently harvested. In addition, this template file could also potentially be used to download other malicious payloads to the victim's computer.”
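The behaviour Cisco describes, a document with no macro that instead declares a remote template, leaves a visible trace in the document's own relationship part. The following added example (not Cisco's analysis code nor the Phishery project's) checks a .docx for an attached-template relationship whose target points to an SMB share or web server, the check a mail gateway or incident responder would want; the sample document and the host name in it are constructed in memory as a test fixture.

```python
"""Added example: inspect a .docx for an externally attached template, the
Word feature abused in the attachment described above."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"
# Targets that resolve off the local machine: UNC paths and remote URL schemes.
REMOTE_RE = re.compile(r"^(\\\\|//|(smb|https?|ftp|file)://)", re.IGNORECASE)


def remote_template_targets(docx_bytes):
    """Return every attachedTemplate target that points outside the local machine."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        if SETTINGS_RELS not in archive.namelist():
            return hits  # no settings relationships, so no attached template
        root = ET.fromstring(archive.read(SETTINGS_RELS))
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("Type") != ATTACHED_TEMPLATE:
            continue
        target = rel.get("Target", "")
        if rel.get("TargetMode", "Internal") == "External" and REMOTE_RE.match(target):
            hits.append(target)
    return hits


def build_docx(template_target=None):
    """Test fixture: a minimal .docx-shaped archive, optionally declaring a template.

    Only the relationship part matters for the check; the other parts are placeholders.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<document/>")
        if template_target is not None:
            archive.writestr(
                SETTINGS_RELS,
                f'<Relationships xmlns="{REL_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}" TargetMode="External"/>'
                f"</Relationships>")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: template on a UNC share of a placeholder host.
    sample = build_docx(r"\\template-host.invalid\share\invoice.dotm")
    print("remote templates:", remote_template_targets(sample))
```

A locally attached template (a path under the user's own template folder) is normal and is deliberately not flagged; only targets that would make Word reach out over the network at open time are reported.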
2. Watering Holes
According to US-CERT and Symantec, the cyber espionage group used "watering holes" – websites that have legitimate content by reputable organizations but are altered by the threat group to have malicious content. Almost half of the known watering holes, the US Computer Emergency Readiness Team said, are reputable websites that offer information to those in the critical infrastructure sector.
“As well as sending malicious emails, the attackers also used watering hole attacks to harvest network credentials, by compromising websites that were likely to be visited by those involved in the energy sector,” Symantec said.
3. Social Engineering
These stolen network credentials, according to Symantec, were then used for follow-up attacks on the target critical infrastructure organization itself by delivering trojanized software – malicious software that’s disguised as legitimate software.
One of the trojans used by the Dragonfly group is Karagany.B – malicious software that infiltrates the computer systems of target organizations by masquerading as a Flash update. Here the group used the old hacking tactic of social engineering – convincing victims that they need to download software, in this case an update for their Flash player.
The trojan Karagany.B gives attackers remote access to the victims’ computer systems and allows them to install additional malicious tools if needed. Another trojan used by the group, according to Symantec, is Heriplor – malicious software that also gives attackers remote access to the victims’ computer systems.
“Trojan.Heriplor is a backdoor that appears to be exclusively used by Dragonfly, and is one of the strongest indications that the group that targeted the western energy sector between 2011 and 2014 is the same group that is behind the more recent attacks,” Symantec said. “This custom malware is not available on the black market, and has not been observed being used by any other known attack groups.”
Symantec noted that Dragonfly’s origins cannot be definitively determined. While some of Dragonfly’s malware code contained strings written in Russian and French, Symantec noted, this could be a deliberate attempt to mislead investigators.
How to Prevent Dragonfly Attacks
To prevent Dragonfly attacks, the US-CERT recommends the following:
Steve E. Driz, I.S.P., ITCP