The Elderwood Project: “Watering Hole” Attacks (Symantec)

Zebras are the target; ...

In 2009, a group using the Hydraq (Aurora) Trojan horse began a series of high-profile attacks. Symantec has been monitoring the attacking group’s activities for the last three years as it has consistently targeted a number of industries. These attackers have used a large number of zero-day exploits not just against the intended target organization, but also against the supply chain manufacturers that service the company in their crosshairs. The attackers are systematic and re-use components of an infrastructure Symantec has termed the “Elderwood Platform”; the name “Elderwood” comes from the exploit communication used in some of the attacks. This attack platform enables them to deploy zero-day exploits quickly. Their methodology has always relied on spear phishing emails, but there is now an increased adoption of “watering hole” attacks (compromising certain websites likely to be visited by the target organization).

The “watering hole” attack is a clear shift in the attacking group’s method of operations. The concept of the attack is similar to a predator waiting at a watering hole. The predator knows that victims will eventually have to come to the watering hole, so rather than go hunting, it waits for its victims to come to it. Similarly, attackers find a website that caters to a particular audience, which includes the target the attackers are interested in. Having identified this website, the attackers hack into it using a variety of means. The attackers then inject an exploit onto public pages of the website that they hope will be visited by their ultimate target. Any visitor susceptible to the exploit is compromised and a backdoor Trojan is installed on their computer.

Symantec published a research paper that details the links between various exploits used by this attacking group, their method of targeting organizations, and the Elderwood Platform. It puts into perspective the continuing evolution and sheer resilience of entities behind targeted attacks.

Source: Symantec: The Elderwood Project (“Watering Hole” Attacks)

Council on Foreign Relations Website Hit by Watering Hole Attack, IE Zero-Day Exploit, Dec 29, 2012

Security company FireEye reported Friday night that the CFR website had been compromised as early as Dec. 21 and was still hosting malware last Wednesday, the day after Christmas. Researchers there said the attackers were exploiting a zero-day vulnerability in Microsoft’s Internet Explorer browser.

“We can confirm that the malicious content hosted on the website does appear to use Adobe Flash to generate a heap spray attack against Internet Explorer version 8.0 (fully patched), which was the source of the zero-day vulnerability,” wrote FireEye’s Darien Kindlund on the company’s blog. “We have chosen not to release the technical details of this exploit, as Microsoft is still investigating the vulnerability at this time.”

Dustin Childs, group manager, Response Communications, Microsoft Trustworthy Computing, said in an email to Threatpost that the zero-day is in IE 6-8 and that the impact is limited.

“We will take appropriate action to help keep customers protected once our analysis is complete. People using Internet Explorer 9-10 are not impacted,” said Childs.

A further look into the exploit reveals that the JavaScript hosting the exploit only triggers against browsers set to English, Chinese (China and Taiwan), Japanese, Korean and Russian. The exploit also uses cookies to deliver the attack only once per user, and it tracks via cookies when the infected page was last visited, Kindlund said.

“Once those initial checks passed, the JavaScript proceeded to load a Flash file today.swf which ultimately triggered a heap spray in Internet Explorer in order to complete the compromise of the endpoint,” Kindlund said.
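The gating behaviour FireEye describes (a locale allow-list, a cookie so the payload is served once per visitor, then a Flash object load) is itself a useful detection signal when triaging pages pulled from a suspected watering hole. The script below is an added example written for this page, not FireEye's or Symantec's code; the two page fragments are constructed samples, not the real CFR content, and the indicator regexes are heuristics, not a signature for this specific exploit.

```python
import re

# Constructed sample (not the real CFR page): a fragment showing the three
# traits described in the write-up: locale allow-list, cookie one-shot, SWF load.
SUSPICIOUS = """
<script>
var l = (navigator.systemLanguage || navigator.language).toLowerCase();
if (l == "en-us" || l == "zh-cn" || l == "zh-tw" || l == "ja" || l == "ko" || l == "ru") {
  if (document.cookie.indexOf("seen=") == -1) {
    document.cookie = "seen=1";
    document.write('<object data="today.swf" type="application/x-shockwave-flash"></object>');
  }
}
</script>
"""

# Constructed benign page: a single locale check, an ordinary cookie, a Flash banner.
BENIGN = """
<script>
if (navigator.language == "fr") { document.title = "Bienvenue"; }
document.cookie = "session=abc123";
</script>
<embed src="banner.swf" type="application/x-shockwave-flash">
"""

LOCALE_API = re.compile(r"navigator\.(?:systemLanguage|userLanguage|browserLanguage|language)")
LOCALE_LIT = re.compile(r"""["'](en(?:-us)?|zh-cn|zh-tw|ja|ko|ru)["']""", re.I)
COOKIE_CHECK = re.compile(r"document\.cookie\.indexOf\(")
COOKIE_SET = re.compile(r"document\.cookie\s*=")
SWF_LOAD = re.compile(r"""["'][^"']*\.swf["']""", re.I)

def analyze(html: str) -> dict:
    """Return per-indicator hits for one page plus an overall verdict."""
    locales = {m.lower() for m in LOCALE_LIT.findall(html)}
    hits = {
        "locale_api": bool(LOCALE_API.search(html)),
        # an allow-list of several locales is the signal, not one locale check
        "locale_allowlist": len(locales) >= 3,
        # read-then-set on document.cookie is the once-per-visitor pattern
        "cookie_oneshot": bool(COOKIE_CHECK.search(html)) and bool(COOKIE_SET.search(html)),
        "swf_load": bool(SWF_LOAD.search(html)),
    }
    hits["gated_flash_delivery"] = all(hits.values())
    return hits

if __name__ == "__main__":
    for name, page in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, analyze(page))
```

A hit on all four indicators is a reason to pull the referenced .swf and the full script for analysis, not proof of compromise; the benign sample shows that a Flash banner or a single locale check alone does not trip the verdict.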

Aurora gang steps up attacks, with ‘seemingly unlimited’ zero-day exploits

The head of the NSA’s Information Assurance Directorate said, “we’re starting to see nation-state resources and expertise employed in what we would characterize as reckless and disruptive, destructive behaviors,” Reuters reported.

Even adversaries during the Cold War, who were always trying to spy on or disrupt each other, operated within boundaries, she said. “Some of today’s national cyber actors don’t seem to be bound by any sense of restraint,” she said.

Meanwhile, Symantec issued a report saying that Aurora, the group behind those attacks, which the company has dubbed the Elderwood gang because of some of the source code they used, has consistently targeted defense-related and other industries with “seemingly an unlimited number of zero-day exploits.”

Although Symantec’s report and Plunkett’s talk were not related, they both underscore the growth in international cyber activity.