While spear phishing remains the most popular targeted attack technique, a new report indicates that harder-to-detect watering hole attacks are on the rise.
In its first annual "Global Threat Report," Irvine, Calif.-based CrowdStrike, a security vendor focused on threat intelligence, detailed the attack methods and motivations of several attack groups from China, Russia and elsewhere based on incidents that took place in 2013. The company found the long-popular spear phishing technique to be the most popular tactic for targeted attacks, but warned that watering hole attacks are rising in popularity and could cause even more damage in 2014.
Referred to as "strategic Web compromise" (SWC) by CrowdStrike, watering hole attacks occur when malicious actors infect a legitimate website with malware for the explicit purpose of targeting that site's visitors. Though simple in concept, watering hole attacks claimed several high-profile organizations as victims last year, thanks to attackers' refinements of the technique.
One of the most well-known watering hole attacks in 2013 targeted the U.S. Department of Labor's Site Exposure Matrices website, which provides data on toxic substances at facilities run by the Department of Energy. CrowdStrike believes the actors behind the Department of Labor (DoL) website hack were ultimately interested in compromising individuals working in the government and energy sectors.
Watering hole attacks have advantages over spear phishing, according to CrowdStrike, such as the ability to bypass email filtering security technologies and lower operational risk for the criminals. Most of all, watering hole attacks are difficult to spot.
"As security awareness increases, potential victims are becoming attuned to look for spear phishing emails, and if they recognize them, they can thwart attackers at the outset," noted the report. "That is not the case with SWC operations because, unless targets have technical countermeasures in place to detect the SWC or prevent exploitation, there is no visible sign that malicious activity is occurring."
Watering hole attacks blend in so well, in fact, that even employees of tech giant Apple Inc. fell victim to one that targeted iPhone Dev SDK, a popular iOS mobile developers' forum. Adam Meyers, vice president of intelligence for CrowdStrike and co-author of the report, found the Apple incident particularly devastating because of the lack of security software available for Apple devices.
Still, there are some general methods that organizations can use to spot a watering hole attack before they are victimized, he noted, mainly by focusing on the network layer and writing rules for intrusion detection systems and other security products that detect heap-spraying attacks and the various methods used to set up watering holes.
"And then, of course, the other thing that was leveraged by a lot of the strategic Web compromisers was Java," Meyers said. "I think people have been moving away from Java on their Internet-facing zones. Limiting Java immediately lowers the exposure [to watering hole attacks]."
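To make the detection advice above concrete, here is an added example (not code from CrowdStrike or its report) of the kind of network-layer heuristic an IDS rule writer would express: it scans HTTP response bodies for two classic heap-spray signatures (a long run of one repeated `%uXXXX` escape being fed to `unescape()`, and a self-concatenation loop that grows a string until it fills memory) and for Java applet delivery elements, which the quoted advice on limiting Java targets. The sample bodies, the regexes and the thresholds (16 repeats, `while (x.length < N) x += x`) are constructed assumptions for illustration, not signatures from the report.

```python
"""Heuristic scan of web response bodies for heap-spray and Java-applet content."""
import re
from typing import Dict, List

# Constructed sample response bodies (not real captures). One benign page,
# one with a textbook heap spray, one delivering a Java applet.
SAMPLES: Dict[str, str] = {
    "benign.html": (
        "<html><body><script>var x = 'hello'; document.write(x);"
        "</script></body></html>"
    ),
    "spray.html": (
        "<html><script>var s = unescape('" + "%u0c0c" * 64 + "');"
        " while (s.length < 0x40000) s += s;</script></html>"
    ),
    "applet.html": (
        "<html><applet code='Exploit.class' archive='x.jar'></applet></html>"
    ),
}

# One %uXXXX escape repeated at least 16 times in a row. The backreference
# pins the repeat to the *same* value, which is what a spray slide looks like
# and what ordinary encoded text does not.
UNICODE_ESCAPE_RUN = re.compile(r"(%u[0-9a-fA-F]{4})\1{15,}")

# A string that is doubled in a loop until it passes a size bound:
#   while (s.length < 0x40000) s += s;
SELF_CONCAT_LOOP = re.compile(
    r"while\s*\(\s*(\w+)\.length\s*<[^)]*\)\s*\1\s*\+=\s*\1", re.IGNORECASE
)

# Elements that pull in Java content: <applet>, the applet MIME type, or an
# <object> pointing at a .jar archive.
JAVA_DELIVERY = re.compile(
    r"<applet\b|application/x-java-applet|<object[^>]*\.jar", re.IGNORECASE
)


def scan(body: str) -> List[str]:
    """Return a list of human-readable findings for one response body."""
    findings: List[str] = []

    run = UNICODE_ESCAPE_RUN.search(body)
    if run:
        repeats = len(run.group(0)) // len(run.group(1))
        findings.append(f"heap-spray: repeated escape {run.group(1)} x{repeats}")

    if SELF_CONCAT_LOOP.search(body):
        findings.append("heap-spray: self-concatenation growth loop")

    if JAVA_DELIVERY.search(body):
        findings.append("java: applet/jar delivery element")

    return findings


def scan_all(bodies: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan every body and keep only those that produced findings."""
    return {name: hits for name, body in bodies.items() if (hits := scan(body))}


if __name__ == "__main__":
    for name, hits in scan_all(SAMPLES).items():
        print(name)
        for hit in hits:
            print("  -", hit)
```

Both heap-spray checks fire on the constructed `spray.html`, the applet check fires on `applet.html`, and the benign page produces nothing. In practice a rule like the escape-run check is tuned on real traffic, since legitimate minified scripts occasionally contain short repeated escapes; the backreference and the repeat threshold are what keep the false-positive rate manageable.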
SEA shows spear phishing still a force
Watering hole attacks may be on the rise, but Meyers emphasized that spear phishing remains a dangerous threat. He pointed to the activities of the Syrian Electronic Army (SEA), referred to as DEADEYE JACKAL in the report, as an example of the effectiveness of such attacks.
Launched in 2011 at the outbreak of the Syrian civil war, the SEA originally focused on defacing the websites of news organizations such as the BBC and The New York Times that reported negatively on the Syrian government. Throughout 2013, the SEA attempted to further control the message around the Syrian government by utilizing social engineering tactics to compromise news organizations' Twitter accounts, including that of The Associated Press. The report notes that the group engaged in a spear-phishing campaign toward the end of last year that was aimed at collecting credentials from U.S.-based media outlets.
The most notable evolution in the SEA's tactics came in July of 2013, when the group successfully compromised three well-known communications applications: Truecaller, TangoME and Viber. At least in the case of TangoME, the attackers may have gained entry by spear phishing the company's employees. CrowdStrike believes the applications were targeted based on their user bases.
"Those [attacks] were geared toward gaining access to communications platforms that were being used by the rebels or dissidents, depending on how you want to categorize them," he said.
Meyers underscored that organizations and users must be on the lookout for spear-phishing campaigns related to big events in 2014, including the Winter Olympics in Sochi, the World Cup in Brazil and the G20 Summit in Australia. CrowdStrike outlined the activities of an attack group referred to as NUMBERED PANDA in its report, which utilized the 2013 G20 Summit as a topic in its spear-phishing campaign that spread the ShowNews malware.
"The 2014 events will draw attention from the same targeted sectors. G20-themed spear-phishing campaigns can be expected, and it is possible that SWC operations could be staged on the websites of G20-related organizations," warns the report. "Entities in the financial, government and NGO/international relations sectors should remain alert for possible targeted activity in the weeks leading up to this event."
Other emerging attack trends
The report highlights a number of other attack trends that enterprises and security professionals might face in 2014. For one, Meyers pointed to the increasing use of sandbox-aware malware, which is designed to counter the use of virtual machines (VMs) to detect and neutralize malware.
Meyers said he discovered one particularly devious sandbox-aware malware sample that would detect whether the malicious code was being run within a VM, a check that typically causes such malware simply not to run. In this case, though, Meyers said the malware carried multiple malicious payloads: one that malware researchers would consider "stupid" because it would clearly be picked up by a firewall, and the real malicious payload, which would execute only if the malware failed to detect a VM.
Meyers also circled the looming Windows XP end-of-life date as a likely source of security issues over the coming year. On April 8, 2014, the Windows XP operating system will no longer receive security patches or support from Microsoft, leaving those enterprises and users still running the legacy OS at the mercy of cybercriminals.
Speculation has mounted that attackers are stashing away vulnerabilities to use after the end-of-life date passes, and Meyers noted that CrowdStrike has seen indications that corroborate that claim.
"I was in a restaurant and was looking at the point-of-sale system, and that was Windows XP. And you look at some ATMs and some of the things that are in airports and other critical systems that you use every day, and you start noticing that they're running XP on a lot of that stuff," Meyers commented. "An exploit in Windows XP in 2014 will likely have pretty devastating effects because there's not going to be any patches for it."
Regardless of the techniques attackers decide to employ in 2014, Meyers made it clear that cybercriminals, nation-state hackers and hacktivists will all be looking to build on the success of 2013.
"We tracked 50 different adversaries … and I think that they're seeing the effectiveness of these campaigns; they're seeing how easy and how powerful they are, so I think we're going to see more and more proliferation of that," Meyers said. "We're seeing more actors get into the game this year. We saw a lot of new actors we hadn't previously seen, and I think we're going to continue to see more and more of those develop."