Sunday, September 09, 2012

A total war, the 21st century edition.

A white paper from Symantec (h/t CNet) details an ongoing large-scale e-spionage effort they call "The Elderwood Project." The company's researchers believe that the same group which (successfully) attacked Google through its China offices in 2009 is behind the current attacks:
The scale of the attacks, in terms of the number of victims and the duration of the attacks, are another indication of the resources available to the attackers. Victims are attacked, not for petty crime or theft, but for the wholesale gathering of intelligence and intellectual property. The resources required to identify and acquire useful information—let alone analyze that information—could only be provided by a large criminal organization, attackers supported by a nation state, or a nation state itself.


The report describes a specific technique they call the "watering hole," in which the attacker compromises a site its targets are known to visit and waits, as if in ambush, until those users access the site.


...the number of watering hole attacks have been on the increase. The attacks begin with an attacker locating a vulnerability on a chosen website. This vulnerability allows the attacker to insert some JavaScript, or HTML, into the website. That piece of code contains a link, or iFrame, which points to another Web page that actually hosts exploit code for the chosen vulnerability. When a user connects to the hacked website, they are automatically referred to the malicious Web page which exploits a vulnerability allowing the attacker to install malware onto the victim’s computer. Once the iFrame and malicious code are in place on the server, the attacker does not need to do anything but simply wait for victims to browse to the website, or visit the watering hole, and become infected.
Web injection attacks are not new and are commonly used in cybercrime. The difference between their use in cybercrime and in watering hole attacks is down to the choice of websites to compromise and use in the attacks. In a mass injection attack, criminals will indiscriminately compromise any website they can, but in watering hole attacks, the attackers are focused. They choose websites within a particular sector so as to infect persons of interest who likely work in that same sector and are likely to therefore visit related websites. Targeting a specific website is much more difficult than merely locating websites that contain a vulnerability. The attacker has to research and probe for a weakness on the chosen website.
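The injection pattern the report describes (an inserted iframe or script that pulls content from a host other than the site itself) is also what a defender can look for when auditing the HTML a site actually serves. The script below is an added example, not code from the Symantec report or from this post; the site host name, the sample page and the `find_suspicious_references` helper are constructed for illustration.

```python
"""Flag off-site or hidden <iframe>/<script> references in served HTML (watering hole indicator)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectedReferenceFinder(HTMLParser):
    """Collect iframe/script tags whose src points to another origin, and iframes
    styled to be invisible (the classic injected hidden-iframe redirector)."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (tag, src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline scripts need separate review; only references are checked here
        host = urlparse(src).netloc.lower()  # "" for relative paths, set for http(s):// and //host
        external = bool(host) and host != self.site_host and not host.endswith("." + self.site_host)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = tag == "iframe" and (
            "display:none" in style or "visibility:hidden" in style
            or a.get("width") == "0" or a.get("height") == "0")
        reasons = [r for r, hit in (("external-origin", external), ("hidden-iframe", hidden)) if hit]
        if reasons:
            self.findings.append((tag, src, reasons))


def find_suspicious_references(html, site_host):
    """Return findings for one HTML document, given the host the page was fetched from."""
    parser = InjectedReferenceFinder(site_host)
    parser.feed(html)
    return parser.findings


# Constructed sample: a fictional sector news site with two legitimate references,
# one external tracker, and an injected hidden iframe pulling in an exploit page.
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://static.industry-news.example/lib.js"></script>
<script src="//third-party.example.org/tracker.js"></script>
</head><body>
<iframe src="http://exploit-host.example.net/page.html" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, src, reasons in find_suspicious_references(SAMPLE_HTML, "industry-news.example"):
        print(f"{tag:<7} {src}  [{', '.join(reasons)}]")
```

An external reference is only an indicator: compare the findings against a known-good baseline of the site's own third-party includes, and treat a new hidden iframe or an unfamiliar host as the item to investigate first.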
Keeping a state or a trade secret seems to be an increasingly difficult task.

tags: security, internet, control, web
