Trouble At The Watering Hole
For the last few years, the web browser has been the attack vector of choice. There are two main reasons for this. The first is that the browser is our primary method for interacting with the virtual world. Banking, shopping, research, social media, business applications: we use it to touch so many aspects of our lives. The second is that it is a gateway for so many other pieces of technology. Flash, ActiveX, JavaScript, PHP, and many other executable formats are supported in the modern web browser. Each one opens up whole classes of vulnerabilities that can be exploited if you visit the wrong web site. The complexity and number of vendors involved in this framework guarantee that the browser will remain a ripe target: disclosed holes are patched, but new holes are always popping up.
The one thing that we have going for us is that HTTP is a pull technology. Unlike vulnerabilities that target services running on a machine (like MSRPC), browser-based vulnerabilities require some form of user interaction. The user must activate the malicious content by accessing a malicious server or attempting to render the content locally (like opening an email attachment). This means that an attacker must trick the user into accessing their poisoned content. The solution to that problem has primarily been social engineering. Attackers have basically used variations of a bait-and-switch approach. They commonly used the allure of illicit content (pirated software, free porn) to draw users from search engines, or sent out phishing emails/posts offering things like get-rich-quick schemes, political leaning content, or generic “You have to see this!” tags.
These techniques worked for a while, but are now seeing diminishing returns. Search engines are aggressively flagging or removing malicious sites from their results. Many browsers have started including the option to open windows with more secure settings for visiting sites that the user has concerns about. And, most importantly, digital Darwinism has started to provide us some herd immunity to email-based phishing attacks. There are people who still blindly click on links in email, but a combination of education and direct experience of compromise makes this pool smaller every day. Not only is the efficacy of these bait-and-switch tactics in decline, but the tactics also require the malicious site to advertise in a way that gets it quickly discovered. This greatly limits how long the site has to attack users until it is blacklisted. While attackers have had some renewed success by migrating these tactics from email to social media, their need to advertise still means that they have a limited time until they are discovered.
If you can’t lure your prey out into the open, you have to stalk them. One way of doing that is spear phishing. This tactic is a bait-and-switch just like phishing, but it has a much smaller release and is targeted to a specific organization or group of people. It can take the form of an official-looking email from your bank, a notice appearing to come from your IT department, or a request from a company you actually do business with. The targeted nature and limited distribution of these attacks make them much more likely to succeed than normal phishing attacks, but they still suffer from the same issues. Users are becoming better at detecting the attempts, and it only takes one suspicious recipient to escalate the email to a security professional or out it in a blog. Once disclosed, the server will get blacklisted and the code will be fingerprinted.
In 2009, Symantec discovered a new tactic being used by a group they call Elderwood (based on a variable name in some of their malware samples). Rather than setting up a trap and attempting to lure users in with bait, the group compromised legitimate sites that their intended targets were likely to visit. Mimicking the action of a predator waiting in ambush at a water source for prey to come get a drink, this kind of attack has been dubbed a “watering hole attack.” The attacks attributed to Elderwood have been targeted and sophisticated, using unknown (0day) exploits. This was essentially the next evolution of a spear phishing attack: using specific information about the targets to increase the probability of a compromise. Instead of crafting an email that would look valid to the user, they figured out what sites their targets visited and tried to compromise as many of those sites as they could. The content was still hosted on a malicious server, but the “legitimate” servers would be altered to direct the users to the malicious content without the user’s knowledge.
The recent attack on the Council on Foreign Relations (CFR) follows this pattern and has been attributed by Symantec to the Elderwood gang. The CFR website was compromised and used to infect computers using specific languages (English, Chinese, Japanese, Korean or Russian) via a 0day Internet Explorer vulnerability. The political nature of CFR along with the use of a 0day exploit suggests that this was a sophisticated attack directed at a specific group of people, likely by a governmental or political organization. This has been typical for most of the watering hole attacks, but that is starting to change. The Thompson machine gun (Tommy Gun) was invented for use by the US military, but it was the weapon of choice for organized crime by the Prohibition era.
The Elderwood crew pointed the way to the watering hole, and criminal attackers are following. A new Apache module that basically functions as a “watering hole attack in a can” has been discovered in the wild. Called Darkleech or Linux/Chapro.a, this module allows an attacker to link back to his malware of choice and goes to great lengths to avoid detection. It avoids attacking people who may administer the site by noting the addresses of machines that access admin tools or SSH to the web server. It also tracks the machines that it has infected so that it won’t try to infect them again (an attempt to avoid malware analysts).
So far, the malware used by these compromised websites is a variation of Zeus (a Trojan horse designed to steal banking information). That’s good news since this variation of Zeus can be detected by AV. The use of known malware as opposed to a 0day exploit makes this a less sophisticated attack than the CFR compromise, but the weaponization of the watering hole attack is a very disturbing development. If a module like this were to be coupled with an unknown malware, it would be extremely difficult to identify and trace back the compromise. This particular module will probably be detected by vigilant Linux administrators and vulnerability scanners in the near future since it has been discovered and analyzed, but it marks the beginning of a new chapter in the internet security arms race.
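One check a vigilant administrator can run against a rogue Apache module of the kind described above, as an added example that is not part of the original post: compare every `LoadModule` entry in the server configuration with a known-good baseline of file hashes. The module paths, file contents and baseline are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import re

# Apache directive names are case-insensitive: LoadModule <identifier> <path>.
# Commented-out lines start with "#" and therefore never match.
LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.IGNORECASE)

def parse_loadmodules(config_text):
    """Return [(identifier, path)] for every active LoadModule line."""
    matches = (LOADMODULE_RE.match(line) for line in config_text.splitlines())
    return [(m.group(1), m.group(2).strip('"')) for m in matches if m]

def audit_modules(config_text, baseline, read_file):
    """Compare loaded modules with a known-good baseline {path: sha256 hex}.
    read_file(path) returns the module's bytes, or None if unreadable."""
    findings = []
    for ident, path in parse_loadmodules(config_text):
        data = read_file(path)
        if path not in baseline:
            findings.append((ident, path, "not in baseline"))
        elif data is None:
            findings.append((ident, path, "file missing or unreadable"))
        elif hashlib.sha256(data).hexdigest() != baseline[path]:
            findings.append((ident, path, "hash differs from baseline"))
    return findings

# Constructed sample data: stand-ins for module files on disk.
SAMPLE_FILES = {
    "modules/mod_ssl.so": b"constructed-ssl-module-bytes",
    "modules/mod_rewrite.so": b"constructed-rewrite-TAMPERED",
    "modules/mod_example_unknown.so": b"constructed-unknown-bytes",
}
SAMPLE_BASELINE = {
    "modules/mod_ssl.so": hashlib.sha256(b"constructed-ssl-module-bytes").hexdigest(),
    "modules/mod_rewrite.so": hashlib.sha256(b"constructed-rewrite-original").hexdigest(),
}
SAMPLE_CONFIG = """\
# LoadModule status_module modules/mod_status.so
LoadModule ssl_module modules/mod_ssl.so
loadmodule rewrite_module modules/mod_rewrite.so
LoadModule example_unknown_module modules/mod_example_unknown.so
"""

def run_sample():
    return audit_modules(SAMPLE_CONFIG, SAMPLE_BASELINE, SAMPLE_FILES.get)

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Keep the baseline off the web server and build it from the distribution's own packages, since anyone able to install a module on the host can also alter files stored there.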
Tags: network security, network visibility, malware, targeted attacks







