Brian Krebs, as usual, did some great research in his most recent post looking into so-called “watering hole” attacks. Instead of attacking directly with PDF attachments or links to zip files, the perpetrators simply compromise a site that their targeted individuals are most likely to visit. Then the bad guys infect their systems through some type of browser drive-by attack.
Anyway, back to Brian’s interesting discovery… Although redacted in the original July RSA FirstWatch report, some of the data allowed Brian to successfully enumerate the source watering hole. In this case the perpetrators compromised a “curling” website to host malware and infect visitors using a drive-by attack. And amazingly, this “curling” site pulled an IEEE and Brian was able to find Google-cached versions of their web server logs. In analyzing these logs, Brian discovered the initial target sites through referrer references. And for those that are interested, those access logs are still cached online, as linked in Brian’s article. The attackers compromised these initial target sites and simply added a redirect to the “curling” site via an iframe.
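An added example (not code from Brian’s article or from this post) of the referrer-based enumeration described above: it parses a few constructed Apache combined-format access-log lines, drops empty and self-referrals, and counts which external hosts sent visitors to the watering hole’s landing page. All host names, paths and addresses are placeholders I made up.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample access-log lines (Apache "combined" format); hosts are placeholders.
SAMPLE_LOG = """\
198.51.100.10 - - [10/Sep/2012:14:02:11 -0400] "GET /news/ HTTP/1.1" 200 5123 "http://county-gov.example/" "Mozilla/5.0"
198.51.100.11 - - [10/Sep/2012:14:03:40 -0400] "GET /news/ HTTP/1.1" 200 5123 "http://defense-contractor.example/careers" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2012:14:05:02 -0400] "GET /about.html HTTP/1.1" 200 812 "http://curling-club.example/news/" "Mozilla/5.0"
198.51.100.12 - - [10/Sep/2012:14:06:15 -0400] "GET /news/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.13 - - [10/Sep/2012:14:07:30 -0400] "GET /news/ HTTP/1.1" 200 5123 "http://county-gov.example/services" "Mozilla/5.0"
"""

# One combined-format line: client, identd, user, timestamp, request, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def external_referrers(log_text, own_host, landing_path=None):
    """Count external referring hosts; if landing_path is given, only for hits on that path.

    Self-referrals (links from own_host) and requests without a Referer ("-") are
    ignored, so what remains are the sites whose pages pointed visitors here, e.g.
    via an injected iframe.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if landing_path and m["path"] != landing_path:
            continue
        ref = m["referer"]
        if ref == "-":
            continue
        host = urlparse(ref).hostname
        if not host or host == own_host:
            continue
        counts[host] += 1
    return counts


if __name__ == "__main__":
    hits = external_referrers(SAMPLE_LOG, "curling-club.example", "/news/")
    for host, n in hits.most_common():
        print(f"{n:4d}  {host}")
```

Run against a real cached log, the same counting over the compromised landing page turns the referrer column into a ranked list of candidate injected sites to verify by hand.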
The initial target website profiles included those associated with political activism, the Defense Industrial Base, metro Boston (financial services), and metro DC (government and education). One of the interesting affected sites that Brian pointed out was one for Prince George’s County’s government. But beyond that, several of these groupings affect many in the metro DC community in one way or another.
The rest of the article goes on to explain the results of the RSA analysis, including the exploits used, the number of affected targets, and some insight from a related Symantec report (i.e., Elderwood). But this is a little beyond the more technically interesting content involving the deduction of the curling site, finding the cached web server logs, and enumerating the initial target sites. Nice find!
Today’s post pic is from KrebsOnSecurity.com. See ya!