Watering Hole Site Pulls an IEEE

Brian Krebs, as usual, did some great research in his most recent post looking into so-called “watering hole” attacks. Instead of attacking targets directly with PDF attachments or links to zip files, the perpetrators simply compromise a site that their targeted individuals are most likely to visit. Then the bad guys infect their systems through some type of browser drive-by attack.

Pretty sneaky if you ask me. I’ve always been wary of going to some infosec sites for fear that the bad guys have compromised them with the goal of infecting an infosecer’s computer. Fortunately, disabling JavaScript and Java is the key to avoiding almost all of these drive-by attacks. Going without Java can be hard, as I previously discovered. And with almost all sites being AJAXified nowadays, it’s practically impossible to get anything working unless JavaScript is enabled. As we recommended before, the best approach is whitelisting, and NoScript does a pretty good job at that. Of course, if you’re visiting a trusted site that has since been compromised, you’re pretty much out of luck.

Anyway, back to Brian’s interesting discovery… Although redacted in the original July RSA FirstWatch report, some of the data led Brian to successfully enumerate the source watering hole. In this case the perpetrators compromised a “curling” website to host malware and infect visitors using a drive-by attack. And amazingly, this “curling” site pulled an IEEE and Brian was able to find Google-cached versions of its web server logs. In analyzing these logs, Brian discovered the initial target sites through the referrer field of the access log entries. And for those that are interested, those access logs are still cached online, as linked in Brian’s article. The attackers compromised these initial target sites and simply added a redirect to the “curling” site via an iframe.
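The log analysis described above boils down to one question: which referring sites sent visitors to the compromised server? The following is an added example (not code from Brian’s article, RSA, or this post) that parses web server access logs in the Apache/nginx “combined” format and tallies referring hosts, optionally restricted to the request path the malicious iframe pointed at. The log lines, hostnames and the `/lp/index.html` landing path are constructed for illustration and are not from the real incident.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" log format: the referrer is the second quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log. Hosts are RFC 2606/5737 examples; the landing path
# /lp/index.html is hypothetical. One line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2012:14:02:11 +0000] "GET /lp/index.html HTTP/1.1" 200 1325 "http://county-gov.example/news/" "Mozilla/5.0"
203.0.113.9 - - [10/Jul/2012:14:03:40 +0000] "GET /lp/index.html HTTP/1.1" 200 1325 "http://activist.example/forum/index.php" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2012:14:05:02 +0000] "GET /lp/index.html HTTP/1.1" 200 1325 "http://county-gov.example/contact" "Mozilla/5.0"
198.51.100.8 - - [10/Jul/2012:14:06:17 +0000] "GET /index.html HTTP/1.1" 200 4810 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jul/2012:14:07:55 +0000] "GET /index.html HTTP/1.1" 200 4810 "http://search.example/?q=curling" "Mozilla/5.0"
192.0.2.45 - - [10/Jul/2012:14:08:30 +0000] "GET /lp/index.html HTTP/1.1" 404 210 "https://defense-contractor.example/careers" "Mozilla/5.0"
this line is garbage and should be skipped
"""


def parse_log(text):
    """Yield a dict per well-formed line; silently skip lines that do not match."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def referrer_hosts(text, landing_path=None):
    """Count referring hosts.

    Entries with an empty referrer ("-") are ignored. If landing_path is given,
    only requests for exactly that path are counted, which isolates the traffic
    an injected iframe would generate from ordinary visits to the site.
    """
    counts = Counter()
    for rec in parse_log(text):
        ref = rec["referrer"]
        if ref in ("", "-"):
            continue
        if landing_path is not None:
            parts = rec["request"].split()
            # request looks like "GET /path HTTP/1.1"; parts[1] is the path
            if len(parts) < 2 or parts[1] != landing_path:
                continue
        host = urlsplit(ref).hostname
        if host:
            counts[host] += 1
    return counts


def top_referrers(text, landing_path=None):
    """Return (host, count) pairs, most frequent first, ties broken by host name."""
    counts = referrer_hosts(text, landing_path)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for host, n in top_referrers(SAMPLE_LOG, "/lp/index.html"):
        print(f"{n:5d}  {host}")
```

Running this on the constructed log lists `county-gov.example`, `activist.example` and `defense-contractor.example` as the sites that sent visitors to the landing page; the search-engine referrer only shows up when the path filter is dropped, which is why filtering on the iframe’s target path matters when the server also serves legitimate traffic. Each referring host found this way is a candidate compromised site that should then be checked for the injected iframe itself.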

The initial target website profiles included those associated with political activism, the Defense Industrial Base, metro Boston (financial services), and metro DC (government and education). One of the interesting affected sites that Brian pointed out was one for Prince George’s County’s government. But beyond that, several of these groupings affect many in the metro DC community in one way or another.

The rest of the article goes on to explain the results of the RSA analysis, including the exploits used, the number of affected targets, and some insight from a related Symantec report (i.e., Elderwood). But this is a little beyond the more technically interesting content involving the deduction of the curling site, finding the cached web server logs, and enumerating the initial target sites. Nice find!


Today’s post pic is from KrebsOnSecurity.com. See ya!

5 comments for “Watering Hole Site Pulls an IEEE”

  1. September 26, 2012 at 9:50 pm

    Watering Hole Site Pulls an IEEE – http://t.co/YCxT9CNt /HN

  2. September 26, 2012 at 10:12 pm

    Watering Hole Site Pulls an IEEE http://t.co/GxpkhslS

  3. September 27, 2012 at 1:48 am

    BLOGGED: Watering Hole Site Pulls an IEEE http://t.co/uQFrj7mv

  4. September 27, 2012 at 4:06 am

    #NOVABLOGGER: Watering Hole Site Pulls an IEEE http://t.co/45QzLdgQ http://t.co/IntXkFbO

  5. September 27, 2012 at 8:58 pm

    BLOGGED: Watering Hole Site Pulls an IEEE http://t.co/45QzLdgQ
