German Lancioni – McAfee Blogs
https://securingtomorrow.mcafee.com (Securing Tomorrow. Today.)

How Visiting a Trusted Site Could Infect Your Employees
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/how-visiting-a-trusted-site-could-infect-your-employees/
Tue, 10 Sep 2019 19:27:32 +0000

The Artful and Dangerous Dynamics of Watering Hole Attacks

A group of researchers recently published findings of an exploitation of multiple iPhone vulnerabilities using websites to infect final targets. The key concept behind this type of attack is the use of trusted websites as an intermediate platform to attack others, and it’s defined as a watering hole attack.

How Does it Work?

Your organization is an impenetrable fortress that has implemented every single cybersecurity measure. Bad actors are having a hard time trying to compromise your systems. But what if the weakest link is not your organization, but a third-party? That is where an “island hopping” attack can take apart your fortress.

“Island hopping” was a military strategy that concentrated efforts on strategically positioned (and weaker) islands in order to reach the final mainland target.

One relevant instance of “island hopping” is a watering hole attack. A watering hole attack is motivated by an attacker’s frustration: if they cannot get to a target directly, perhaps they can compromise a weaker secondary one and use it to reach the intended one. Employees in an organization interact with third-party websites and services all the time. It could be with a provider, an entity in the supply chain, or even a publicly available website. Even though your organization may have cutting-edge perimeter protection, the third parties you interact with may not.

In this type of attack, bad actors start by profiling employees to find out which websites and services they usually consume. What is the most frequented news blog? Which airline do they prefer? Which service provider do they use to check pay stubs? What industry is the target organization in, and what are the professional interests of its employees?

Based on this profiling, they analyze which of the many websites visited by employees is weak and vulnerable. When they find one, the next step is compromising this third-party website by injecting malicious code, hosting malware, infecting existing (trusted) downloads, or redirecting the employee to a phishing site to steal credentials. Once the site has been compromised, they wait for an employee of the target organization to visit the site and get infected, sometimes with a nudge such as a phishing email sent to the employees. Sometimes this requires some sort of interaction, such as the employee using a file upload form, downloading a previously trusted PDF report, or attempting to log in on a phishing site after a redirection from the legitimate one. Finally, bad actors move laterally from the infected employee device to the desired final target(s).

Figure 1: Watering Hole Attack Dynamics

Victims of a watering hole attack are not only the final targets but also the strategic organizations involved along the attack chain. As an example, a watering hole attack discovered in March 2019 targeted member states of the United Nations by compromising the International Civil Aviation Organization (ICAO) as an intermediate target [1]. Because the ICAO website was frequented by the intended targets, it was compromised by exploiting vulnerable servers. Another example from last year is a group of more than 20 news and media websites that were compromised as intermediate targets in order to reach specific targets in Vietnam and Cambodia [2].

Risk analysis

Because this kind of attack relies on vulnerable but trusted third-party sites, it usually goes unnoticed and is not easily linked to further data breaches. To make sure this potential threat is being considered in your risk analysis, here are some of the questions you need to ask:

  • How secure are the websites and services of the entities I interact with?
  • Are the security interests of third parties aligned with mine? (Hint: probably not! You may be rushing to patch your web server but that does not mean a third-party site is doing the same).
  • What would be the impact of a watering hole attack for my organization?

As with every threat, it is important to analyze both the probability of this threat and how difficult it would be for attackers to implement it. This will vary from organization to organization, but one generic approach is to analyze the most popular websites. When checking the top one million websites around the world, it is interesting to note that around 60% [3] of these use Content Management Systems (CMSs) such as WordPress, Joomla or Drupal.

This creates an extra challenge, as these popular CMSs are statistically more likely to be present in an organization’s network traffic and, therefore, more likely to be targeted for a watering hole attack. It is not surprising, then, that dozens of vulnerabilities in CMSs are discovered and exploited every month (around 1000 vulnerabilities were discovered in the last two years for just the top 4 CMSs [4]). What is more concerning is that CMSs are designed to be integrated with other services and extended using plugins (more than 55,000 plugins are available as of today). This further expands the attack surface, as it creates the opportunity to compromise the small libraries and plugins used by these frameworks.

Consequently, CMSs are frequently targeted by watering hole attacks that exploit vulnerabilities enabling bad actors to gain control of the server or site and modify its content to serve a malicious purpose. In some advanced scenarios, they also add fingerprinting scripts that check the IP address, time zone and other useful details about the visitor. Based on this data, bad actors can automatically abandon the attempt when the visitor is not an employee of the desired company, or move further along the attack chain when they have hit the jackpot.

Defending against watering hole attacks

As organizations harden their security posture, bad actors are being pushed to new boundaries. Therefore, watering hole attacks are gaining traction, as they allow bad actors to compromise intermediate (more vulnerable) targets in order to later gain access to the intended final target. To help keep your organization secure against watering hole attacks, make sure you include web protection. McAfee Web Gateway can help provide additional defense against certain classes of attacks even when the user is visiting a site that has been compromised by a watering hole attack, with behavior emulation that aims to prevent zero-day malware in milliseconds as traffic is processed. You may also want to:

  • Build a Zero Trust model, especially around employees visiting publicly available websites, to make sure that even if a watering hole attack is targeting your organization, you can stop it from moving forward.
  • Regularly check your organization’s network traffic to identify vulnerable third-party websites that your employees might be exposed to.
  • Check the websites and services exposed by your organization’s providers. Are these secure enough and properly patched? If not, consider the possibility that these may become intermediate targets and apply policies to limit the exposure to these sites (e.g. do not allow downloads if that is an option).
  • When possible, alert providers about unpatched web servers, CMS frameworks or libraries, so they can promptly mitigate the risk.
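The second and third recommendations above start with knowing which third-party sites your employees actually visit and where downloads come from. The following is an added example, not code from the original post or from McAfee: it builds that inventory from proxy logs. The log format, the hostnames (reserved `.test` domains), the internal-domain suffix and the notion of "download" (any `application/*` content type) are all constructed assumptions; adapt the regular expression to your gateway's real log format.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample lines in a hypothetical proxy log format (assumption):
#   <timestamp> <user> <method> <url> <status> <content-type>
SAMPLE_PROXY_LOG = """\
2019-09-10T09:01:12Z alice GET https://news.example-media.test/markets 200 text/html
2019-09-10T09:02:40Z bob GET https://news.example-media.test/markets 200 text/html
2019-09-10T09:03:05Z carol GET https://news.example-media.test/report.pdf 200 application/pdf
2019-09-10T09:04:20Z alice GET https://payroll.example-provider.test/login 200 text/html
2019-09-10T09:05:01Z dave GET https://payroll.example-provider.test/stub.pdf 200 application/pdf
2019-09-10T09:06:33Z bob GET https://cdn.example-ads.test/banner.png 200 image/png
2019-09-10T09:07:10Z erin GET https://news.example-media.test/markets 200 text/html
2019-09-10T09:08:45Z alice GET https://intranet.corp.test/home 200 text/html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")
INTERNAL_SUFFIXES = ("corp.test",)      # assumed internal domains, excluded from the inventory
DOWNLOAD_TYPE_PREFIXES = ("application/",)  # content types treated as file downloads


class SiteStats(NamedTuple):
    users: int       # distinct employees who visited the host (audience size)
    requests: int    # total requests to the host
    downloads: int   # requests that served a downloadable file


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (user, host, content_type) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, user, _method, url, _status, ctype = m.groups()
    host = urlsplit(url).hostname
    if not host:
        return None
    return user, host.lower(), ctype.lower()


def is_internal(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in INTERNAL_SUFFIXES)


def third_party_inventory(log_text: str) -> Dict[str, SiteStats]:
    """Aggregate proxy lines into per-host statistics for external hosts only."""
    users = defaultdict(set)
    requests: Counter = Counter()
    downloads: Counter = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, host, ctype = parsed
        if is_internal(host):
            continue
        users[host].add(user)
        requests[host] += 1
        if ctype.startswith(DOWNLOAD_TYPE_PREFIXES):
            downloads[host] += 1
    return {h: SiteStats(len(users[h]), requests[h], downloads[h]) for h in users}


def prioritized_review_list(log_text: str) -> List[str]:
    """Hosts to review first: largest audience, then most downloads served."""
    inv = third_party_inventory(log_text)
    return sorted(inv, key=lambda h: (-inv[h].users, -inv[h].downloads, h))


if __name__ == "__main__":
    stats = third_party_inventory(SAMPLE_PROXY_LOG)
    for host in prioritized_review_list(SAMPLE_PROXY_LOG):
        s = stats[host]
        print(f"{host:32} users={s.users} requests={s.requests} downloads={s.downloads}")
```

The ranking puts the sites with the widest internal audience first, because a compromise there would expose the most employees; the download count identifies the sites where a "block downloads" policy, as suggested above, would have the most effect.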

Dealing with watering hole attacks requires us to be more attentive and to carefully review the websites we visit, even if these are cataloged as trusted sites. By doing so, we will not only mitigate the risk of watering hole attacks, but also steer away from one possible pathway to data breaches.

[1] https://securityaffairs.co/wordpress/81790/apt/icao-hack-2016.html

[2] https://www.scmagazine.com/home/security-news/for-the-last-few-months-the-threat-group-oceanlotus-also-known-as-apt32-and-apt-c-00-has-been-carrying-out-a-watering-hole-campaign-targeting-several-websites-in-southeast-asia/

[3] “Usage of content management systems”, https://w3techs.com/technologies/overview/content_management/all

[4] “The state of web application vulnerabilities in 2018”, https://www.imperva.com/blog/the-state-of-web-application-vulnerabilities-in-2018/

Cryptojacking is Soaring, and “Stegware” Makes it a Stealth Bomber
https://securingtomorrow.mcafee.com/business/cryptojacking-soaring-stegware-makes-stealth-bomber/
Fri, 16 Mar 2018 21:26:55 +0000
With Bitcoin becoming resource-intensive to mine, and several cryptocurrency platforms arising as alternatives, more bad actors are jumping into cryptojacking: the unsolicited use of your device to mine cryptocurrency. This is becoming a dangerous threat that sometimes targets web systems, while other times infiltrates consumer or enterprise devices.

When a consumer device is targeted by cryptojacking, immediate effects appear because of the mining operation. Sometimes the system performance is not consistent with the expected user workload. Similarly, when the attack targets an enterprise device such as a server, these indicators will be there, although maybe harder to identify. In fact, when the mining script is correctly configured, a throttled CPU usage might be concealed as a slightly higher server usage in accordance with theoretically higher demand. Verifying these facts? Not an easy task.

The purpose of a cryptojacking attack is essentially revenue, so it makes sense that high-value assets (involving significant CPU or GPU resources) will be targeted. Recent reports reveal that manufacturing and financial services industries together constitute more than 55% of the systems affected by cryptojacking attacks (1). In one recent example, the Smominru Monero botnet has produced around $3 million running a mining operation with more than 500k compromised hosts (2).

Several cryptojacking attacks use steganography as the mechanism to conceal and deliver the malicious mining script.

With security solutions maturing, bad actors need to think about new strategies to convey the attacks. That’s where “stegware”, malware hidden with steganography, comes in handy. As previously discussed (3), steganography is a very good vehicle for concealing an attack. In the case of cryptojacking, delivering the mining script is all the attacker requires. For that purpose, carriers such as an image file are used to hide the script. Then, taking advantage of either vulnerabilities (or features) already present in the services exposed by servers, the image is planted and the mining script can be executed. This technique is so effective that in some cases, bad actors won’t use actual steganography, just a fake image file, which is enough to bypass security solutions.

In a similar way, web-based cryptojacking attacks are poisoning hundreds of websites (by either taking advantage of web server exploits or via “malvertising”) to mine cryptocurrency when a user visits a webpage. Essentially, an image (for example an ad) is placed somewhere so the mining script can be extracted and executed using the user device’s resources. Fortunately, popular browsers have already implemented measures to detect this activity and shut it down.

But even with monitored devices such as servers, differentiating between a legitimate increased server demand and a cryptojacking attack may not always be that simple. If the mining script is correctly configured, an infected server process using a slightly higher amount of CPU would be on a gray area, but not necessarily spotted as an anomaly.

Collateral Damage

The fact that a mining script is extensively consuming resources such as CPU or GPU constitutes a potential risk to the system and its components. When devices are stressed by the extra load of mining, CPU, GPU and heat dissipation mechanisms are more active than usual. This increases energy consumption and could rapidly deteriorate system components. Although this is not the purpose of cryptojacking, we can’t ignore the consequences, as it may constitute a sort of “denial of service” when critical infrastructure is compromised. A cryptojacking botnet compromising servers may not disrupt a business, but it surely introduces some challenges to the operation.

Less Headache, More Benefits

In comparison with ransomware, cryptojacking might be more attractive to cybercriminals. Essentially, both attacks will produce revenue. However, while a ransomware attack becomes obvious once the ransom is requested, a stealthy cryptojacking has better chances of being undetected (especially when steganography is assisting the attack). Also, if a cryptojacking attack is discovered, it’s very hard to trace it back to the source, because of the intrinsic anonymity of cryptocurrency. Add to that the fact that the victim may not have enough incentive to go after the author (since “no damage” was produced), and it’s clear why this attack provides more benefits and fewer headaches than ransomware.

Staying Alert

Because no evident damage is produced, fighting cryptojacking requires a trained eye. Look for anomalies related to either performance, overheating, or failing components. The more data you have, the better you will be able to spot an attack. Determining the cause of a device or server being stressed is not easy, but that’s where you should start. Also, other indicators such as unknown processes or unknown images being downloaded can help you trace the path to a mining script.
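The post twice makes the point that a well-throttled miner hides as a "slightly higher" but sustained load, so a simple CPU threshold is not enough: a short legitimate spike and a long, modest plateau must be told apart. The following is an added example, not code from the original post or from McAfee. It builds a robust baseline (median and median absolute deviation) from an initial window of CPU samples and flags only deviations that persist for a minimum number of consecutive samples. The CPU series, its one-sample-per-minute cadence and the baseline window length are constructed assumptions.

```python
import statistics
from typing import List, Optional, Tuple


def constructed_cpu_series(include_miner: bool) -> List[float]:
    """Constructed CPU% series (one sample per minute) for a hypothetical server.

    Index 0-59:   normal load, 17-23%
    Index 60-69:  a legitimate batch-job spike at 90% (short, should not alert)
    Index 70-89:  normal load again
    Index 90-149: either a throttled miner plateau at ~45% or more normal load
    """
    series = [20 + (i % 7) - 3 for i in range(60)]
    series += [90] * 10
    series += [20 + (i % 7) - 3 for i in range(20)]
    if include_miner:
        series += [45 + (i % 3) - 1 for i in range(60)]
    else:
        series += [20 + (i % 7) - 3 for i in range(60)]
    return [float(x) for x in series]


def robust_baseline(samples: List[float]) -> Tuple[float, float]:
    """Median and median absolute deviation; MAD is floored at 1.0 so a
    perfectly flat baseline does not make every later sample an outlier."""
    med = statistics.median(samples)
    mad = statistics.median(abs(x - med) for x in samples)
    return med, max(mad, 1.0)


def sustained_cpu_anomaly(series: List[float], baseline_len: int = 60,
                          k: float = 5.0, min_run: int = 30) -> Optional[Tuple[int, int]]:
    """Return (start, end) of the first run of at least `min_run` consecutive
    samples above median + k * MAD of the baseline window, or None.

    Requiring a long run is what separates a legitimate short spike from the
    steady extra load a throttled mining process produces.
    """
    if len(series) <= baseline_len:
        return None
    med, mad = robust_baseline(series[:baseline_len])
    threshold = med + k * mad
    run_start: Optional[int] = None
    for i in range(baseline_len, len(series) + 1):       # i == len(series) closes a trailing run
        above = i < len(series) and series[i] > threshold
        if above:
            if run_start is None:
                run_start = i
        else:
            if run_start is not None and i - run_start >= min_run:
                return run_start, i
            run_start = None
    return None


if __name__ == "__main__":
    for label, has_miner in (("clean host", False), ("host with throttled miner", True)):
        result = sustained_cpu_anomaly(constructed_cpu_series(has_miner))
        print(f"{label}: {'no alert' if result is None else f'sustained anomaly at samples {result}'}")
```

With the constructed data the baseline is median 20% and MAD 2, so the alert threshold is 30%; the 10-minute batch spike exceeds it but is too short to fire, while the 60-minute plateau at 45% is reported. In practice the same logic can be run per host or per process, and pairing it with the other indicators mentioned above (unknown processes, unexpected image downloads) gives the "trained eye" something concrete to start from.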

What’s Hidden in That Picture Online? Seeing Through “Stegware”
https://securingtomorrow.mcafee.com/business/seeing-through-stegware/
Mon, 16 Oct 2017 22:00:50 +0000
Steganography is the practice of hiding data within other text or data, and has been widely used for centuries, from ancient Greeks hiding messages within wax tablets, to agents concealing enemy information within doll orders during World War II, to prisoners of war blinking in Morse code to get a message through. As they say, what’s old is new again, and bad actors are now embracing stegware (a malicious operation involving steganography as a vehicle to conceal an attack).

The way steganography works is by concealing a payload inside the bits of a carrier file (e.g. an image). The interesting part is that this stealthy operation keeps the carrier untouched from a content perspective, so nobody will notice that the image has been modified.
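To make the mechanism concrete from the defender's side, here is an added example that is not code from the original post or from McAfee. It embeds a payload in the least significant bit of each carrier sample (the simplest form of the "bits of a carrier file" technique described above, using constructed 8-bit grayscale samples instead of a real image file), shows that the samples are "untouched from a content perspective" (each value changes by at most 1), and then applies the classic pairs-of-values chi-square check: in a natural carrier the counts of the value pairs (2k, 2k+1) are unbalanced, whereas a carrier whose LSB plane has been overwritten with near-uniform payload bits shows pair counts that are suspiciously equal. The carrier, its LSB bias and the payload are constructed assumptions.

```python
import random
from typing import List


def lsb_embed(carrier: List[int], payload: bytes) -> List[int]:
    """Replace the least significant bit of successive samples with payload bits."""
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    if len(bits) > len(carrier):
        raise ValueError("payload does not fit in carrier")
    out = list(carrier)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return out


def lsb_extract(stego: List[int], n_bytes: int) -> bytes:
    """Read back n_bytes from the LSB plane (the receiver's side of the channel)."""
    bits = [s & 1 for s in stego[: n_bytes * 8]]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def max_sample_change(a: List[int], b: List[int]) -> int:
    """Largest per-sample difference: LSB replacement never changes a value by more than 1."""
    return max(abs(x - y) for x, y in zip(a, b))


def pov_chi_square(samples: List[int]) -> float:
    """Pairs-of-values chi-square statistic over the 128 pairs (2k, 2k+1).

    Natural data: the two members of a pair are unequally frequent (large value).
    LSB plane overwritten with near-uniform bits: the pair is equalised (small value,
    close to the number of degrees of freedom, i.e. about 128).
    """
    counts = [0] * 256
    for s in samples:
        counts[s] += 1
    chi = 0.0
    for k in range(0, 256, 2):
        expected = (counts[k] + counts[k + 1]) / 2
        if expected > 0:
            chi += (counts[k] - expected) ** 2 / expected
    return chi


def looks_like_lsb_stego(samples: List[int], limit: float = 256.0) -> bool:
    """Flag when the statistic is below twice the degrees of freedom (assumed cut-off)."""
    return pov_chi_square(samples) < limit


def constructed_carrier(n: int = 16000, seed: int = 7) -> List[int]:
    """Constructed 8-bit samples with a biased LSB plane (80% even), standing in for
    a natural image whose LSB plane is not uniform."""
    rng = random.Random(seed)
    samples = []
    for _ in range(n):
        v = rng.randrange(256)
        if rng.random() < 0.8:
            v &= 0xFE
        samples.append(v)
    return samples


def constructed_payload(n_bytes: int = 2000, seed: int = 11) -> bytes:
    """Constructed payload with uniform-looking bits, as compressed or encrypted data has."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n_bytes))


if __name__ == "__main__":
    carrier = constructed_carrier()
    stego = lsb_embed(carrier, constructed_payload())
    print("max per-sample change:", max_sample_change(carrier, stego))
    print("chi-square clean:", round(pov_chi_square(carrier)), "stego:", round(pov_chi_square(stego)))
    print("clean flagged:", looks_like_lsb_stego(carrier), "stego flagged:", looks_like_lsb_stego(stego))
```

The check is deliberately narrow: it catches sequential, full-capacity LSB replacement, which is why real stegware that embeds sparsely, randomly spreads bits, or uses a more sophisticated scheme can still pass it. That gap is the practical reason the post stresses process and policy (where images come from, who downloads them) rather than relying on a single statistical test.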

“Stegware refers to any malicious operation involving steganography as a vehicle to conceal an attack”

Recent cyberattacks have demonstrated the versatility of steganography in both brand new and well-known attacks. It is interesting to note that steganography plays the role of a vehicle to conceal attacks, providing one big advantage to cybercriminals: it exponentially multiplies the success rate of the attack. For example, without steganography, security researchers may be able to tackle a malvertising campaign within days or weeks. However, a campaign launched with the stealthy help of steganography could be running for months or years before it is detected.

Using steganography, cybercriminals can revive old attacks and rewrap them as stegware to bypass security solutions. They can then re-launch an attack and pass several security checkpoints, as steganography provides the concealed channel to do so. Consequently, the ROI of a depreciated cyberattack tactic becomes interesting again.

“The usage of steganography exponentially multiplies the success rate of both brand new and well-known cyberattacks”

Scenarios

Steganography has been successfully used for data exfiltration, espionage, concealed communications, C2/botnet orchestration, malvertising and ransomware propagation, among others. Below is a list of examples of how stegware operates in each case:

  • An employee decides to steal some sensitive files… With today’s security systems, this would be noticed using classic approaches. However, using steganography the sensitive files are encoded into images. By doing so, the images can be uploaded to social networks or cloud storage services without triggering red flags.
  • A group of cybercriminals is attempting to communicate and synchronize attacks from different countries… Since they can’t go through standard communication channels, they decide to conceal secret messages in the profile pictures of social accounts. That way, they can emulate a ‘chat service’ by uploading and downloading unsuspicious profile photos using whitelisted services.
  • A massive botnet has been deployed and is awaiting instructions… Any attempt at communication from a central server to the bots is likely to be discovered, eventually. Instead of using a server, the bots are configured to periodically download the feed (text and images) of a public social account. By decoding steganographic data from the feed, instructions are extracted and executed.
  • A malicious campaign is planned to affect millions of users, but the perpetrators want to keep it as secret as possible… Since the goal is to exploit a browser vulnerability, they use steganography to conceal malicious code in advertisement images. To reach a large audience quickly, they submit the banner to networks that distribute the image over hundreds of websites. By doing so, the propagation is guaranteed and the campaign revenue is huge.
  • A new ransomware attack hides the communication between the victims and the perpetrator… Using steganography, information harvested from the target system is encoded into pictures uploaded to an image hosting website. Thanks to this tactic, the ransomware campaign deployment remains hidden for a longer period.

Unfortunately, all the examples stated above are based on real cases. Although many of these attacks were eventually spotted, the amount of time and effort required to detect and stop stegware was (and continues to be) huge. The result is a very good opportunity for cybercriminals.

Stay secure

Certainly, this is not a good picture to paint. However, if you can identify at least one scenario in which stegware might compromise your security, you will be one step ahead. By considering stegware as a possibility and following standard security practices, you will be able to start off on the right foot to mitigate this threat.

It is with this in mind that we developed the McAfee Steganography Defense Initiative, to mitigate stegware and help you stay secure in multiple scenarios. If you want to learn more about this, visit McAfee’s Steganography Defense Initiative page.

For more on “Stegware” and for updates from MPOWER17 follow us on Twitter at @McAfee.
