Why is the Watering Hole Technique Effective?

Late last week, the Council of Foreign Relations website was compromised and modified to host a 0-day exploit affecting Internet Explorer. Analysis revealed that the attack was set to affect a specific set of users, as it was set to work only if the browser language was set to English (US), Chinese (China), Chinese (Taiwan), Japanese, Korean, or Russian.

Microsoft then issued a security advisory for the vulnerability and provided some workarounds, to serve as protection until a solution is released. Trend Micro users, however, are already protected through Trend Micro Deep Security, specifically through the following rules:

  • 1005297 – Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability (CVE-2012-4792)
  • 1005301 – Identified Suspicious JavaScript Encoded Window Location Object
  • 1005298 – Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability (CVE-2012-4792) Obfuscated

The rules above are set to detect all known variants of the exploit.

The use-after-free vulnerability in Microsoft Internet Explorer enables remote attackers to execute arbitrary code. As stated in Microsoft's blog, and as we have also observed, all of the reported targeted attacks so far have been triggered through an encoded or obfuscated JavaScript Window Location object, which is normally used to change the location of the current window. The flaw lies in a cButton object that has been freed but whose reference is used again during page reload; the stale reference points to an invalid memory location, yielding arbitrary code execution in the context of the current user. Microsoft Internet Explorer versions 6, 7, and 8 are affected; newer versions such as IE9 and IE10 are not affected by this vulnerability.
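As an added illustration, not code from the post or from Trend Micro's Deep Security rules, the following Python heuristic looks for the two traits described here: a Window Location object that only becomes visible after decoding percent, \x, \u or String.fromCharCode layers, and a browser-language gate on the locales named at the top of the post. The navigator property names, the locale tags and the sample script are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Browser locales the post says the attack was gated on (IE-style tags; constructed)
TARGET_LOCALES = {"en-us", "zh-cn", "zh-tw", "ja", "ko", "ru"}
LOCATION_RE = re.compile(r"\b(window|document|top|self|parent)\.location\b", re.I)
DECODER_RE = re.compile(r"\b(unescape|decodeURIComponent|String\.fromCharCode)\s*\(", re.I)
LANG_PROP_RE = re.compile(r"navigator\.(systemLanguage|userLanguage|browserLanguage|language)\b", re.I)

def decode_layers(script: str, max_rounds: int = 3) -> str:
    """Peel common JavaScript string encodings (%xx, %uXXXX, \\xNN, \\uNNNN and numeric
    String.fromCharCode(...)) so hidden identifiers surface; layers are often nested."""
    hex_chr = lambda m: chr(int(m.group(1), 16))
    for _ in range(max_rounds):
        decoded = unquote(script)
        decoded = re.sub(r"%u([0-9a-fA-F]{4})", hex_chr, decoded)
        decoded = re.sub(r"\\x([0-9a-fA-F]{2})", hex_chr, decoded)
        decoded = re.sub(r"\\u([0-9a-fA-F]{4})", hex_chr, decoded)
        decoded = re.sub(r"String\.fromCharCode\(([\d,\s]+)\)",
                         lambda m: '"' + "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1))) + '"',
                         decoded)
        if decoded == script:
            break
        script = decoded
    return script

def scan_script(script: str) -> dict:
    """Heuristic indicators for one script; 'score' counts how many fired."""
    plain = decode_layers(script)
    hits = {}
    # A location object that only appears after decoding, or one fed by a string
    # decoder, is the 'encoded Window Location object' pattern.
    hits["encoded_location"] = bool(LOCATION_RE.search(plain)) and (
        not LOCATION_RE.search(script) or bool(DECODER_RE.search(script)))
    hits["eval_or_write"] = bool(re.search(r"\b(eval|document\.write)\s*\(", plain, re.I))
    # Language gating: a navigator language property compared against several target locales.
    quoted = {m.lower() for m in re.findall(r"['\"]([a-z]{2}(?:-[a-z]{2})?)['\"]", plain, re.I)}
    hits["language_gate"] = bool(LANG_PROP_RE.search(plain)) and len(quoted & TARGET_LOCALES) >= 2
    hits["score"] = sum(1 for v in hits.values() if v is True)
    return hits

# Constructed sample: locale gate plus a percent-encoded window.location redirect.
SAMPLE = r'''var l = navigator.userLanguage.toLowerCase();
if (l == "en-us" || l == "zh-cn" || l == "zh-tw" || l == "ja" || l == "ko" || l == "ru") {
  eval(unescape("%77%69%6e%64%6f%77%2e%6c%6f%63%61%74%69%6f%6e%3d%22%6e%65%78%74%2e%68%74%6d%6c%22"));
}'''

if __name__ == "__main__":
    print(scan_script(SAMPLE))   # all three indicators fire, score 3
```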

Old but Effective

My colleagues have discussed before that watering hole attacks are not new; in fact, use of this technique was seen as early as 2009. At the same time, however, they also think that watering hole attacks will become more prevalent in the future, and will be used specifically for targeted attacks. But why?

A possible answer lies in one of Raimund's forecasts for 2013, in which he said that attackers will focus more on improving how they deploy threats than on developing malware. Attackers will leverage the information they can gather on their targets before conducting the attack, in order to come up with a more effective way to reach them.

If we look at how a watering hole attack works, we see that the methods used are very familiar. However, the strategic placement of the threat itself makes it dangerous on a different level from any other web compromise or 0-day attack, in the same way that a spear phishing email is more effective than typical spam. Attackers can build strong social engineering lures by leveraging their knowledge of the target's profile, eliminating the need to create very sophisticated tools. Users must fully realize this, because attackers are no longer just using software vulnerabilities; they are also using the users themselves.

As both Tom and Nart have said, we will likely see more watering hole attacks in the coming year, so it is important for users to come up with a defense that is just as strategic as this attack, or even more so.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 31 December 2012.