Contemporary aspects of Internet insecurity
Nechukhayeva N.V., Onischenko O.V.
National Metallurgical Academy of
Abstract: Today several interesting trends have taken shape in
how online attackers go about their business. This article concerns the
“watering hole” trend, using figures from the Symantec Corporation
Internet Security Threat Report 2014. The terms "zero-day
vulnerability" and "watering hole" are analyzed and the concepts behind
them are explained.
Key words: zero-day vulnerability, targeted attack, data
breach, watering hole.
A Zero-Day Vulnerability
Called either Day Zero or Zero-Day, it is an exploit that
takes advantage of a security vulnerability on the same day that the
vulnerability becomes publicly or generally known. Zero-Day exploits are
usually posted by well-known hacker groups. Software companies may issue a
security bulletin or advisory when the exploit becomes known, but they may
not be able to offer a patch that fixes the vulnerability for some time
afterwards.
Generally, a zero-day vulnerability refers to a hole in software
that is unknown to the vendor. This security hole is then exploited by hackers
before the vendor becomes aware of it and hurries to fix it; such an exploit
is called a zero-day attack. Zero-day attacks can be used to infiltrate
malware or spyware, or to allow unwanted access to user information. The term
“zero day” refers to the fact that the hole is unknown to everyone outside
the hackers, and specifically to the developers.
In order to rectify the vulnerability, the vendor must release a
patch. For example, let us consider Microsoft’s "Patch Tuesday". On the
second Tuesday of each month, Microsoft releases security fixes that resolve
identified holes. If, however, a critical vulnerability is discovered, a
patch may be released outside of
In 2013 the most sophisticated form of targeted attack was the
so-called “watering hole”. First documented in 2011, this sort of attack
requires the attackers to infiltrate a legitimate site visited by their target,
plant malicious code, and then wait. As a drive-by download tactic, it can
be incredibly potent. For example, the Hidden Lynx attacks infected
approximately 4 000 users in one month. Here we have to mention that other
visitors to a "watering-hole" site may not be the intended target, and
are therefore either served with other forms of malware or no malware at all.
This shows that, while effective, "watering holes" may be used as a
longer-term tactic, requiring patience from the attackers as they wait for
their intended target to visit the site unprompted.
Attackers creating the "watering hole" generally
have to find and exploit a vulnerability in a legitimate website in order to
control it and plant their malicious payload within the site. For example,
scans of websites carried out in 2013 by Symantec’s Website Security Solutions
division found that 77 percent of sites contained vulnerabilities and 16
percent had vulnerabilities classified as critical. Critical vulnerabilities
could permit an attacker to access sensitive data, alter website content, or
compromise a visitor’s computer: when an attacker looked for a site to
compromise, about 13 per cent of sites were relatively easy to gain access to.
When a website is compromised, the attackers are able to
monitor the logs of the compromised site to see who is visiting the website.
For instance, if they are targeting organizations in the defense industry, they
may look for IP addresses of known defense contractors and if these IP
addresses are in the traffic logs, the attackers may later use the website as
the "watering hole".
Fig. 1. Zero-day vulnerabilities (Total
Attackers can even send the malicious payload only to particular
IP addresses, to minimize the collateral damage from other people
visiting the site, which would potentially draw attention to the existence
of the
Watering holes play a big role in the exploitation of zero-day
vulnerabilities because the chances of the attack being discovered are low. The
number of zero-day vulnerabilities used in attacks during 2013
increased, with 23 new ones discovered during the year.
The majority of attacks that used zero-day vulnerabilities
focused on Java. Java held the top three spots among exploited zero-day
vulnerabilities and was responsible for 97 percent of attacks that used
zero-day vulnerabilities after they were disclosed.
One reason why "watering-hole" attacks are becoming
more popular is that users aren’t instinctively suspicious of legitimate
websites that they know and trust. In general such attacks are set up on
legitimate websites that contain content of specific interest to the
individual or group being targeted. The use of zero-day vulnerabilities on
legitimate websites made "watering holes" a very attractive method for
attackers with the resources to mount such an attack.
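As an added illustration from the site owner's side (not part of this article or of Symantec's report): a check a webmaster could run against the pages the server actually serves, to catch the injected code a watering-hole compromise relies on. The page content, host names and allow list are constructed for the example; the ".invalid" names are reserved example hosts.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the page as the site owner published it (baseline) and
# the same page after a hypothetical injection of a remote script and a hidden
# iframe. The ".invalid" hosts are reserved example names, not real sites.
BASELINE_HTML = """<html><head><title>Industry News</title>
<script src="/static/app.js"></script></head>
<body><h1>Welcome</h1><p>Latest contract awards.</p></body></html>"""
INJECTED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<script src="http://cdn.attacker.invalid/stats.js"></script>'
    '<iframe src="http://cdn.attacker.invalid/x.html" width="0" height="0">'
    '</iframe></body>')

# Hosts the site legitimately loads active content from ("" = same-origin).
ALLOWED_HOSTS = {"", "static.news.invalid"}

class _LoadCollector(HTMLParser):
    """Collects the src of every <script> and <iframe> tag in the page."""
    def __init__(self):
        super().__init__()
        self.loads = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.loads.append((tag, src))

def fingerprint(html):
    """Hash of the served page, compared against the hash taken at publish time."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()

def foreign_loads(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (tag, src) pairs that pull content from a host not in the allow list."""
    parser = _LoadCollector()
    parser.feed(html)
    return [(tag, src) for tag, src in parser.loads
            if urlparse(src).netloc.lower() not in allowed_hosts]

def check_served_page(baseline_html, served_html):
    """Returns (content_changed, foreign_loads); either signal warrants a look."""
    changed = fingerprint(baseline_html) != fingerprint(served_html)
    return changed, foreign_loads(served_html)
```

Running the check from an outside address, not only from the site's own network, matters because the text above notes that a payload may be served only to selected visitors.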
Network Discovery and Data Capture
Fig. 2. Attack structure
If attackers successfully compromise an organization they may
traverse the network, attempt to gain access to the domain controller, find
documents of interest, and exfiltrate the data. For a long time downloaders
have been popular tools used to gain further control within an organization’s
network. These highly versatile forms of malicious code allow the download of
other malware, depending on what may be needed to carry out their
The main reason that attackers use downloaders is that
they’re lightweight and easy to propagate. Once a downloader enters a network
it will, by definition, download more traditional payloads such as Trojan
horses to scan the network, keyloggers to steal information typed into
compromised computers, and backdoors that can send stolen data back to the
Once on the network, an attacker’s goal is generally to
traverse it further and gain access to various systems. Info-stealing Trojans
are one of the more common payloads that an attacker will deliver. These
Trojans quietly sit on compromised computers gathering account details.
Password-dumping tools are used as well, especially when
encountering an encrypted cache of passwords. These tools allow an attacker to
copy encrypted (or “hashed”) passwords and attempt to “pass the hash,” as it is
known, to exploit potentially vulnerable systems on the network.
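An added example, not from the article or from Symantec: detection logic over constructed logon records that looks for the footprint pass-the-hash lateral movement leaves, one source completing NTLM network logons to many hosts in quick succession where the domain would normally use Kerberos. The record format, host names, accounts and addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified logon records, one per line. Field names loosely follow
# Windows Security event 4624 (successful logon) but this is NOT the real format.
SAMPLE_LOG = """\
2013-11-02T09:00:01 event=4624 host=WS21 account=jsmith logon_type=2 auth=Kerberos src_ip=10.0.5.21
2013-11-02T09:14:10 event=4624 host=FS01 account=jsmith logon_type=3 auth=Kerberos src_ip=10.0.5.21
2013-11-02T22:05:00 event=4624 host=FS01 account=svc_backup logon_type=3 auth=NTLM src_ip=10.0.5.77
2013-11-02T22:05:04 event=4624 host=FS02 account=svc_backup logon_type=3 auth=NTLM src_ip=10.0.5.77
2013-11-02T22:05:09 event=4624 host=MAIL01 account=svc_backup logon_type=3 auth=NTLM src_ip=10.0.5.77
2013-11-02T22:05:15 event=4624 host=DC01 account=svc_backup logon_type=3 auth=NTLM src_ip=10.0.5.77
2013-11-02T22:40:00 event=4624 host=FS01 account=legacyapp logon_type=3 auth=NTLM src_ip=10.0.9.3
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

def parse_line(line):
    """Turn one record into a dict; the timestamp becomes a datetime."""
    m = LINE_RE.match(line)
    rec = dict(kv.split("=", 1) for kv in m.group("kv").split())
    rec["ts"] = datetime.fromisoformat(m.group("ts"))
    return rec

def find_pth_candidates(log_text, min_hosts=3, window=timedelta(minutes=10)):
    """Flag (account, src_ip) pairs that completed NTLM network logons
    (logon type 3) to at least min_hosts distinct hosts inside one window.
    Pass-the-hash replays the NTLM hash, so the trail it leaves is NTLM
    authentication from one source to many hosts rather than Kerberos."""
    by_actor = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        if r["event"] == "4624" and r["logon_type"] == "3" and r["auth"] == "NTLM":
            by_actor[(r["account"], r["src_ip"])].append((r["ts"], r["host"]))
    hits = []
    for (account, src_ip), events in by_actor.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits.append((account, src_ip, sorted(hosts)))
                break
    return hits
```

The single NTLM logon by "legacyapp" is not flagged: legitimate NTLM still occurs, so the threshold and window are what separate a legacy application from a credential being replayed across the network.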
The goal for the attacker is to gain elevated privileges on
systems on the network that appeal to them, such as FTP access, email servers,
domain controllers, and so on. Attackers can use these details to log into
these systems, continue to traverse the network, or use them to exfiltrate
Depending on how the system is set up, attackers could take
advantage of a number of flaws within the network that ultimately allow them
to get to their targeted data. The attacker typically proceeds as follows:
• First, the attacker needs to gain access to the
corporate network that provides access to the retailer’s PoS (point of sale)
systems.
• Once the attacker has established a beachhead in the
network, they will need to get to their targeted systems. To achieve this, the
attacker needs either to exploit vulnerabilities using brute-force
attacks or to steal privileged credentials from an employee through an
• The attacker must then plant malware that steals
sensitive financial data, such as network-sniffing tools, which steal card
numbers as they move through internal unencrypted networks, or RAM scraping
• Once the malware is installed, the attacker needs to
wait until enough financial data is collected before exfiltrating it. The
stolen data is stored locally and is disguised by obfuscating file names and
• When the time comes for the attacker to exfiltrate
the data, they may use a captured internal system to act as their staging
server. The stolen data will be passed to this server and, when the time comes,
the details will be transferred through any number of other internal systems.
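An added example, not part of the article, covering the last two steps above from the defender's side: over constructed flow summaries it looks for an internal host that collects data from many PoS-segment machines and then traces that host's later traffic, hop by hop through other internal systems, to an external address. The address plan, flow records and thresholds are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
# Constructed address plan: 10.0.0.0/8 is internal; registers live in 10.20.0.0/16.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")

# Constructed flow summaries: (timestamp, src, dst, bytes). 203.0.113.0/24 is a
# documentation range standing in for an external address.
FLOWS = [
    ("2013-12-01T01:10", "10.20.1.11", "10.0.7.50", 180000),
    ("2013-12-01T01:12", "10.20.1.12", "10.0.7.50", 175000),
    ("2013-12-01T01:15", "10.20.1.13", "10.0.7.50", 190000),
    ("2013-12-01T01:20", "10.20.1.14", "10.0.7.50", 160000),
    ("2013-12-01T03:00", "10.0.7.50", "10.0.3.9", 700000),     # hop to a 2nd internal box
    ("2013-12-01T03:05", "10.0.3.9", "203.0.113.45", 700000),  # leaves the network
    ("2013-12-01T09:00", "10.20.1.11", "10.0.2.2", 4000),      # routine register traffic
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_egress_path(host, after_ts, flows, max_hops=3):
    """Follow flows leaving `host` after `after_ts` through other internal systems
    until one reaches an external address; returns the host path or None."""
    if max_hops == 0:
        return None
    for ts, src, dst, _ in sorted(flows):
        if src == host and ts > after_ts:
            if not is_internal(dst):
                return [host, dst]
            rest = find_egress_path(dst, ts, flows, max_hops - 1)
            if rest:
                return [host] + rest
    return None

def find_staging_hosts(flows, min_sources=3):
    """Internal hosts fed by many PoS machines whose later traffic leaves the network."""
    fan_in = defaultdict(dict)  # collector -> {pos_host: latest timestamp}
    for ts, src, dst, _ in flows:
        if ipaddress.ip_address(src) in POS_SEGMENT and is_internal(dst):
            fan_in[dst][src] = max(ts, fan_in[dst].get(src, ""))
    hits = []
    for collector, sources in fan_in.items():
        if len(sources) >= min_sources:
            path = find_egress_path(collector, max(sources.values()), flows)
            if path:
                hits.append((collector, len(sources), path))
    return hits
```

The legitimate PoS server (10.0.2.2 here) also receives register traffic, which is why fan-in alone is not the alarm: the host is reported only when a path to the outside can be followed from it.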