Wednesday, April 19, 2017

Watering hole attack

While spear-phishing is the most common means of delivery attackers will also compromise Websites commonly used by their targets as a means of delivery. This method of delivery is referred to as watering hole attacks. The term watering hole refers to the hunting method whereby a hunter waits for their prey at a watering hole, knowing that eventually, the target will come for a drink. Watering hole attacks work by modifying a compromised Website’s code so that when users view the Website an exploit is delivered to the victim browser.This exploit is in turn used to install malicious code on the system.
Least commonly, the sophisticated attackers have been found to use malicious code placed on USB keys. These are either left where target users will find them or even maileddirectlytothetargets.ExploitcodeisusedontheUSBdevicesothatwhenusers
accessthedevicetheexploitcodewillinstall maliciouscodeonto theusersystem.
Also as part of stage one the attackers will configure C2 (command and control)
servers to be use do verthecourseoftheattack.TheseC2serversareoftencompromised
hosts at legitimate organizations but can also be hosting servers obtained legitimately.
In particular, attackers prefer servers at places such as large universities, as these are
unlikely to be blocked by common prevention mechanisms like Web proxy filters
commonly employed by organizations today.
The final major aspect of the preparation is the creation of the backdoors to be
employed against the target organization.Theattackersgenerallyhaveseveralvariants
of their backdoor with slightly different characteristics. Some groups will even use
commonlyavailableRATs(RemoteAccessTrojans)suchasPoisonIvyandconfigure
them to use the appropriate C2s. Many of the attackers have tools that will weaponize
legitimate PDF or office documents. Weaponization is the process of turning a legitimate file into a malicious one. If for instance, the individuals share a particular
industry in common, the attackers might find are levant industry conference in the near
future and download an actual agenda PDF file from the conference Website. They
mightthenweaponizethatPDForsimplyuseinformationfromthefiletoaddtotheir
spear-phish to add realism and improve their chances for the targeted users to fall for
the spear-phish.
Computer Security Handbook, Set - Seymour Bosworth Copy






DHCP relay agents instead of multiple routers

What do you think is the benefit of using DHCP relay agents instead of multiple routers acting as DHCP servers? Each router works har...