News about the so-called VOHO “watering hole” attacks have faded from the headlines, but the hard work for hundreds of organizations who were victims of the attacks has just begun. The first step for many firms is figuring out if they were victims.
RSA Security is still working through a list of more than a thousand victim organizations to make firms caught up in the VOHO attack aware of the compromise, said Will Gragido, a senior manager on RSA’s FirstWatch Team, which called attention to the attack in a report last week.
“It’s quite a list,” said Gragido. “My team is proactively reaching out to whomever we can in a manner that’s discreet.”
RSA reported that 32,160 unique hosts representing 731 organizations were caught up in the attacks, which were active from June 25 to July 17, 2012, and infected target systems by way of “watering hole” sites such as local banks, municipal government sites and non-profit organizations. A smaller number of computers – 3,934 – were actually compromised in the attacks, RSA said last week.
Now RSA, which is the security division of storage firm EMC, is working through that list of 731 firms, presenting them with evidence that their network is caught up in the attack and then helping to connect those organizations with professional digital forensics firms that can uncover the extent of the breach and also clean up malware on the network.
“We’re trying to be a sounding board,” said Gragido. “We’re telling them what we’re seeing and listening to what they’re seeing.”
The attack affected a wide range of organizations, with concentrations in the defense sector, the Federal Government, corporations, educational institutions, financial services organizations and utilities, RSA said. Consumers connecting through Internet Service Providers (ISPs) were the largest single block of victims, accounting for more than half of the 3,900 victims.
Victims were clustered in the Washington D.C. and Boston Metro areas, with smaller clusters in Metro New York and Northern New Jersey, Gragido said. However, victims spanned the globe with outlier infections found well outside the bounds of the continental U.S.
The chief security officer at one Boston-area financial services firm, who spoke with Security Ledger on the condition of anonymity, said he had two end user systems compromised by way of Rockland Trust – a community bank based in south-eastern Massachusetts that was the source of many of the successful attacks.
The company had 12 employees who visited the Rockland Web site during the period of the attack. Just two were successfully attacked – but that was enough.
“They went right through our firewall with three payloads, all zero days,” he said. After those zero-day vulnerabilities were exploited on the target systems, the attack installed a custom version of Gh0stRAT that was not detected by the organization’s antivirus, he said.
The organization became aware of the compromise only from a third-party industry source after the RSA report was published, he said.
For organizations affected by the attack, cleanup won’t be easy. Compromised systems were infected with a variant of the Gh0stRAT espionage tool that has been linked to “APT” style attacks with links to the Chinese government. The Gh0stRAT application is both modular and stealthy, lying dormant and undetected by anti-malware programs, only to spring into action on command from attackers at a later time.
Gh0stRAT infections are typically characterized by lateral movement within infected networks, with attackers harvesting sensitive data and credentials that allow them to move from low-value victim systems to higher-value systems. Gragido said that any organization compromised in the attack should be investigating well beyond the initial entry points.
“It’s best to go through with a trained eye, conduct a proper analysis of the malware and make sure there hasn’t been any lateral movement,” he said.
And removing the infections may be harder now that the attack has been made public. Those behind the attack appear to be reading the headlines, too. Among other things, infected systems have shifted from listening on port 80 to listening on port 443 after the RSA report called out the use of port 80.
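The two triage steps the article implies (which internal hosts visited the watering-hole site inside the June 25 to July 17, 2012 window, and which of those later show a new listener on port 80 or 443) can be scripted against proxy and host-inventory logs. The Python below is an added example, not code from the article, RSA or the affected firm; the bank host name, IP addresses and log formats are constructed placeholders.

```python
from datetime import datetime, date

# Attack window reported by RSA, taken from the article.
WINDOW_START = date(2012, 6, 25)
WINDOW_END = date(2012, 7, 17)

# Placeholder for the watering-hole site; not a real indicator.
WATERING_HOLE = "www.example-bank.invalid"

# Constructed proxy log: "<ISO timestamp> <client_ip> <user> <host> <status>"
PROXY_LOG = """\
2012-06-20T09:12:01 10.1.4.21 alice www.example-bank.invalid 200
2012-06-28T14:03:55 10.1.4.21 alice www.example-bank.invalid 200
2012-07-02T08:45:10 10.1.4.37 bob www.example-bank.invalid 200
2012-07-02T08:46:00 10.1.4.37 bob cdn.unrelated.invalid 200
2012-07-20T11:00:00 10.1.4.50 carol www.example-bank.invalid 200
"""

# Constructed listening-port inventory snapshots: "<date> <host_ip> <port>"
LISTENER_LOG = """\
2012-07-05 10.1.4.21 80
2012-07-30 10.1.4.21 443
2012-07-05 10.1.4.37 3389
2012-07-30 10.1.4.37 3389
"""

def exposed_hosts(proxy_log, watering_hole, start=WINDOW_START, end=WINDOW_END):
    """Client IPs that fetched the watering-hole site inside the attack window."""
    hosts = set()
    for line in proxy_log.splitlines():
        ts, client, _user, host, _status = line.split()
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").date()
        if host == watering_hole and start <= day <= end:
            hosts.add(client)
    return hosts

def new_listeners(listener_log, hosts):
    """Ports an exposed host listens on in a later snapshot but not in its first one."""
    snapshots = {}  # host -> {date: set(ports)}
    for line in listener_log.splitlines():
        day, host, port = line.split()
        if host in hosts:
            snapshots.setdefault(host, {}).setdefault(day, set()).add(int(port))
    flagged = {}
    for host, by_day in snapshots.items():
        days = sorted(by_day)  # ISO dates sort chronologically as strings
        added = set().union(*(by_day[d] for d in days[1:])) - by_day[days[0]]
        if added:
            flagged[host] = sorted(added)
    return flagged

def triage(proxy_log=PROXY_LOG, listener_log=LISTENER_LOG):
    """Exposed hosts that grew a new listener after the visit; these go to forensics first."""
    return new_listeners(listener_log, exposed_hosts(proxy_log, WATERING_HOLE))
```

A host that simply visited the site is only exposed, not confirmed compromised; a new web-port listener on such a host is the kind of change the article says defenders should expect and is worth handing to a forensics team.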
And the VOHO attack described in RSA’s report is almost certainly not the only attack of its kind that’s out there, Gragido warned. “What’s unique about this is that we discovered and identified it early. What’s troubling is that it’s not the only VOHO attack out there. There are more than 250 known variants of Gh0stRAT – we have just one,” he said.