The attacks that compromised computer systems at Facebook, Twitter, Apple Corp. and Microsoft were part of a wide-ranging operation that relied on many “watering hole” web sites that attracted employees from prominent firms across the U.S., The Security Ledger has learned. The assailants responsible for the cyber attacks used at least two mobile application development sites as watering holes in addition to the one web site that has been disclosed: iPhoneDevSDK.com. Still other watering hole web sites used in the attack weren’t specific to mobile application developers – or even to software development. Still, they served almost identical attacks to employees of a wide range of target firms, across industries, including prominent auto manufacturers, U.S. government agencies and even a leading candy maker, according to sources with knowledge of the operation. More than a month after the attacks came to light, many details remain under tight wraps. Contacted by The Security […]
Search Results for "watering hole"
Yesterday the news was that Apple Inc. was yet another victim of a widespread watering-hole style attack on prominent firms, including Facebook and (probably) Twitter. But that list of victims will almost certainly rise, as more information about the watering hole web site and the extent of the breach become public. First, what we know: Twitter, Facebook and now Apple have all made announcements in the last week about security breaches at their organizations that involved staff computers being infected with malware. Twitter was the first company to go public with the information on February 2nd. But the company said at the time that other firms were likely to have been breached, also. Facebook followed suit, announcing that its employees, also, were targeted in the attack. According to Facebook’s Chief Security Officer, Joe Sullivan, the company’s employees were compromised using a previously unknown (zero day) Java vulnerability after visiting a […]
Say you’re a “bad guy” and what you really want to do is compromise the systems of some high value targets – like software developers working a prominent, Silicon Valley firms like Facebook and Twitter. Breaking through the front door isn’t easy – these companies mostly have the technology chops to protect their networks and employees. Phishing e-mails are also a tough sell: the developer community is heavy on Apple Mac systems and – besides – application developers might be harder to phish than your average Fortune 500 executive. A better approach might be to let your prey come to you – attacking them passively by gaining control of a trusted third party web site – a so-called “watering hole.” That’s a scenario that has played out in a number of recent, high profile attacks, such as the so-called “VoHo” attacks documented by Symantec and RSA. It may also be […]
In-brief: Software security holes in widely used industrial equipment known as “power quality analysers” (sp) could enable remote attackers to disrupt or corrupt operations at firms across industries, according to a report released by the firm Applied Risk.