DNS Poisoning Hits Kenya Google, MSN, Skype...
15 Apr 2013 08:14 AM
The Websense® ThreatSeeker® Network has detected that a DNS poisoning attack is happening in Kenya, with local big name websites in information technology targeted including Google, Bing, and LinkedIn. Although DNS records point to a page on behalf of the attackers that lets the browsing user know about the hack, it could easily be replaced with a malicious page at will.
Below is the snapshot in Websense ThreatSeeker Network.
This is another attack issued by the so called Bangladeshi Hacker Group, the hacker group that has defaced 700,000 websites in the past and recently targeted prominent sites in Malawi (February 2013). In the Kenya campaign, from zone-h.com (a website tracking defaced websites), we could cross reference and confirm that the following well-known websites have been affected.
Websense customers are protected by our Advanced Classification Engine with real-time detection intelligence.
APT1: A Prevention Perspective
20 Feb 2013 07:01 PM
There's been increased interest in targeted attacks and advanced persistent threats in the news lately, from the intrusions on large media outlets and hacks on social networking sites to a recent detailed report of the tactics behind the infiltration of a sophisticated attack family dubbed "APT1". Much of the controversy swirling around these reports stems from the attempt to identify the perpetrators behind the attacks -- a decidedly difficult enterprise. While the balance of evidence presented for APT1 does appear to point toward authorship in China (after exhaustive analysis), sophisticated attacks are faceless at the moment of attempted compromise.
Here are a few data points we've already put together from our own analysis of the ThreatSeeker Network:
- We have observed more than 2,000 unique cases of APT1 attacks since 2011 against all major industry segments.
- China has a disproportionately large share of web-based attack traffic in the United States.
- For example, in February 0.49 percent of all web requests from US manufacturing companies land on servers in China. 11.21 percent of all malicious web requests from US manufacturing companies land on servers in China. If you're looking at traffic patterns, that's more than a 20X traffic disparity toward malware.
- US news & media companies are also disproportionately driven to malware located in China: legitimate requests to China make up 7.47 percent of overall traffic, whereas China's portion of all malicious traffic goes up to 21.21 percent.
- As the APT1 report suggests, China currently has much less web-based attack traffic originating from the rest of the world at 0.76 percent. That may change.
A more interesting question than authorship for us is: "How can you proactively stop targeted attacks like APT1?" Signatures are obviously not the answer. Here are some of the ways that we block APT1 along the kill chain without the need for signature updates:
- Full content scanning within SSL, including preventing rogue certificates and criminal encryption (as we blogged about previously)
- File sandboxing (find two examples of APT1's telltale behavior in ThreatScope reports here and here)
- URL sandboxing in e-mails to prevent spear phishing
- Data loss prevention technology to fingerprint and identify legitimate data as it exits
- Dynamic DNS request interception
- Web reputation / destination awareness. Many domains, hosts, IP addresses, and even ASNs used by APT1 have been classified for years. Block known compromised hosts for the hops and the outbound C&C traffic.
One trend that you can confidently predict: the attackers will continue to adapt and get smarter, and the techniques to thwart them will need to do the same.