My friends at Cisco’s TechWiseTV have taken MDM to heart and have offered some keen insight from a geek’s POV (point of view) into MDM. Starting with a primer on MDM, Networking 101: MDM, Jimmy Ray answers the questions on what is MDM and what can it do for my organization in his entertaining and educational white board approach.
“Watering Hole” attacks, as evidenced by the recent attack involving the U.S. Department of Labor, are becoming increasingly popular as alternatives to attacks such as Spear Phishing. In a “Watering Hole” attack, the attacker compromises a site likely to be visited by a particular target group, rather than attacking the target group directly. Eventually, someone from the targeted group visits the “trusted” site (A.K.A. the “Watering Hole”) and becomes compromised.
Cisco identified suspicious GET requests made to the www.sellagreement.com, a malicious site which was recently linked with the Department of Labor attack. According to the evidence we have, the sites www.kforce.com and www.sbc.net were among those compromised during this attack. The webpages that were serving malicious content from these sites were mostly job-search related, but several requests to www.sellagreement.com lacked a “Referrer:” HTTP header entirely. Read More »
This is the second and final part of my series about security logging in an enterprise.
We first logged IDS, some syslog from some UNIX hosts, and firewall logs (circa 1999). We went from there to dropping firewall logging as it introduced some overhead and we didn’t have any really good uses for it. (We still don’t.) Where did we go next? Read on.
Department of Labor Watering Hole Attack Confirmed to be 0-Day with Possible Advanced Reconnaissance Capabilities
Update 2 5/9/2013:
Microsoft has released a “Microsoft fix it” as a temporary mitigation for this issue on systems which require IE8. At this time, multiple sites have been observed hosting pages which exploit this vulnerability. Users of IE8 who cannot update to IE9+ are urged to apply the Fix It immediately.
An exploit for this bug is now publicly available within the metasploit framework. Users of the affected browser should consider updating to IE9+ or using a different browser until a patch is released. Given the nature of this vulnerability additional exploitation is likely.
At the end of April a Watering Hole–style attack was launched from a United States Department of Labor website. Many are theorizing that this attack may have been an attempt to use one compromised organization to target another. Visitors to specific pages hosting nuclear-related content at the Department of Labor website were also receiving malicious content loaded from the domain dol.ns01.us. Initially it appeared that this attack used CVE-2012-4792 to compromise vulnerable machines; however, Microsoft is now confirming that this is indeed a new issue. This issue is being designated CVE-2013-1347 and is reported to affect all versions of Internet Explorer 8.
Logging is probably both one of the most useful and least used of all security forensic capabilities. In large enterprises many security teams rely on their IT counterparts to do the logging and then turn to the IT logging infra when they need log information. That in itself isn’t bad; however, the needs/requirements for IT may not be a 100% fit for a CIRT. Read on to find out how we handled it.