On June 8, 2012, Internet Identity—now part of Infoblox—was contacted by a client whose employees had downloaded what appeared to be an Internet Explorer zero-day compromise, putting network systems and resources at risk of being compromised by malware. Having a limited view, and not having seen this specific malicious activity on its network before, the team at this large organization wanted more details about the malware, how severe the threat was, and how they could remediate potential risks.
The malware had been introduced through two attack vectors: spear-phishing that targeted employees and malicious files hosted within directories at news websites that employees would likely visit. This “water holing” technique focuses an attack on an organization through indirect means—using Internet locations within the organization’s online ecosystem that employees are likely to visit by habit or association.
Further analysis determined that the malicious actors behind this attack used a source code element called “Elderwood.” As reported in September, 2012, by Symantec (The Elderwood Project), this group of cyber criminals has very sophisticated methods of operation and has been targeting several industries for years. Utilizing exploits of widely used software that circumvent all conventional anti-virus detection methods, these dangerous attacks are a growing trend and can have a devastating impact on an organization’s Internet integrity. The resulting exfiltration of proprietary data and communications can jeopardize an organization’s assets, and the total cost of recovery and repair can reach into the millions of dollars.
Within two hours, Infoblox supplied members of the community with a series of high priority action alerts containing confirmed threat indicators.
The organization under attack knew they did not possess the necessary knowledge to detect, diagnose, and mitigate this threat across their network. So they turned to their trusted peer community, using Infoblox ActiveTrust products to gain comprehensive and actionable intelligence as quickly as possible. By tapping this collective pool of information, Infoblox’s Threat Intelligence team immediately determined that the threat was severe—classified by the client’s staff as APT and executing remote shellcode with keystroke loggers on workstations with privileged access to sensitive data.
Furthermore, Infoblox requested that trusted peer community members report related activity or malicious indicators that their internal teams might have seen through research and operations activities. While functioning as the central threat intelligence coordination point for this community, Infoblox threat analysts kept digging in the hours that followed. They discovered related MD5s, IP addresses, malicious host names, and other tangible threat elements, and reported that information to the community in clear, easily processed formats.
This prevented duplication of research efforts within the community and allowed security operations professionals to quickly focus on mitigating related threats seen on their networks. For those who did not yet see related activity or impact, the early-warning advantage of collective threat intelligence enabled proactive prevention of losses associated with this widespread and growing attack.
Having coordinated efforts within the community and gathered all available intelligence within one business day, Infoblox issued a comprehensive report on the attack that confirmed Elderwood was targeting many large organizations. This report went out to the customer community, enabling preventive action.
Through a collective effort that produced timely and actionable intelligence, dozens of large organizations were able to prevent employees and systems from connecting with malicious Internet locations. The clients with networks that were already infected could recognize these hits within the flow of their normal operations and immediately clean infected machines and quickly work to identify breaches. This effort was made possible through the shared trust and participation of all the organizations in the community.
Infoblox ActiveTrust leverages collective intelligence from its network of security experts, including those at the world’s largest banks and government organizations.
**Image 1** Water holing targets financial services, government agencies, and the defense industry, and has been seen used in the Aurora, Ghostnet, and VOHO attacks. Sites likely to be visited by members of target organizations are used to introduce malware, usually a variant of zero-day Gh0st RAT.
**Image 2** Sharing information among a user community and getting collective intelligence on attack vectors and methods keeps victims from having to ask, “Is it just us, or is someone else getting hit by this attack?”