Defend against watering hole attacks: use a secure virtual machine

Source: Internet
Author: User
Tags: file transfer protocol

As more and more enterprises filter or restrict employee email and Internet access to prevent phishing and other web-based attacks, attackers have begun looking for other ways to trick users into visiting malicious websites.
For example, the website of the US Council on Foreign Relations (CFR) was recently compromised through an Internet Explorer vulnerability, but the final target was not the CFR itself. The attackers used the watering hole technique to target enterprise users who visit the CFR website. Attackers are looking for alternative ways to reach companies that hold valuable information, and the watering hole attack has proved to be an effective method of penetration.
In this article, we discuss the methods used in watering hole attacks and how enterprises can use secure virtual machines (VMs) to defend against them.
Watering hole techniques
A watering hole attack is a variant of a pivot attack. In a pivot attack, the attacker moves from one system (the initial victim) to another system (the intended target). Watering hole attacks target legitimate websites that employees of the target enterprise are likely to visit. Because these websites are widely used, they may already be whitelisted or approved by the target enterprise's various security tools.
The goal of a watering hole attack is to infect users from the target enterprise with malware and thereby gain a foothold in the enterprise's systems or network. Once the malware is installed, the attacker can use that access to attack other parts of the network. The method is reportedly used mainly for targeted espionage, with zero-day vulnerabilities in Adobe Reader, the Java Runtime Environment (JRE), Flash, and IE used to install the malware.
Although such attacks are not common at present, attacking a low-security target in order to reach a high-security target is a classic attack pattern and a persistent headache for security departments. The low-security target may be a business partner, a supplier connected to the enterprise network, or an insecure wireless network in a coffee shop near the target.
Watering hole attacks can also be launched through advertising networks. This involves inserting malicious ads (text or images) that lead to malicious websites into ad rotations that are distributed to many different websites.
Is a secure virtual machine the solution?
Defense against standard malware is the starting point for defending against all types of watering hole attacks, but targeted enterprises should also deploy additional security controls. The most noteworthy is the use of a secure VM. Enterprises can run their web browsers in a virtual environment that allows only limited connections to other production systems; tools such as Invincea's virtual containers can also be used to restrict access to the local system. This isolates the tools or systems used to access untrusted content, reducing the risk that untrusted systems infect the enterprise. These virtual environments can be reserved for specific approved interactions with untrusted systems, such as browsing websites that could be used for watering hole attacks, or they can be extended to a complete VM in which untrusted work is performed, such as opening email attachments. The complete VM can be a one-time VM that is rebuilt on each use, so that malware does not persist in it.
Remember that once malware is inside a browser, it may be able to access everything the browser can access, even in a virtual environment. If an infected system connects to internal or external websites, the malware can capture passwords and sensitive data, or attack other systems from within the virtual environment. To limit such attacks, enterprises can remove or disable the most commonly targeted software on at-risk systems, including the JRE, Flash, Adobe Reader, and IE.
To prevent their own websites from being used in such attacks, enterprises can put processes in place to ensure that their websites are free of malware. The same techniques used to protect Web 2.0 applications can be used to check a website for malware. Some services check for potential malware on a daily basis, but a daily check may not be sufficient, because some web content changes frequently. Google's services check websites for malware to help protect its search engine users; Comodo and GeoTrust provide similar services.
RSA has also reported that stolen File Transfer Protocol (FTP) credentials can be used to publish malicious content on compromised websites. Using FTP to manage an enterprise website is highly risky because user names and passwords are transmitted over the network unencrypted, and an attacker who intercepts them can publish malicious content. Enterprises can configure their web servers to serve content from a read-only file system, but this does not help database-driven websites, that is, websites that allow content to be published or that pull in content from third parties. All of these methods require a securely configured web server, so that a web server vulnerability cannot be used to attack the underlying operating system.
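The two preceding paragraphs recommend checking your own website for injected content more often than a daily scan and treating unexpected published content as a sign of stolen publishing credentials. The following script is an added example, not code from the original article or from any of the services it names: it records a trusted baseline of a page, then compares the live copy and flags newly inserted script or iframe elements whose source host is not on the site's own allowlist. The HTML samples and hostnames are constructed for illustration.

```python
"""Web page integrity check for watering hole defense (added example).

Assumptions: the baseline HTML was captured from a known-good deployment,
and ALLOWED_HOSTS lists every origin the site legitimately loads code from.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical origins this site is allowed to load scripts/frames from.
ALLOWED_HOSTS = {"www.example-corp.test", "cdn.example-corp.test"}


class _RefCollector(HTMLParser):
    """Collect (tag, src) pairs for elements that can pull in remote code."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.refs.append((tag, src))


def external_refs(html):
    """Return every script/iframe src found in the page, in document order."""
    parser = _RefCollector()
    parser.feed(html)
    return parser.refs


def content_hash(html):
    """SHA-256 of the page text; a cheap first-pass change detector."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def ref_host(src):
    """Hostname of a src attribute, or None for same-origin relative paths."""
    if src.startswith("//"):          # protocol-relative URL
        src = "https:" + src
    return urlparse(src).hostname


def audit_page(baseline_html, live_html, allowed_hosts=ALLOWED_HOSTS):
    """Compare the live page with its baseline.

    Returns a list of (severity, message) tuples. "alert" marks a newly
    inserted script/iframe that loads from a host outside the allowlist,
    which is the signature of injected watering hole content.
    """
    findings = []
    if content_hash(live_html) != content_hash(baseline_html):
        findings.append(("info", "content hash changed since baseline"))
    known = set(external_refs(baseline_html))
    for tag, src in external_refs(live_html):
        if (tag, src) in known:
            continue                   # already present in the trusted copy
        host = ref_host(src)
        if host is None or host in allowed_hosts:
            findings.append(("info", f"new {tag} from trusted origin: {src}"))
        else:
            findings.append(("alert", f"new {tag} loaded from {host}: {src}"))
    return findings


# Constructed sample pages: a clean baseline and a copy with an injected frame.
BASELINE_HTML = (
    '<html><head><script src="/js/app.js"></script></head>'
    "<body><h1>Welcome</h1></body></html>"
)
INJECTED_HTML = BASELINE_HTML.replace(
    "<body>",
    '<body><iframe src="//evil-ads.test/x.html" width="1" height="1"></iframe>',
)

if __name__ == "__main__":
    for severity, message in audit_page(BASELINE_HTML, INJECTED_HTML):
        print(f"[{severity}] {message}")
```

Run it from a scheduler at whatever interval matches how often your content changes; the hash check alone will fire on every legitimate edit, so it is the allowlist comparison, not the hash, that should page someone. Because the baseline is a file you control, keep it on a host that is not reachable with the same credentials used to publish the site.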
Summary
Although the information security risk posed by watering hole attacks is currently low, enterprises must always be prepared, because this targeted attack is quite efficient. Attackers use a variety of methods to infect workstations and gain a foothold in the network. To defend against these attacks, enterprises need to protect their endpoints and adopt the principle of defense in depth. At the same time, enterprises that operate websites should also protect those websites, because they may be used as channels for watering hole attacks.