The security firm shows how hackers can create tailored attacks by intercepting WER data.
Websense has uncovered an advanced persistent threat (APT) campaign using zero-day exploits after it researched 16 million crash reports from Windows Error Reporting (WER) last year.
WER reports information that hackers commonly use to find and exploit weak systems, such as OS, service pack and update versions. It is utilised on 80% of network-connected PCs, equating to more than one billion endpoints worldwide.
Alex Watson, security research director at Websense, told CBR how any attacker intercepting this data can create "a precise blueprint" of a target’s hardware and software network, which can be used to create tailored attacks.
"It’s a targeted attack like a lot of attacks we see, it starts out with an email campaign to a select group of people within an organisation. That email will contain a link that would exploit Microsoft Internet explorer when the link was clicked," he explained.
"We reversed those exploits, found a location for it to crash and created a fingerprint for (in the event that the exploit failed) what the crash report would look like. We then searched 16 million reports over a four month period and ended up finding a total of five reports that matched our fingerprint from four different organisations," he explained.
The security firm found targeted attacks that had made it past a leading mobile network operator’s and government agency’s security defences.
"What we found that in both of those two organisations, both the government agency and mobile network operator had Houdini H-Worm, a remote access Trojan (RAT), beginning back starting on the same day as the failed exploit attempt happened," he said.
Watson said the security industry needs to move away from signature-based defences and include more intelligence around anomalies and network behaviour as hackers improve techniques to break into security systems.
"We’re building this into products right now and it’s something that we wanted to get organisations thinking about – how to uncork techniques like anomaly detection into their defences. And if it’s not something that the organisation has resources to build themselves, it’s something that they should look for or ask for in their security product," he said.