Watering hole attack targets website visitors of oil and gas start-up

Watering hole attacks, where saboteurs infect websites of interest to their targets, are a “tried and true attack vector” that bad actors continue to revisit, as evidenced by a Sept. 4 attack that put a Fortune 1000 company on alert, security researchers found.

Bromium Labs was contacted by the company, a customer, after one of its LAVA sensors had detected an attack aimed at “potential viewers of a technology start-up [website] in the oil and gas sector,” the firm noted in a blog post.

The timing of the attack, days after the oil and gas company publicized “a sizable funding grant,” led researchers to believe that saboteurs anticipated “more traffic to the website and hoped to increase their chances of a successful infection.”

ONG companies are attractive targets to attackers keen on stealing IP and sensitive data. “This particular example took our attention as the attackers targeted the ONG tech start-up company days after they were in the news for having secured new funding for their technology,” Rahul Kashyap, Chief Security Architect & Head of Security Research at Bromium, told SCMagazine.com in a Wednesday email correspondence. “Ultimately, the user who visited this site was someone in a U.S. Fortune 1000 manufacturing company who was viewing this company after the announcement. This shows a classic end-to-end scenario of how such attacks proliferate organizations.”

What Bromium found was malware that leveraged the CVE-2013-7331 vulnerability, which at that time was unpatched and had already been exploited in the wild by various exploit kits.

“The trojan dropped was fairly sophisticated. It had obfuscation, anti-debugging, vm-detection, used an unpatched IE vulnerability (CVE-2013-7331) and some classic social engineering tricks,” said Kashyap. “The dropped malware was a tool for installing other malicious programs on the infected system.” Its authors, he said, “could sell the infected systems as a 'vacant spot' for further malware installs.”

The script on the compromised web server leveraged the XMLDOM vulnerability to look for Kaspersky and Trend Micro drivers on the victim's computer. Bromium researchers theorize that the attackers had tested the malware with those engines and were aware that they could detect it. What followed was a series of redirects. One cookie-based redirect modified .JS files; another led to a plain iframe; and a third hijacked “onmouseover and onhover events of the page DOM.”