Researchers at the cybersecurity company ESET have uncovered a series of "watering hole" attacks. The campaign targeted government websites, online media outlets, Internet service providers, and aerospace and military technology companies.
Watering hole is the term used in cybersecurity for a targeted, strategic attack in which the attackers compromise a website they believe is frequented by their intended victims, then wait for those visitors to be served malware. The name comes from the waterhole where animals go to drink, which is where they are most exposed to predators.
The compromised sites belong to media outlets in the United Kingdom, Yemen and Saudi Arabia; Hezbollah; government agencies in Iran (the Foreign Ministry), Syria (including the Ministry of Energy website) and Yemen (including the Ministries of Interior and Finance); Internet service providers in Yemen and Syria; and aerospace and military technology companies in Italy and South Africa.
The attackers also set up a clone of the website of a German medical trade fair, the MEDICA trade show of the World Medical Forum held in Düsseldorf.
The campaign appears to have strong ties to Candiru, an Israeli spyware vendor recently blacklisted by the US Department of Commerce, which sells state-of-the-art offensive tools and related services to government agencies.
"In 2018, we at ESET developed a custom system to locate watering holes on high-profile websites," said ESET researcher Matthieu Faou, who uncovered the watering hole campaigns. "On July 11, 2020, our system notified us that the website of the Iranian embassy in Abu Dhabi had been infected with malicious JavaScript code. The high-profile nature of our target made an impression, and in the following weeks we noticed that other websites with links to the Middle East were also targeted."
"The group stayed quiet until January 2021, when we noticed a new wave of compromises. This second wave lasted until August 2021, when all the websites were cleaned up again, as they had been in 2020, most likely by the attackers themselves."
In this campaign, some visitors to these websites were most likely attacked with a browser exploit. ESET researchers, however, were unable to retrieve any exploit or malware sample. This indicates that the operators kept the scope of their operation narrow and did not want to expose their zero-day exploits, which shows how targeted the campaign was. The compromised websites serve only as a starting point from which to reach the final targets.
It is very likely that those running the watering hole campaigns are Candiru customers, and that the authors of the spearphishing documents described by Citizen Lab and the operators of the watering holes are the same group. Because Candiru was recently added to the US Commerce Department's Entity List, a US-based organization cannot do business with Candiru without first obtaining a licence from the Commerce Department.
"A blog post by Citizen Lab of the University of Toronto that discussed Candiru in the section 'A Saudi-Linked Cluster?' reported a spearphishing document uploaded to VirusTotal and several attacker-controlled domains. The domain names are variants of genuine URL shorteners and web analytics websites, which is the same technique used for the domains seen in the watering hole attacks," explains Faou, linking the attacks to Candiru.
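The two observations above (a site compromised by injected JavaScript, and attacker infrastructure named to look like URL shorteners and analytics providers) suggest a simple check a site owner can run on their own pages. The following script is an added example, not ESET's detection system or any code from the report: it pulls every external `<script src>` from a page, skips first-party hosts, and flags third-party domains whose name imitates a known shortener or analytics brand. The brand list, the similarity threshold, the sample page and the `.test`/`.example` hostnames are all constructed for illustration.

```python
"""Flag <script src=...> references whose host imitates a URL shortener or
web-analytics brand (added example; ESET's own tooling is not public here)."""
import difflib
import re
from urllib.parse import urlparse

# Constructed allowlist of legitimate services that attackers imitate (assumption).
KNOWN_DOMAINS = {
    "bit.ly", "bitly.com", "tinyurl.com",
    "google-analytics.com", "googletagmanager.com",
    "statcounter.com", "hotjar.com",
}
# Brand words compared against the first label of each third-party domain.
BRAND_NAMES = {"bitly", "tinyurl", "googleanalytics", "googletagmanager",
               "statcounter", "hotjar"}
THRESHOLD = 0.85  # tuning assumption: lower catches more, with more noise

SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', re.I)
# Collapse common digit-for-letter swaps and separators before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": "", "_": ""})


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: no public-suffix list,
    so a 'something.co.uk' host would come back as 'co.uk'."""
    return ".".join(host.lower().split(".")[-2:])


def normalise(label: str) -> str:
    return label.lower().translate(HOMOGLYPHS)


def lookalike_brand(domain: str):
    """Return (brand, score) for the closest brand, or None below THRESHOLD.
    Score is 1.0 when the whole brand word is embedded in the domain's first
    label; otherwise difflib similarity of the normalised label and the brand."""
    name = normalise(domain.split(".")[0])
    best = None
    for brand in BRAND_NAMES:
        score = 1.0 if brand in name else difflib.SequenceMatcher(None, name, brand).ratio()
        if best is None or score > best[1]:
            best = (brand, score)
    return best if best and best[1] >= THRESHOLD else None


def classify_script(src: str, site_host: str):
    """None for first-party scripts; otherwise a dict with host and verdict."""
    if src.startswith("//"):
        src = "https:" + src  # protocol-relative URL
    host = urlparse(src).hostname
    if host is None:
        return None  # relative path: served from the site itself
    host = host.lower()
    if host == site_host or host.endswith("." + site_host):
        return None  # first-party subdomain
    domain = registrable_domain(host)
    if domain in KNOWN_DOMAINS:
        return {"host": host, "verdict": "known-third-party"}
    match = lookalike_brand(domain)
    if match:
        return {"host": host, "verdict": "lookalike",
                "brand": match[0], "score": round(match[1], 2)}
    return {"host": host, "verdict": "unknown-third-party"}


def scan_page(html: str, site_host: str):
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        finding = classify_script(src, site_host)
        if finding:
            findings.append(finding)
    return findings


def lookalikes(html: str, site_host: str):
    return [f for f in scan_page(html, site_host) if f["verdict"] == "lookalike"]


# Constructed sample page: one genuine analytics tag, two first-party scripts,
# one unrelated CDN, and two injected tags on made-up lookalike hosts.
SAMPLE_HTML = """<html><head>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="/static/app.js"></script>
<script src="https://cdn.ministry.example/site.js"></script>
<script src="https://cdn.jsdelivr.example/lib.js"></script>
<script src="//cdn.google-analytlcs.test/ga.js"></script>
<script type="text/javascript" src='https://bit1y-stats.test/t.js'></script>
</head></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML, "ministry.example"):
        print(finding)
```

Run against the sample page with `ministry.example` as the site host, the two injected tags come back as lookalikes of `googleanalytics` and `bitly`, the genuine analytics tag is reported as a known third party, and the unrelated CDN is listed as an unknown third party for a human to review. A lookalike hit is a lead, not proof of compromise: confirm it by comparing the page against a known-good copy or the site's deployed source.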
At the end of July 2021, shortly after Citizen Lab, Google and Microsoft published blog posts detailing Candiru's activities, ESET stopped seeing activity from this group. The operators appear to be taking a break, most likely to regroup and disguise their campaign. ESET Research expects them to return in the coming months.
For more technical details on these website attacks in the Middle East, read the blog post “Strategic web compromise in the Middle East with a pinch of Candiru” at WeLiveSecurity.