Watering hole attacks on ministry and media websites

Researchers at the cybersecurity company ESET have uncovered a series of "watering hole" attacks. The campaign targeted government websites, online media, the websites of Internet service providers, and aerospace and military technology companies.

"Watering hole" is the cybersecurity term for a targeted, strategic attack in which the attackers compromise a website they expect their intended victims to visit. They then wait for those victims to browse the site and have malware delivered to their computers. The name comes from the watering holes where animals go to drink, which is exactly where they are most exposed to predators.


The websites compromised in this particular campaign belong to media outlets in …, Yemen and Saudi Arabia, as well as to Hezbollah; to government bodies in Iran (the Ministry of Foreign Affairs), Syria (including the website of the Ministry of Energy) and Yemen (including the Ministries of Interior and Finance); to Internet service providers in Yemen and Syria; and to aerospace/military technology companies in Italy and South Africa.

The attackers also cloned the website of a medical trade fair in Germany: MEDICA, the World Forum for Medicine held in Düsseldorf.

The campaign shows strong ties to Candiru, an Israeli spyware company recently placed on the US Department of Commerce's Entity List, which sells state-of-the-art offensive software tools and related services to government agencies.

"In 2018, we at ESET developed a custom system to detect watering holes on high-profile websites," says ESET researcher Matthieu Faou, who uncovered the watering hole campaigns. "On July 11, our system notified us that the website of the Iranian embassy in Abu Dhabi had been infected with malicious JavaScript. We were impressed by the high-profile nature of the target, and over the next few weeks we noticed that other websites with Middle Eastern connections were also targets."

"It went quiet until January 2021, when we observed a new wave of compromises. This second wave lasted until August 2021, when all the websites were cleaned up again, as had happened in 2020, most likely by the operators themselves," he adds.

In this campaign, some visitors to these websites were most likely attacked through a browser exploit. However, ESET's researchers were unable to recover any exploit or malware payload. This indicates that the operators deliberately kept the scope of their operation narrow, in order not to expose their zero-day exploits, which in turn shows how targeted the campaign was. The compromised websites serve only as a stepping stone towards the final targets.

It is very likely that the operators of the watering hole campaigns are Candiru customers, and the authors of the spearphishing documents and the watering hole operators may be the same group. Because Candiru was recently added to the US Commerce Department's Entity List, a US-based organization cannot do business with Candiru without first obtaining a licence from the Commerce Department.

"A University of Toronto Citizen Lab blogpost discussing Candiru, under the heading 'A Saudi-Linked Cluster?', mentioned some spearphishing documents uploaded to VirusTotal and several domains operated by the attackers. The domain names are variations of genuine URL shorteners and web analytics websites, which is the same technique used for the domains seen in the watering hole attacks," Faou explains, linking the attacks to the Candiru company.
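The lookalike-domain trick described above (attacker-controlled hosts named after URL shorteners and web-analytics services, so that an injected `<script src=...>` tag blends in with the tags a site legitimately carries) is easy to check for on a page you control. The following is an added example, not ESET's detection system and not code from the article: it parses the HTML for externally loaded scripts and flags any host whose registrable domain is a near match of a small allowlist of genuine services. The allowlist, the sample HTML and every hostname in it are constructed for the example.

```python
"""Flag externally loaded scripts whose host imitates a well-known
analytics or URL-shortener domain.

Added illustration of the lookalike-domain trick the article describes;
it is not ESET's detection system. The allowlist, the sample HTML and the
hostnames in it are constructed for this example.
"""
import difflib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Legitimate services an attacker might imitate (constructed, not exhaustive).
KNOWN_GOOD = {
    "google-analytics.com",
    "googletagmanager.com",
    "bit.ly",
    "tinyurl.com",
}

# Threshold on difflib's similarity ratio (2 * matches / total length).
LOOKALIKE_CUTOFF = 0.75


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def registrable_domain(host):
    """Naive 'last two labels' reduction (ignores multi-part TLDs such as
    co.uk; good enough to illustrate the comparison)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host):
    """'known' for allowlisted domains, 'lookalike of <domain>' for near
    matches, 'unknown' otherwise."""
    base = registrable_domain(host)
    if base in KNOWN_GOOD:
        return "known"
    close = difflib.get_close_matches(base, KNOWN_GOOD, n=1,
                                      cutoff=LOOKALIKE_CUTOFF)
    if close:
        return f"lookalike of {close[0]}"
    return "unknown"


def scan_page(html, page_host):
    """Return (src, verdict) for every script loaded from another host."""
    parser = ScriptSrcParser()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        host = urlparse(src).hostname  # None for relative paths
        if not host or host == page_host.lower():
            continue  # same-origin scripts are not what a watering hole adds
        findings.append((src, classify_host(host)))
    return findings


# Constructed sample page: one legitimate tag, one injected lookalike,
# one typo-squatted shortener and one unrelated third-party host.
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="//stats.google-analitics.com/ga.js"></script>
<script src="https://bitt.ly/counter.js"></script>
<script src="https://cdn.jsdelivr.net/lib.min.js"></script>
<script>console.log("inline");</script>
</head><body></body></html>
"""


if __name__ == "__main__":
    for src, verdict in scan_page(SAMPLE_HTML, "www.example.org"):
        print(f"{verdict:35s} {src}")
```

Running the script lists the four cross-origin scripts with their verdicts; the protocol-relative `//stats.google-analitics.com/ga.js` and the `bitt.ly` loader are reported as lookalikes while the genuine Google Analytics tag is reported as known. In a real deployment the allowlist would be the set of third-party scripts the site is meant to carry, and anything not on it, lookalike or not, deserves a look, since the injected JavaScript in this campaign was only the first stage.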

At the end of July 2021, shortly after Citizen Lab, Google and Microsoft published blogposts detailing Candiru's activities, ESET stopped seeing activity from this group. The operators appear to be taking a break, most likely to regroup and rework their campaign. ESET Research expects them to return in the coming months.

For more technical details on these website compromises in the Middle East, read the blogpost "Strategic web compromise in the Middle East with a pinch of Candiru" on WeLiveSecurity.


Written by newsbot
