Watering hole attacks on ministry and media websites

Researchers at the cyber security company ESET discovered attacks of the "watering hole" type, that is, strategic web compromise campaigns. This particular attack targeted government websites, online media sites, as well as the websites of internet service providers and aerospace/military technology companies.

Watering hole is the term used in cybersecurity for a targeted strategic attack in which attackers compromise a site that they expect potential victims to visit. They then wait for the malware to reach the computers of the victims who visit the site. The term itself refers to the place where animals go to drink water, which leaves them exposed to predators.


The sites compromised in the campaign are owned by media outlets in the United Kingdom, Yemen and Saudi Arabia, as well as Hezbollah, government agencies in Iran (Foreign Ministry), Syria (including the Ministry of Energy website) and Yemen (including the Ministries of Interior and Finance), internet service providers in Yemen and Syria, and aerospace/military technology companies in Italy and South Africa.

At the same time, the attackers cloned the website of a medical trade show in Germany. The website belonged to the MEDICA trade show of the World Medical Forum held in Düsseldorf, Germany.

The campaign appears to have strong links to Candiru, an Israeli spyware company recently added to the US Department of Commerce's blacklist, which sells cutting-edge offensive software tools and related services to government agencies.

"In 2018, we at ESET developed a custom system to locate watering holes on high-profile websites," said ESET researcher Matthieu Faou, who uncovered the watering hole campaigns. "On July 11, 2020, our system notified us that the website of the Iranian embassy in Abu Dhabi had been infected with malicious JavaScript code. The high-profile nature of our target made an impression and in the following weeks we noticed that other websites with links in the Middle East were also targets."

"The team was silent until January 2021, when we noticed a new wave of compromises. This second wave lasted until August 2021, when all the websites were cleaned up again, as they had been in 2020, most likely by the perpetrators themselves."

In this campaign, some visitors to the compromised websites may have been attacked through a browser exploit. However, ESET researchers were unable to obtain either the exploit or any part of the malware. This shows that the attackers chose to narrow the focus of their operations and did not want to expose their exploits, which demonstrates how targeted this campaign is. The compromised websites are used only as a starting point to reach the final targets.

It is very likely that the people running the watering hole campaigns are Candiru customers. The creators of the documents and the operators of the watering holes may also be the same. Since the Israeli company Candiru was recently added to the US Commerce Department's list of financial sanctions, a US-based organization cannot work with Candiru without first obtaining permission from the Commerce Department.

"A blogpost by Citizen Lab at the University of Toronto about Candiru, in the section titled 'A Saudi-Linked Cluster?', mentioned a spearphishing document uploaded to VirusTotal and several domains operated by the attackers. The domain names are variations of genuine URL shorteners and web analytics websites, which is the same technique used for the domains seen in the watering hole attacks," Faou explains, linking the attacks to Candiru.
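The monitoring approach the article describes (a system that watches high-profile sites for injected third-party JavaScript, where the injected domains imitate URL shorteners and web analytics services) can be sketched as a page-scanning check. The following is an added example and is not ESET's system or code; the baseline host list, the brand list and the sample HTML are constructed for the illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Hypothetical baseline: third-party script hosts recorded from a known-clean
# snapshot of the monitored site; anything else deserves a look.
BASELINE_HOSTS = {"www.google-analytics.com", "cdn.jsdelivr.net"}
# Analytics / URL-shortener brands that injected domains imitate (constructed list).
IMITATED_BRANDS = ["google-analytics", "googletagmanager", "bitly", "tinyurl", "matomo"]
SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.IGNORECASE)

def external_script_hosts(html):
    """Return the hostnames of all external <script src=...> tags in a page."""
    hosts = []
    for src in SCRIPT_SRC_RE.findall(html):
        if src.startswith("//"):        # protocol-relative URL
            src = "https:" + src
        host = urlparse(src).hostname   # None for same-origin paths such as /js/app.js
        if host:
            hosts.append(host.lower())
    return hosts

def classify_host(host):
    """Label a script host as 'baseline', 'lookalike:<brand>' or 'unknown'."""
    if host in BASELINE_HOSTS:
        return "baseline"
    # Second-level label (e.g. 'googie-analytics'); deliberately ignores co.uk-style suffixes.
    parts = host.split(".")
    label = re.sub(r"[^a-z0-9]", "", parts[-2] if len(parts) >= 2 else host)
    for brand in IMITATED_BRANDS:
        b = re.sub(r"[^a-z0-9]", "", brand)
        # Brand embedded in the label, or near-identical spelling: the "variation
        # of a genuine service" pattern the article describes.
        if b in label or SequenceMatcher(None, b, label).ratio() >= 0.8:
            return "lookalike:" + brand
    return "unknown"

def scan_page(html):
    """Map every external script host on the page to its classification."""
    return {host: classify_host(host) for host in external_script_hosts(html)}

# Constructed sample page: two baseline hosts, two lookalikes, one unknown host.
SAMPLE_HTML = """
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="//cdn.jsdelivr.net/npm/jquery.min.js"></script>
<script src="https://googie-analytics.example/ga.js"></script>
<script src="https://bitlyy.example/t.js"></script>
<script src="/js/app.js"></script>
<script src="https://static.example.org/site.js"></script>
"""
```

In practice the baseline would be refreshed from a trusted snapshot of each monitored site, and any "lookalike" or "unknown" verdict would be escalated for manual review rather than acted on automatically.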

At the end of July 2021, shortly after the publication of blogposts by Citizen Lab, Google and Microsoft detailing Candiru's activities, ESET stopped seeing activity from this group. The operators appear to be taking a break, most likely to reorganize and disguise their campaign. ESET Research expects them to return in the coming months.

For more technical details on these website attacks in the Middle East, read the blogpost "Strategic web compromise in the Middle East with a pinch of Candiru" at WeLiveSecurity.

iGuRu.gr

Written by newsbot