Watering hole attacks on ministry and media websites

Researchers at the cybersecurity company ESET have uncovered a series of "watering hole" attacks targeting government websites, online media, Internet service providers, and aerospace and military technology companies.

A "watering hole" attack is the cybersecurity term for a targeted, strategic attack in which the attackers compromise a website they believe their intended victims are likely to visit. They then wait for the malicious code planted there to reach the computers of the people who visit that site. The name comes from the watering hole where animals go to drink, which is exactly where they are most exposed to predators.


The websites compromised in this particular campaign belong to media outlets in the United Kingdom, Yemen and Saudi Arabia, as well as Hezbollah; to government agencies in Iran (Ministry of Foreign Affairs), Syria (including the Department of Energy website) and Yemen (including the Departments of Interior and Finance); to Internet service providers in Yemen and Syria; and to aerospace/military technology companies in Italy and South Africa.

At the same time, the attackers cloned a medical trade show website: the site of the MEDICA trade show of the World Medical Forum held in Düsseldorf, Germany.

The campaign appears to have strong ties to Candiru, an Israeli spyware company recently blacklisted by the US Department of Commerce, which sells sophisticated offensive software tools and related services to government agencies.

"In 2018, we at ESET developed a custom system to locate watering holes on high-profile websites," said ESET researcher Matthieu Faou, who uncovered the watering hole campaigns. "On July 11, 2020, our system notified us that the website of the Iranian embassy in Abu Dhabi had been infected with malicious JavaScript code. The high-profile nature of this target made an impression, and in the following weeks we noticed that other websites with links to the Middle East were also targeted."

"The group was silent until January 2021, when we noticed a new wave of compromises. This second wave lasted until August 2021, when all the websites were cleaned up again, as in 2020, most likely by the perpetrators themselves."

In this campaign, some visitors to these websites were most likely attacked through a browser exploit. However, ESET researchers were unable to obtain any of the exploits or malware payloads. This suggests the operators deliberately narrowed the focus of their operation so as not to expose their zero-day exploits, which shows how targeted the campaign was. The compromised websites served only as a starting point for reaching the final targets.

It is very likely that the people running the watering hole campaigns are Candiru customers, and the creators of the spearphishing documents and the operators of the watering holes may well be the same group. Since Candiru was recently added to the US Commerce Department's Entity List, a US-based organization cannot do business with Candiru without first obtaining a license from the Commerce Department.

"A blog post from the University of Toronto's Citizen Lab about Candiru, in the section titled 'A Saudi-Linked Cluster?', mentioned a spearphishing document uploaded to VirusTotal and several domains operated by the attackers. The domain names are variations of genuine URL shorteners and web analytics websites, which is the same pattern used for the domains seen in the watering hole attacks," Faou explains, linking the attacks to Candiru.
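To make the monitoring described above concrete, here is an added example written for this article (it is not ESET's system and not code from the ESET or Citizen Lab write-ups). It keeps a known-good snapshot of a monitored page, compares a later copy of the page against it, and reports any newly added external script host, flagging hosts that embed the name of a URL shortener or web-analytics service without being that service. The list of legitimate hosts, the brand tokens, the hostnames and the HTML snapshots are all constructed for the example.

```python
"""Added example: baseline-diff detection of an injected external script.

Illustrative code for this article, not ESET's scanner. It models the
idea behind a watering-hole monitor: keep a known-good snapshot of a
high-profile page, re-fetch it later, and alert when a new external
<script src> appears, especially one hosted on a domain that imitates a
URL shortener or web-analytics service. Hosts, tokens and HTML below are
constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Legitimate hosts an injected script might be made to resemble (assumed list).
LEGIT_HOSTS = {"www.google-analytics.com", "www.googletagmanager.com", "bit.ly"}
# Substrings that, in an unknown host, suggest imitation of such a service.
BRAND_TOKENS = ("analytics", "tagmanager", "bitly", "stats", "counter")


class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def external_script_hosts(html):
    """Return the set of hostnames that <script src> tags load code from.

    Relative paths such as /js/app.js have no host and are ignored;
    protocol-relative URLs (//host/x.js) are resolved with https.
    """
    parser = ScriptSrcParser()
    parser.feed(html)
    hosts = set()
    for src in parser.sources:
        host = urlparse(src.strip(), scheme="https").hostname
        if host:
            hosts.add(host.lower())
    return hosts


def looks_like_brand_imitation(host):
    """True if host is not a known service but embeds a service-like token."""
    if host in LEGIT_HOSTS:
        return False
    flat = host.replace("-", "")  # "web-analytics" and "webanalytics" match alike
    return any(tok in flat for tok in BRAND_TOKENS)


def new_script_hosts(baseline_html, current_html, site_host):
    """List (host, imitation_flag) for script hosts absent from the baseline.

    Scripts served from the monitored site itself or its subdomains are not
    reported; the campaign described here used separate lookalike domains.
    """
    added = external_script_hosts(current_html) - external_script_hosts(baseline_html)
    findings = []
    for host in sorted(added):
        if host == site_host or host.endswith("." + site_host):
            continue
        findings.append((host, looks_like_brand_imitation(host)))
    return findings


# Constructed snapshots of a fictional ministry page, before and after injection.
SITE_HOST = "www.ministry.example"
BASELINE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
</head><body><h1>Ministry news</h1></body></html>"""
COMPROMISED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<script src="//stats.web-analytics-cdn.test/collect.js"></script></body>',
)

if __name__ == "__main__":
    for host, imitation in new_script_hosts(BASELINE_HTML, COMPROMISED_HTML, SITE_HOST):
        print(f"new external script host: {host} (service imitation: {imitation})")
```

In practice the baseline would be refreshed whenever the site owner legitimately changes the page, and every new external host would be reviewed by a person; the token match is only a triage hint, since the attackers here chose domains specifically to blend in with ordinary analytics and shortener traffic.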

At the end of July 2021, shortly after Citizen Lab, Google and Microsoft published blog posts detailing Candiru's activities, ESET stopped seeing activity from this group. The operators appear to be taking a break, most likely to regroup and disguise their campaign. ESET Research expects them to return in the coming months.
For more technical details on these website compromises in the Middle East, read the blog post "Strategic web compromise in the Middle East with a pinch of Candiru" at WeLiveSecurity.

iGuRu.gr The Best Technology Site in Greece


Written by newsbot

