Watering hole attack uses Adobe Flash update warnings

News by Chandu Gopalakrishnan

Kaspersky discovered watering hole websites targeting Asian ethnic group; preferred method for toppers in ATP Who’s Who, said CYFIRMA researchers

Kaspersky researchers have discovered watering hole websites that were compromised to selectively trigger a drive-by download attack with fake Adobe Flash update warnings. 

“The threat actor’s unsophisticated but creative toolset has been evolving a lot since the inception date, may still be in development, and leverages Sojson obfuscation, NSIS installer, Python, open-source code, GitHub distribution, Go language, as well as Google Drive-based C2 channels,” wrote Kaspersky researchers Ivan Kwiatkowski, Félix Aime, Pierre Delcher.

The campaign, which “has been active since at least May 2019”, seems to target an Asian religious and ethnic group. However, its operational target was not clear because the researchers were not able to observe many live operations, and could not identify any overlap with known intrusion sets, said the report.

This is the most recent example of watering hole attacks discovered by Kaspersky reported, Kaspersky principal security researcher David Emm told SC Media UK

“In January this year, we detected watering-hole attacks aimed at residents of Hong Kong, in which the malware, LightSpy for iOS, was installed on victims’ smartphones. The malware landed on the phones when the victims visited one of several web sites disguised as local news resources — the attackers simply copied the code of real news outlets and created their own clones,” he said.  

The attackers used the lookalike sites to load iOS exploits onto victims’ phones, resulting in the installation of LightSpy. Links to the fake sites were distributed through forums popular with people in Hong Kong.

CYFIRMA researchers described watering hole as the type of attack in which cyber-criminals assess the browsing behaviour of the target -- individual, organisation, industry, sector or region -- to infect the websites they typically visit. The name is derived from predators in the natural world, who wait for an opportunity to attack their prey near watering holes. 

This type of attack is generally used for financial gain and typically the user’s machine is transparently compromised via a drive-by download attack that provides no clues to the user that his or her machine has been attacked, said the team -- delivery and operations president Saurabh Lal, manager Nageswaran Jegannathan, and senior analyst Soushikta Chowdhury -- in an email to SC Media UK.

They listed the attack as a four-step process:

1.      First, the attacker profiles a target organisation, group or sector to determine the types of websites that its users most frequently visit.

2.      Attacker then scans those websites for weaknesses and vulnerabilities.

3.      Using vulnerabilities on the website, they compromise the frequently-visited website and waits for a user at the target organisation to visit the website.

4.      They then use malicious code injected into the compromised website to infect the user’s machine, gain access to the network, and then move laterally to other systems as needed to achieve their objective.

The latest Kaspersky report listed eight websites in which live watering holes were running during the time of publishing the report. 

“Kaspersky alerted the targeted web sites and all of them are now disabled. In addition, we provided the local CERT with all the relevant information, including our private reports on this campaign. So, for now at least, the attack has been thwarted.  However, that’s not to say that this threat actor will not look to build new campaigns,” Emm told SC Media UK.

Number of APTs groups have historically used watering hole attacks and they continue to use this technique, said CYFIRMA researchers. Names such as OceanLotus of suspected Vietnamese state-sponsored group APT 32;  Turla APT of Russia; Gothic Panda of Chinese group APT3; MISSION2025 aka suspected Chinese state-sponsored threat actor APT 41 feature in CYFIRMA’s radar. 

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews