Watering-hole attacks target energy sector

Read time 2min 30sec
The attacks infect legitimate and frequently visited Web sites as a means of broadening reach.
The attacks infect legitimate and frequently visited Web sites as a means of broadening reach.

A slew of watering-hole attacks targeting oil and energy companies, starting in May this year, have possible links to attacks against the US Department of Labor Web site.

Watering-hole attacks infect legitimate and frequently visited Web sites as a means of broadening reach and avoiding blacklists. The infected Web site is not the mark, but the launching pad to infect a targeted victim list when the site is visited.

In a Cisco blog, security researcher Emmanuel Tacheau says, from May, the company noticed a number of "malicious redirects" that seemed to be part of a watering-hole style attack targeting the oil and energy industry. The structure consists of several compromised domains, containing a malicious iFrame, some of which play the role of redirector and others the role of malware host.

He says the malware employed in these attacks is a Trojan that captures system configurations, clipboard and keyboard data, and establishes an encrypted connection to a command and control server in Greece.

Encounters from the infected Web pages resulted from both direct browsing to the compromised sites or via searches that seemed legitimate and harmless.

"This is consistent with the premise of a watering-hole style attack that deliberately compromises Web sites likely to draw the intended targets, versus spear phishing or other means to entice the intended targets through illicit means."

However, what the company says is interesting is that of the 10 compromised Web sites, six were hosted on the same server, apparently serviced by the same Web design company, and three of the six were owned by the same parent company.

"This is likely an indication the sites were compromised via stolen login credentials, possibly a result of infection with the design firm or their hosting provider."

Possible connection?

Threatpost reported that, as the target companies were in the energy sector, it is likely that cyber crooks were trying to infect machines within that sector to exfiltrate intellectual property.

The target sites

* An oil and gas exploration firm with operations in Africa, Morocco, and Brazil;
* A company that owns multiple hydro-electric plants throughout the Czech Republic and Bulgaria;
* A natural gas power station in the UK;
* A gas distributor located in France;
* An industrial supplier to the energy, nuclear and aerospace industries; and
* Various investment and capital firms that specialise in the energy sector.

The Department of Labor attacks mentioned earlier used an IE 8 zero-day vulnerability, and infected the department's site exposure matrices Web site with Java script that redirected targets to the notorious Poison Ivy RAT.

The vulnerability was patched, but not before the attacks spread to nine other sites. Both the timing of the two attacks, and the exploit used to accomplish them led researchers to believe there could be a connection.

To protect against these attacks, Cisco says users should keep machines and Web browsers fully patched, to lower the number of vulnerabilities that can be exploited by attackers. All of the infected sites were notified and most have been cleaned up.

Login with