Watering-Hole Campaign Spies, Then Seeks Out Cyber-Attack Targets

Hackers compromised a popular industrial engineering Website by using JavaScript to collect information on visitors and log keystrokes.

Watering Hole Spy2

Visitors to a Website dedicated to industrial simulation software and system engineering were secretly monitored by malware that had infected the site in the latest assault on businesses using what's commonly known as a watering-hole attack.

The attack, first reported in a brief Aug. 28 analysis by security firm Alien Vault, involved a legitimate Website compromised by attackers, who then used JavaScript to collect information on visitors' systems and to capture keystrokes. Alien Vault declined to name the site.

The report adds to the growing body of evidence that watering-hole attacks, which compromise Websites with specialized clientele as a way to target the visitors, have become an increasingly popular tool among attackers.

In addition, attackers do not just use the attacks to compromise victims, but also to reconnoiter potential targets and further refine their methods for future attacks, Jaime Blasco, labs director of AlienVault, said in an email interview with eWEEK.

"We are seeing strategic Web compromises in key industries where attackers not only try to compromise visitors but also try to learn about the potential victim's environment, including security software, in order to plan and launch future attacks," he said. "The code we found in the servers was only doing collection and keylogging on the affected Websites."

In the latest attack, dubbed "Scanbox" by Alien Vault, the attackers collected information on victims, including their location, type of browser used, screen size, domains, language and operating system. In addition, the script has a number of plug-ins that gather information on other applications running on the system, including security software and the versions of commonly targeted programs, such as Office, Java and Adobe's Flash and Acrobat.

"This is a very powerful framework that gives attackers a lot of insight into the potential targets that will help them launch future attacks against them," Blasco writes in the analysis.

Watering-hole attacks have become an increasingly common component in the toolbox of nation-state cyber-attackers, which are generally considered the most sophisticated adversaries.

Since December 2012, when Chinese groups allegedly compromised the Council on Foreign Relations' Website as a way of targeting potential policy experts and government officials, a variety of Chinese groups have used watering-hole attacks, also known as Strategic Website Compromises (SWCs), to conduct reconnaissance and make it easier to hack specific targets.

"Attackers still have to clear the first hurdle of compromising and weaponizing a legitimate Website, but once that is done, there are advantages to using an SWC attack over spear-phishing," the report stated. "One is that, as security awareness increases, potential victims are becoming attuned to look for spear-phishing emails, and if they recognize them, they can thwart attackers at the outset."

In the past, attackers have compromised the U.S. Department of Labor's Website, which then attempted to infect visitors' computers through a zero-day exploit in Internet Explorer 8. Websites that serve professionals in critical-infrastructure industries are also a common intermediate target of watering-hole attacks.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...