Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/31/2020
03:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Researchers Uncover Unsophisticated - But Creative - Watering-Hole Attack

Holy Water campaign is targeting users of a specific religious and ethnic group in Asia, Kaspersky says.

A new malware distribution campaign targeted at users in Asian countries is the latest reminder of why attacks don't always have to be sophisticated to be effective.

The campaign involves the use of watering-hole websites to drop malware on systems belonging to members of a certain Asian religious and ethnic group. The watering holes have been established on more than 10 websites belonging to individuals, voluntary programs, charities, and other organizations related to the targeted religious group. All that users need to do to for malware to be downloaded on their systems is to simply visit the compromised websites.

Researchers from Kaspersky first spotted the campaign last December and have named it "Holy Water." In an advisory this week, the security vendor described the campaign as ongoing and involving the use of an unsophisticated but creative toolset that includes open source code, GitHub distribution, and the use of Go language and Google Drive-based command and communication channels.

According to Kaspersky, when a visitor lands on one of the watering holes, an already compromised component on it loads a malicious JavaScript that harvest information about the visitor's system and sends it off to an external attacker-controlled server. The external server vets the system information to determine whether the user is of potential interest.

If the user is identified as being of interest, another JavaScript loads a plugin that in turn triggers a pop-up urging the user to update their Adobe Flash software. Users who click on the pop-up end up having a backdoor called "Godlike12" installed on their systems. The malware allows the threat actor to take complete remote control of the infected device to steal sensitive data, modify files, gather logs, and conduct other malicious activity, Kaspersky said.

The threat group behind the campaign has also been using a second, modified version of an open source Python backdoor named "Stitch" in the attacks. This backdoor provides the attackers a way to exchange encrypted information with the command-and-control server, the security vendor said in its alert.

Ivan Kwiatkowski, senior security researcher at Kaspersky, says the motive for the Holy Water campaign remains unclear. But it is almost certainly not financially motivated. "Based on the extreme focus of this campaign, we assert that their objective was to gather intelligence on the target population," he says.

Creative Tactics
What makes the campaign different is how creative the attackers have been in their choice of tools, Kwiatkowski says. The Holy Water campaign has been leveraging free, third-party services instead of a proper infrastructure and made use of modified open source backdoors in its early phases.

"To us, this indicates that the attackers had to work with limited funding but were able to find ways to conduct their operations anyway," he says.

None of the tools that Kaspersky found the group using contain any state-of-the-art features. "But it is obvious that the group behind this campaign was able to achieve operational efficiency in a short time span," he says.

Kwiatkowski says Kaspersky has not been able to determine how the attackers initially compromised the websites that are being used as watering holes and planted malware on them. It is likely, though, that they exploited some software vulnerability. All of the water-holed websites that Kaspersky discovered were running WordPress, and a few of them were also hosted on the same IP address, he says.

Kaspersky has also not been able to confirm what information exactly the attackers are looking for in order to determine whether a visitor to one of the watering-hole websites is of interest to them. But based on the system information that is sent to the remote server, it appears the attackers are choosing their victims based on where they are located geographically.

The Holy Water campaign is a reminder why website administrators should keep their software stack up-to-date and have controls for detecting traces of compromise on their machines. "In the case of water-holing attacks, we recommend that measures are taken to detect any unplanned modification to the website's pages," Kwiatkowski says.

Websites that support at-risk communities need to pay attention to such campaigns as well, he adds. "[Such sites] are liable to be targeted as well because they are, in a way, access vectors to potential victims." Kwiatkowski says.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Untangling Third-Party Risk (and Fourth, and Fifth...)."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-28042
PUBLISHED: 2021-03-05
Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
CVE-2021-28041
PUBLISHED: 2021-03-05
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
CVE-2021-3377
PUBLISHED: 2021-03-05
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.
CVE-2021-3420
PUBLISHED: 2021-03-05
A flaw was found in newlib in versions prior to 4.0.0. Improper overflow validation in the memory allocation functions mEMALIGn, pvALLOc, nano_memalign, nano_valloc, nano_pvalloc could case an integer overflow, leading to an allocation of a small buffer and then to a heap-based buffer overflow.
CVE-2020-29020
PUBLISHED: 2021-03-05
Improper Access Control vulnerability in web service of Secomea SiteManager allows remote attacker to access the web UI from the internet using the configured credentials. This issue affects: Secomea SiteManager All versions prior to 9.4.620527004 on Hardware.