Drive-by Compromise

From attackics
Jump to navigation Jump to search
Drive-by Compromise
Technique
ID T817
Tactic Initial Access
Data Sources Packet capture, Network device logs, process use of network, Web proxy, Network intrusion detection system, SSl/TLS inspection

Description

Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session.With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website.

The adversary may target a specific community, such as trusted third party suppliers or other industry specific groups, which often visit the target website. This kind of targeted attack relies on a common interest, and is known as a strategic web compromise or watering hole attack.

The National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors.1 Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure related trade publications and informational websites.


Procedure Examples

  • ALLANITE leverages watering hole attacks to gain access into electric utilities.2
  • Dragonfly 2.0 utilized watering hole attacks to gather credentials, by compromising websites that energy sector organizations might access.3
  • Dragonfly used intermediate targets for watering hole attacks on an intended target. A line of code is injected into the header.php file, this is used to redirect the visitors to an adversary controlled IP.4
  • OilRig has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks.5
  • XENOTIME utilizes watering hole websites to target industrial employees.6
  • Bad Rabbit ransomware spreads through drive-by attacks where insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actor’s infrastructure.7