|Data Sources||Packet capture, Network device logs, Process use of network, Web proxy, Network intrusion detection system, SSL/TLS inspection|
Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website.
The adversary may target a specific community, such as trusted third-party suppliers or other industry-specific groups, which often visit the target website. This kind of targeted attack relies on a common interest, and is known as a strategic web compromise or watering hole attack.
The National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors.[1] Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure related trade publications and informational websites.
- ALLANITE leverages watering hole attacks to gain access into electric utilities.[2]
- Dragonfly 2.0 utilized watering hole attacks to gather credentials, by compromising websites that energy sector organizations might access.[3]
- Dragonfly used intermediate targets for watering hole attacks on an intended target. A line of code is injected into the header.php file, which is used to redirect visitors to an adversary-controlled IP.[4]
- OilRig has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks.[5]
- XENOTIME utilizes watering hole websites to target industrial employees.[6]
- Bad Rabbit ransomware spreads through drive-by attacks where insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is downloaded from the threat actor’s infrastructure.[7]
- Application Isolation and Sandboxing - Built-in browser sandboxes and application isolation may be used to contain web-based malware.
- Exploit Protection - Utilize exploit protection to prevent activities which may be exploited through malicious websites.
- Update Software - Ensure all browsers and plugins are kept updated to help prevent the exploit phase of this technique. Use modern browsers with security features enabled.
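
For site owners, the Dragonfly case above (a line injected into header.php that sends visitors to an adversary-controlled IP) can be checked for by auditing shared templates for references that leave the site's expected hosts. The following is an added example, not part of the original page or of any cited report; the allowlist, the sample template and the function names are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Markup and PHP constructs that make a visitor's browser contact another host.
REF_RE = re.compile(
    r"""(?:src|href|action)\s*=\s*["']([^"']+)["']"""
    r"""|location(?:\.href)?\s*=\s*["']([^"']+)["']"""
    r"""|header\(\s*["']Location:\s*([^"']+)["']""",
    re.IGNORECASE,
)

def is_ip_literal(host):
    """True when the host part is an IPv4/IPv6 address instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_template(text, allowed_hosts):
    """Return (line_no, host, reason) for each reference leaving the allowlist."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in REF_RE.finditer(line):
            url = next(g for g in match.groups() if g)
            host = urlparse(url.strip()).hostname
            if host is None:  # relative path, stays on this site
                continue
            if is_ip_literal(host):
                findings.append((line_no, host, "raw IP address"))
            elif host not in allowed_hosts:
                findings.append((line_no, host, "host not on allowlist"))
    return findings

# Constructed allowlist and header.php content (documentation addresses only).
ALLOWED_HOSTS = {"www.example.org", "cdn.example.org"}
SAMPLE_HEADER_PHP = """<?php get_template_part('nav'); ?>
<link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.example.org/jquery.min.js"></script>
<img src="http://192.0.2.10/logo.png">
<script src="https://stats.example.net/t.js"></script>
"""

if __name__ == "__main__":
    for line_no, host, reason in audit_template(SAMPLE_HEADER_PHP, ALLOWED_HOSTS):
        print(f"header.php:{line_no}: {host} ({reason})")
```

Running the same audit against a known-good copy of the template and comparing the findings separates newly injected references from third-party hosts the site has always used.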
1. NCAS. (2018, March 15). Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved October 11, 2019.
2. Eduard Kovacs. (2018, May 10). 'Allanite' Group Targets ICS Networks at Electric Utilities in US, UK. Retrieved January 3, 2020.
3. Symantec. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 14, 2017.
4. ICS-CERT. (2017, October 21). Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved October 23, 2017.
5. Eduard Kovacs. (2018, May 21). Group linked to Shamoon attacks targeting ICS networks in Middle East and UK. Retrieved January 3, 2020.
6. Chris Bing. (2018, May 24). Trisis masterminds have expanded operations to target U.S. industrial firms. Retrieved January 3, 2020.
7. Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov. (2017, October 27). Bad Rabbit Ransomware. Retrieved October 27, 2019.