Cyberespionage, another watering hole attack against US website

Pierluigi Paganini December 31, 2012

It’s Christmas time everywhere, but in cyberspace there is no holiday for governments: last week a new cyber espionage attack was detected, in which the website of the Council on Foreign Relations (CFR) was compromised.

The CFR is a strategic target for espionage: it is one of the most elite foreign policy organizations in the United States, with a membership of some 4,700 officials, former officials, journalists, and others.

The institutional website was used to exploit a new Internet Explorer zero-day vulnerability on visitors’ Windows machines. The technique used, dubbed a watering hole attack, is not new; security experts described it as part of a cyber espionage campaign named “The Elderwood Project”, dating back to 2009 and detailed in a Symantec publication in September 2012.

A “watering hole” attack consists of injecting malicious code into the public web pages of a site that the targets are known to visit. The injection method is commonly used by cyber criminals and hackers; the main difference between its use in cybercrime and in watering hole attacks lies in the choice of websites to compromise. The attackers do not compromise websites indiscriminately; they choose websites within a particular sector so as to infect persons of interest who likely work in that sector and are therefore likely to visit related websites.

The Symantec report states:

“Targeting a specific website is much more difficult than merely locating websites that contain a vulnerability. The attacker has to research and probe for a weakness on the chosen website. Indeed, in watering hole attacks, the attackers may compromise a website months before they actually use it in an attack. Once compromised, the attackers periodically connect to the website to ensure that they still have access. This way, the attackers can infect a number of websites in one stroke, thus preserving the value of their zero-day exploit. They are even in a position to inspect the website logs to identify any potential victims of interest. This technique ensures that they obtain the maximum return for their valuable zero-day exploit.”

Once a victim visits the compromised site, the vulnerable software for which the zero-day exploit was designed makes infection of the machine possible.

The cyber espionage campaign seems, once again, to have originated from China. Major security firms have received multiple reports of a new Internet Explorer zero-day vulnerability being exploited in the wild, and the compromised site was serving the zero-day exploit to infect machines as far back as December 21st.

The security company FireEye published a blog post on the attack: the hackers deployed malicious code on the website that exploits Internet Explorer version 8.0 (fully patched).

“We can also confirm that the malicious content hosted on the website does appear to use Adobe Flash to generate a heap spray attack against Internet Explorer version 8.0 (fully patched), which was the source of the zero-day vulnerability. We have chosen not to release the technical details of this exploit, as Microsoft is still investigating the vulnerability at this time.”

An interesting feature of the JavaScript hosting the exploit is that it only served the malicious code to browsers whose language was either English (U.S.), Chinese (China), Chinese (Taiwan), Japanese, Korean, or Russian:

var h=navigator.systemLanguage.toLowerCase();
if(h!="zh-cn" && h!="en-us" && h!="zh-tw" && h!="ja" && h!="ru" && h!="ko")

The blog post details the infection method:

“Once those initial checks passed, the JavaScript proceeded to load a flash file today.swf, which ultimately triggered a heap spray in Internet Explorer in order to complete the compromise of the endpoint. Once the browser is exploited, it appears to download “xsainfo.jpg,” which is the dropper encoded using single-byte XOR (key: 0x83, ignoring null bytes).”

FireEye experts revealed that in the description parameter reported alongside the MD5 of the malicious files they found Simplified Chinese text, <文件说明>, which translates to <File Description>.
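The single-byte XOR encoding FireEye describes (key 0x83, null bytes left untouched) can be spotted during triage of a suspicious download. The following Python sketch is an added example, not code from FireEye or from the original post: it checks whether a file served with an image extension actually starts with an image header, and recovers the XOR key by looking for a PE header in the decoded bytes. The function names, the `skip_key_byte` option and the sample bytes are assumptions constructed for illustration.

```python
PE_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"
JPEG_MAGIC = b"\xff\xd8\xff"


def xor_skip_nulls(data: bytes, key: int, skip_key_byte: bool = True) -> bytes:
    """XOR every byte with `key`, leaving 0x00 bytes untouched.

    skip_key_byte=True also leaves bytes equal to the key untouched. This is
    an assumption (the page only says "ignoring null bytes"); without it a
    plaintext byte equal to the key becomes 0x00 and cannot be recovered.
    """
    out = bytearray(data)
    for i, b in enumerate(out):
        if b == 0 or (skip_key_byte and b == key):
            continue
        out[i] = b ^ key
    return bytes(out)


def triage(blob: bytes, claimed_ext: str = ".jpg") -> dict:
    """Report header mismatch and any single-byte XOR key that reveals a PE."""
    result = {"magic_matches_ext": None, "xor_key": None, "verdict": "no PE found"}
    if claimed_ext.lower() in (".jpg", ".jpeg"):
        result["magic_matches_ext"] = blob.startswith(JPEG_MAGIC)
    for key in range(256):  # key 0 covers an unencoded executable
        decoded = xor_skip_nulls(blob[:4096], key)
        if decoded.startswith(PE_MAGIC) and DOS_STUB in decoded:
            result["xor_key"] = key
            result["verdict"] = "plain PE" if key == 0 else "XOR-encoded PE"
            break
    return result


def make_sample(key: int = 0x83) -> bytes:
    """Constructed stand-in for an encoded dropper: a bare DOS header, no payload."""
    fake_pe = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56 + DOS_STUB + b".\r\r\n$"
    return xor_skip_nulls(fake_pe, key)


if __name__ == "__main__":
    print(triage(make_sample()))
```

A file that claims to be a JPEG, fails the magic-byte check and decodes to a PE header under a single key is a strong signal for proxy or sandbox rules.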

Waterhole_Attack from Symantec

The malicious code has been removed, but it is not clear whether it was removed by the attackers to prevent further analysis or by the manager of the CFR website, who detected the malware.

Symantec security experts reported in a post:

“A flash file named today.swf was used to trigger the vulnerability in Internet Explorer. The flash file is detected as Trojan.Swifi and protection has been in place for our customers since December 21st. Further details and analysis will be provided soon.”

The Council on Foreign Relations spokesman, David Mikhail, declared:

“The Council on Foreign Relations’ website security team is aware of the issue and is currently investigating the situation,” “We are also working to mitigate the possibility for future events of this sort.”



Microsoft has acknowledged the exploited vulnerability in an official advisory, which contains advice on mitigating the threat the flaw poses to the browser. The company confirmed that IE versions 9 and 10 are not impacted.

Pierluigi Paganini
