Cyberespionage, another watering hole attack against US website

It's Christmas time everywhere, but in cyberspace there is no holiday for governments: last week a new cyber espionage attack was detected, in which the website of the Council on Foreign Relations (CFR) was compromised.

The CFR is a strategic target for espionage: it is one of the most elite foreign policy organizations in the United States, with a membership of some 4,700 officials, former officials, journalists, and others.

The institutional website was used to exploit a new Internet Explorer zero-day vulnerability on the Windows machines of its visitors. The technique used, dubbed a watering hole attack, is not new: security experts described it as part of a cyber espionage campaign named "The Elderwood Project", dating back to 2009 and detailed in a Symantec publication of September 2012.

A "watering hole" attack consists of injecting malicious code into the public web pages of a site that the targets are known to visit. The injection method itself is commonly used by cyber criminals and hackers; the main difference between its use in cybercrime and in watering hole attacks lies in the choice of websites to compromise. The attackers do not indiscriminately compromise any website: they focus on websites within a particular sector so as to infect persons of interest who likely work in that same sector and are therefore likely to visit related websites.

The Symantec report states:

“Targeting a specific website is much more difficult than merely locating websites that contain a vulnerability. The attacker has to research and probe for a weakness on the chosen website. Indeed, in watering hole attacks, the attackers may compromise a website months before they actually use it in an attack. Once compromised, the attackers periodically connect to the website to ensure that they still have access. This way, the attackers can infect a number of websites in one stroke, thus preserving the value of their zero-day exploit. They are even in a position to inspect the website logs to identify any potential victims of interest. This technique ensures that they obtain the maximum return for their valuable zero-day exploit.”

Once a victim visits the compromised site, the zero-day exploit, designed for the specific software running on the machine, makes its infection possible.

The cyber espionage campaign seems, once again, to originate from China. Major security firms have received multiple reports of a new Internet Explorer zero-day vulnerability being exploited in the wild; the compromised site was used to infect machines, serving up the zero-day exploit, as far back as December 21st.

The security company FireEye published a blog post on the attack: the hackers deployed on the website malicious code that allows the exploitation of Internet Explorer version 8.0 (fully patched).

“We can also confirm that the malicious content hosted on the website does appear to use Adobe Flash to generate a heap spray attack against Internet Explorer version 8.0 (fully patched), which was the source of the zero-day vulnerability. We have chosen not to release the technical details of this exploit, as Microsoft is still investigating the vulnerability at this time.”

An interesting feature of the JavaScript hosting the exploit is that it only served the malicious code to browsers whose language was one of English (U.S.), Chinese (China), Chinese (Taiwan), Japanese, Korean, or Russian:

// navigator.systemLanguage is an Internet Explorer-only property holding the OS locale tag (e.g. "en-us")
var h = navigator.systemLanguage.toLowerCase();
// Unless the locale is on the list of targeted languages, the script bails out instead of loading the exploit
if (h != "zh-cn" && h != "en-us" && h != "zh-tw" && h != "ja" && h != "ru" && h != "ko")
{
  location.href = "#";
}

The blog reports the details of the infection method:

“Once those initial checks passed, the JavaScript proceeded to load a flash file today.swf, which ultimately triggered a heap spray in Internet Explorer in order to complete the compromise of the endpoint. Once the browser is exploited, it appears to download “xsainfo.jpg,” which is the dropper encoded using single-byte XOR (key: 0x83, ignoring null bytes).”
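As an added illustration, not taken from the article or from FireEye, the following Python shows how an analyst would recover a dropper encoded the way the quote describes and triage the result. It assumes that "ignoring null bytes" means 0x00 bytes are passed through untouched, and the PE stub it works on is constructed, not the real xsainfo.jpg.

```python
# Added example (not from the article or FireEye): undo the encoding FireEye
# described for xsainfo.jpg: single-byte XOR with key 0x83, null bytes left as-is.
# Treating "ignoring null bytes" as "0x00 passes through unchanged" is an assumption.
from __future__ import annotations

XOR_KEY = 0x83  # key stated in the FireEye quote


def xor_decode_skip_nulls(data: bytes, key: int = XOR_KEY) -> bytes:
    """Undo the single-byte XOR, passing 0x00 bytes through unchanged.
    Skipping nulls keeps the long zero runs of a PE file intact, so the
    encoded blob does not degenerate into a uniform stream of 0x83 bytes."""
    return bytes(b if b == 0 else b ^ key for b in data)


def xor_encode_skip_nulls(data: bytes, key: int = XOR_KEY) -> bytes:
    # XOR is symmetric, so encoding is the same operation as decoding.
    return xor_decode_skip_nulls(data, key)


def looks_like_pe(data: bytes) -> bool:
    """Cheap triage check on the decoded blob: a Windows executable starts with
    the 'MZ' DOS header and carries a 'PE\\0\\0' signature at the offset stored
    in e_lfanew (bytes 0x3C..0x3F, little-endian)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_sample_pe_stub() -> bytes:
    """Constructed stand-in for a dropper: a minimal DOS header whose e_lfanew
    points at a PE signature. It is not a runnable executable."""
    header = bytearray(b"MZ\x90\x00\x03\x00\x00\x00")
    header += b"\x00" * (0x3C - len(header))
    header += (0x40).to_bytes(4, "little")  # e_lfanew = 0x40
    header += b"PE\x00\x00"
    return bytes(header)


def recover_dropper(encoded: bytes) -> tuple[bytes, bool]:
    """Decode a captured blob and report whether it triages as a PE file."""
    decoded = xor_decode_skip_nulls(encoded)
    return decoded, looks_like_pe(decoded)


if __name__ == "__main__":
    blob = xor_encode_skip_nulls(build_sample_pe_stub())  # constructed encoded blob
    decoded, is_pe = recover_dropper(blob)
    print(f"decoded {len(decoded)} bytes, PE header present: {is_pe}")
```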

FireEye experts also revealed that in the description parameter listed alongside the MD5 hashes of the malicious files they found the simplified Chinese string <文件说明>, which translates to <File Description>.


The malicious code has since been removed, but it is not clear whether this was done by the attackers to prevent further analysis or by the administrators of the CFR website after they detected the malware.

Symantec security experts reported in a post:

“A flash file named today.swf was used to trigger the vulnerability in Internet Explorer. The flash file is detected as Trojan.Swifi and protection has been in place for our customers since December 21st. Further details and analysis will be provided soon.”

The Council on Foreign Relations spokesman, David Mikhail, declared:

“The Council on Foreign Relations’ website security team is aware of the issue and is currently investigating the situation. We are also working to mitigate the possibility for future events of this sort.”


Microsoft has officially acknowledged the exploited vulnerability in a security advisory, which contains some advice to mitigate the threat to the browser; the company confirmed that IE versions 9 and 10 are not impacted.

Pierluigi Paganini
