State-sponsored hackers are using watering hole attacks to hijack trusted websites and turn them into malware distribution tools.
The campaign was uncovered by security firm Context. Its chief executive, Mark Raeburn, said there had been a marked increase in the number of attacks targeting businesses, and confirmed that hackers have compromised websites belonging to big-name firms such as Information Handling Services (IHS).
"In this case the predatory tiger was a state-sponsored attacker and the prey was the target companies visiting the site," he said. "Our Response Team picked up traffic beaconing activity from a remote access Trojan (RAT) known as PlugX, which gives an attacker control over a compromised host and is suspected of being attributable to one of the more aggressive and active Chinese state-sponsored groups."
Context senior consultant Nick Mazitelli told V3 the news is particularly troubling because many of the affected companies hold military and government contracts or operate in areas of critical infrastructure. Mazitelli said the sophistication of the attack, combined with the atypical use of watering hole attacks rather than basic phishing, is also problematic.
“The key difference with the watering hole method of attack is the breadth of organisations potentially affected by it. Using a popular website in this manner means that a large number of organisations can be attacked and compromised in a short amount of time. However, for individual organisations that may have been compromised by the attack the outcome remains the same: a determined, aggressive and capable attacker on their network and the potential loss of sensitive or confidential information,” he said.
“Once the compromise progresses beyond this initial attack, i.e. once the attacker has developed a foothold through the watering hole, the compromise will progress in much the same way as it would following the use of attack methods that have been more prevalent historically, for example phishing emails. So the potential damage remains at the same high level, with a capable attacker expanding their control of the compromised network and harvesting sensitive information.”
Context reported that the change in tactic also indicates the new campaign is state-sponsored. The firm highlighted a group known variously as "FlowerLady" and "FlowerShow" as the most likely suspect. The group is believed to be of Chinese origin and has a track record of mounting opportunistic attacks on Western companies of economic, technological or military significance.
Raeburn said many of the infected sites have already been cleaned up, and it is unclear how many web users have fallen victim to the attack. He added that the threat can be mitigated if companies implement up-to-date security practices and protection tools.
"Phishing campaigns are often seen as the primary, or only, avenue of compromise when it comes to targeted attacks, but companies need to be more aware of the threat from alternative vectors such as watering hole attacks and take measures to identify malicious activity and mitigate the risks, regardless of the source," said Raeburn.
"Better awareness and activity monitoring, including information from across the network and down to the level of individual PCs, is vital and should be combined with a robust programme of proactive security improvement."
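The kind of monitoring Raeburn describes comes down to spotting a compromised PC calling home on a timer, which is what Context's team saw with the PlugX beaconing. The following is an added illustration, not code from Context or the article: it runs over a constructed set of proxy log lines (the hostnames, IP addresses and timings are made up for the example) and flags host pairs whose request timing and request size are too regular to be a person browsing. Real implants often add jitter or long sleep intervals, so the thresholds are assumptions to be tuned against local traffic rather than fixed values.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log, format "timestamp src_ip dst_host bytes".
# 10.1.1.23 polls one host about once a minute with near-identical request
# sizes (beacon-like); 10.1.1.40 browses two hosts irregularly. Not real data.
SAMPLE_LOG = """\
2013-09-02T10:00:00 10.1.1.23 update-check.example.net 412
2013-09-02T10:00:05 10.1.1.40 news.example.com 18820
2013-09-02T10:01:01 10.1.1.23 update-check.example.net 410
2013-09-02T10:01:17 10.1.1.40 cdn.example.org 9020
2013-09-02T10:02:00 10.1.1.23 update-check.example.net 415
2013-09-02T10:02:59 10.1.1.23 update-check.example.net 411
2013-09-02T10:03:44 10.1.1.40 news.example.com 2210
2013-09-02T10:04:01 10.1.1.23 update-check.example.net 413
2013-09-02T10:05:00 10.1.1.23 update-check.example.net 409
2013-09-02T10:05:02 10.1.1.40 cdn.example.org 1200
2013-09-02T10:06:00 10.1.1.23 update-check.example.net 414
2013-09-02T10:09:30 10.1.1.40 news.example.com 30100
"""


def parse_log(text):
    """Parse 'timestamp src_ip dst_host bytes' lines into tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return records


def find_beacons(records, min_hits=5, max_interval_cv=0.15, max_size_cv=0.25):
    """Flag (src, dst) pairs that look like a RAT calling home.

    A pair is reported when it has at least min_hits requests and both the
    inter-request interval and the request size have a low coefficient of
    variation (stdev / mean). Thresholds are illustrative assumptions.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, size in sorted(records):
        by_pair[(src, dst)].append((ts, size))

    beacons = []
    for (src, dst), hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        sizes = [s for _, s in hits]
        interval_mean = mean(intervals)
        if interval_mean == 0:
            continue  # all hits in the same second; not a timer
        interval_cv = pstdev(intervals) / interval_mean
        size_cv = pstdev(sizes) / mean(sizes)
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            beacons.append({
                "src": src,
                "dst": dst,
                "hits": len(hits),
                "mean_interval_s": interval_mean,
                "interval_cv": interval_cv,
                "size_cv": size_cv,
            })
    return beacons


if __name__ == "__main__":
    for b in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{b['src']} -> {b['dst']}: {b['hits']} hits every "
              f"~{b['mean_interval_s']:.0f}s (interval CV {b['interval_cv']:.3f})")
```

On the constructed log only the once-a-minute poller from 10.1.1.23 is reported; the browsing host never reaches the hit threshold. In practice a hit like this is a lead to pull the host's process list and outbound connections rather than a verdict, since legitimate software updaters beacon too, and a longer observation window is needed for implants that sleep for hours between check-ins.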
The attack is one of many suspected state-sponsored campaigns detected this year. The South Korean government recently reported uncovering evidence linking North Korea to a wave of attacks on its networks.