Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website.
The adversary may target a specific community, such as trusted third-party suppliers or other industry-specific groups that often visit the target website. This kind of targeted attack relies on a shared interest in the compromised site, and is known as a strategic web compromise or watering hole attack.
The National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors. [1] Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure related trade publications and informational websites.
| ID | Name | Description |
|---|---|---|
| G1000 | ALLANITE | ALLANITE leverages watering hole attacks to gain access into electric utilities. [2] |
| S0606 | Bad Rabbit | Bad Rabbit ransomware spreads through drive-by attacks in which insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is downloaded from the threat actor's infrastructure. [3] |
| G0035 | Dragonfly | Dragonfly utilized watering hole attacks on energy sector websites by injecting a redirect iframe to deliver Backdoor.Oldrea or Trojan.Karagany. [4] |
| G0049 | OilRig | OilRig has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks. [2] |
| G0088 | TEMP.Veles | TEMP.Veles utilizes watering hole websites to target industrial employees. [5] |
| ID | Asset |
|---|---|
| A0001 | Workstation |
| ID | Mitigation | Description |
|---|---|---|
| M0948 | Application Isolation and Sandboxing | Built-in browser sandboxes and application isolation may be used to contain web-based malware. |
| M0950 | Exploit Protection | Utilize exploit protection to block activities that malicious web sites may attempt to exploit. |
| M0921 | Restrict Web-Based Content | Restrict browsers to limit the capabilities of malicious ads and JavaScript. |
| M0951 | Update Software | Ensure all browsers and plugins are kept updated to help prevent the exploit phase of this technique. Use modern browsers with security features enabled. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0015 | Application Log | Application Log Content | Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources, such as how old a domain is, whom it is registered to, whether it is on a known-bad list, or how many other users have connected to it before. |
| DS0022 | File | File Creation | Monitor for newly constructed files written to disk as a result of a user visiting a website over the normal course of browsing. |
| DS0029 | Network Traffic | Network Connection Creation | Monitor for newly constructed network connections to untrusted hosts that are used to send or receive data. |
| DS0029 | Network Traffic | Network Traffic Content | Monitor for unusual network traffic that may indicate additional tools transferred to the system. Use network intrusion detection systems, sometimes with SSL/TLS inspection, to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code. |
| DS0009 | Process | Process Creation | Monitor for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. This could include suspicious files written to disk. |
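The Application Log detection above describes reputation-based analytics on proxy logs (domain age, known-bad lists, how many internal users have contacted a host before, and executable downloads). The following is an added example, not code from this page or from MITRE, showing how those signals combine into a triage score over proxy log lines. The log lines, the allowlist, the known-bad list and the domain-registration table are all constructed, hypothetical data so the script runs offline; a real deployment would source them from WHOIS/RDAP, a threat-intelligence feed and the proxy's own history.

```python
"""Reputation-style triage of web-proxy log lines for drive-by compromise.

Added example for this page (not MITRE's code). All feeds and log lines
below are constructed so the script runs offline.
"""
from collections import defaultdict
from datetime import date

# Constructed proxy log: "timestamp client_ip host url_path status bytes".
# 10.0.0.11 visits a trade-publication site, which pulls a script from a
# newly registered host that then serves an executable.
PROXY_LOG = """\
2024-03-01T09:00:01 10.0.0.11 www.example-trade-pub.com /news/scada-update.html 200 18320
2024-03-01T09:00:02 10.0.0.11 cdn.example-trade-pub.com /js/site.js 200 4410
2024-03-01T09:00:03 10.0.0.11 a1b2c3-static.example.net /lib/jquery.min.js?id=9f3a 200 61234
2024-03-01T09:00:04 10.0.0.11 a1b2c3-static.example.net /dl/update.exe 200 512000
2024-03-01T09:05:10 10.0.0.12 www.example-trade-pub.com /news/ics-vendor-list.html 200 9900
2024-03-01T09:05:11 10.0.0.12 a1b2c3-static.example.net /lib/jquery.min.js?id=9f3a 200 61234
2024-03-01T09:10:00 10.0.0.13 www.example-trade-pub.com /index.html 200 12000
"""

# Constructed reputation feeds (hypothetical values).
DOMAIN_REGISTERED = {
    "www.example-trade-pub.com": date(2009, 6, 14),
    "cdn.example-trade-pub.com": date(2009, 6, 14),
    "a1b2c3-static.example.net": date(2024, 2, 20),  # registered 10 days before the log
}
KNOWN_BAD = {"a1b2c3-static.example.net"}
ALLOWLIST = {"www.example-trade-pub.com", "cdn.example-trade-pub.com"}
TODAY = date(2024, 3, 1)  # reference date for domain-age calculation

NEW_DOMAIN_DAYS = 30
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".msi", ".scr", ".jar", ".hta")


def parse_line(line):
    """Split one constructed log line into a record."""
    ts, client, host, path, status, size = line.split()
    return {"ts": ts, "client": client, "host": host, "path": path,
            "status": int(status), "bytes": int(size)}


def score_host(host, path, prior_clients):
    """Return (score, reasons) for one request; higher means more analyst attention.

    prior_clients is the number of distinct internal clients that had already
    contacted this host earlier in the log (the 'how many other users' signal).
    """
    if host in ALLOWLIST:
        return 0, ["allowlisted"]
    score, reasons = 0, []
    if host in KNOWN_BAD:
        score += 50
        reasons.append("on known-bad list")
    registered = DOMAIN_REGISTERED.get(host)
    if registered is None:
        score += 20
        reasons.append("no registration record")
    elif (TODAY - registered).days < NEW_DOMAIN_DAYS:
        score += 30
        reasons.append(f"domain registered {(TODAY - registered).days} days ago")
    if prior_clients < 3:
        score += 10
        reasons.append(f"only {prior_clients} prior internal client(s)")
    if path.split("?")[0].lower().endswith(EXECUTABLE_SUFFIXES):
        score += 40
        reasons.append("executable download")
    return score, reasons


def triage(log_text, threshold=30):
    """Walk the log in order and return (client, host, path, score, reasons)
    for every request at or above the threshold. The per-host client set is
    updated after scoring so each request is judged on history up to that point."""
    seen = defaultdict(set)
    alerts = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        score, reasons = score_host(rec["host"], rec["path"], len(seen[rec["host"]]))
        seen[rec["host"]].add(rec["client"])
        if score >= threshold:
            alerts.append((rec["client"], rec["host"], rec["path"], score, reasons))
    return alerts


if __name__ == "__main__":
    for client, host, path, score, reasons in triage(PROXY_LOG):
        print(f"{client} -> {host}{path}  score={score}  {'; '.join(reasons)}")
```

Run against the constructed log, the two allowlisted hosts never alert, while the newly registered host scores 90 for the script fetches and 130 for the executable download that follows, which is the sequence a watering hole redirect would produce. Tune the weights and threshold to the environment; the point is that no single signal (age, list membership, prior visitors, file type) is decisive on its own, but they stack.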