Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website.
The adversary may target a specific community, such as trusted third party suppliers or other industry specific groups, which often visit the target website. This kind of targeted attack relies on a common interest, and is known as a strategic web compromise or watering hole attack.
The National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors. [1] Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure related trade publications and informational websites.
ID | Name | Description |
---|---|---|
G1000 | ALLANITE |
ALLANITE leverages watering hole attacks to gain access into electric utilities. [2] |
S0606 | Bad Rabbit |
Bad Rabbit ransomware spreads through drive-by attacks where insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actors infrastructure. [3] |
G0035 | Dragonfly |
Dragonfly utilized watering hole attacks on energy sector websites by injecting a redirect iframe to deliver Backdoor.Oldrea or Trojan.Karagany. [4] |
G0049 | OilRig |
OilRig has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks. [2] |
G0088 | TEMP.Veles |
TEMP.Veles utilizes watering hole websites to target industrial employees. [5] |
ID | Asset |
---|---|
A0001 | Workstation |
ID | Mitigation | Description |
---|---|---|
M0948 | Application Isolation and Sandboxing |
Built-in browser sandboxes and application isolation may be used to contain web-based malware. |
M0950 | Exploit Protection |
Utilize exploit protection to prevent activities which may be exploited through malicious web sites. |
M0921 | Restrict Web-Based Content |
Restrict browsers to limit the capabilities of malicious ads and Javascript. |
M0951 | Update Software |
Ensure all browsers and plugins are kept updated to help prevent the exploit phase of this technique. Use modern browsers with security features enabled. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0015 | Application Log | Application Log Content |
Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before. |
DS0022 | File | File Creation |
Monitor for newly constructed files written to disk through a user visiting a website over the normal course of browsing. |
DS0029 | Network Traffic | Network Connection Creation |
Monitor for newly constructed network connections to untrusted hosts that are used to send or receive data. |
Network Traffic Content |
Monitor for unusual network traffic that may indicate additional tools transferred to the system. Use network intrusion detection systems, sometimes with SSL/TLS inspection, to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code. |
||
DS0009 | Process | Process Creation |
Monitor for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. This could include suspicious files written to disk. |