Drive-by Compromise

Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website.

The adversary may target a specific community, such as trusted third party suppliers or other industry specific groups, which often visit the target website. This kind of targeted attack relies on a common interest, and is known as a strategic web compromise or watering hole attack.

The National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors. [1] Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure related trade publications and informational websites.

ID: T0817
Sub-techniques: No sub-techniques
Tactic: Initial Access
Platforms: None
Version: 1.0
Created: 21 May 2020
Last Modified: 13 October 2023

Procedure Examples

ID Name Description
G1000 ALLANITE

ALLANITE leverages watering hole attacks to gain access into electric utilities. [2]

S0606 Bad Rabbit

Bad Rabbit ransomware spreads through drive-by attacks in which insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is downloaded from the threat actor's infrastructure. [3]

G0035 Dragonfly

Dragonfly utilized watering hole attacks on energy sector websites by injecting a redirect iframe to deliver Backdoor.Oldrea or Trojan.Karagany. [4]

G0049 OilRig

OilRig has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks. [2]

G0088 TEMP.Veles

TEMP.Veles utilizes watering hole websites to target industrial employees. [5]

Targeted Assets

ID Asset
A0001 Workstation

Mitigations

ID Mitigation Description
M0948 Application Isolation and Sandboxing

Built-in browser sandboxes and application isolation may be used to contain web-based malware.

M0950 Exploit Protection

Use exploit protection to block exploitation attempts delivered through malicious websites.

M0921 Restrict Web-Based Content

Restrict browsers to limit the capabilities of malicious ads and JavaScript.

M0951 Update Software

Ensure all browsers and plugins are kept updated to help prevent the exploit phase of this technique. Use modern browsers with security features enabled.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Firewalls and proxies can inspect URLs for known-bad domains or parameters. They can also apply reputation-based analytics to websites and the resources they request, such as how old a domain is, to whom it is registered, whether it appears on a known-bad list, or how many other users have connected to it before.

DS0022 File File Creation

Monitor for newly created files written to disk as a result of a user visiting a website in the normal course of browsing.

DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections to untrusted hosts that are used to send or receive data.

Network Traffic Content

Monitor for unusual network traffic that may indicate additional tools transferred to the system. Use network intrusion detection systems, sometimes with SSL/TLS inspection, to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code.

DS0009 Process Process Creation

Monitor for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. This could include suspicious files written to disk.
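The detection rows above describe four signals that an analyst would normally correlate: proxy-side reputation of the destination domain (DS0015), a browser writing an executable to disk (DS0022), a browser spawning a script host (DS0009), and a follow-on connection to an untrusted host (DS0029). The script below is an added example, not part of the ATT&CK page, that implements those rules over a constructed proxy log and a constructed endpoint event feed. The hostnames, dates, thresholds and log formats are all invented for illustration; the block list and first-seen table stand in for a threat-intel feed and a WHOIS or passive-DNS lookup.

```python
# Added example (not from the ATT&CK page): triage rules for drive-by compromise
# across proxy logs (DS0015) and endpoint file, process and network events
# (DS0022, DS0009, DS0029). All log lines, hostnames, dates and thresholds are
# constructed for illustration and are not real indicators.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe"}
RISKY_EXT = (".exe", ".dll", ".scr", ".hta", ".js", ".vbs", ".ps1")

# Constructed stand-ins for a block list and a domain first-seen feed.
KNOWN_BAD = {"cdn-update.invalid"}
FIRST_SEEN = {
    "intranet.example": date(2015, 3, 1),
    "tradepub.example": date(2012, 6, 9),
    "cdn-update.invalid": date(2023, 9, 30),
    "stats-node.invalid": date(2023, 10, 1),
}
TODAY = date(2023, 10, 13)

# Constructed proxy log: "<timestamp> <user> <url> <status>".
PROXY_LOG = [
    "2023-10-13T09:14:02 alice https://tradepub.example/ics-news 200",
    "2023-10-13T09:14:03 alice https://stats-node.invalid/a.js 200",
    "2023-10-13T09:20:10 bob https://tradepub.example/ics-news 200",
    "2023-10-13T09:20:11 bob https://stats-node.invalid/a.js 200",
    "2023-10-13T10:02:44 carol https://tradepub.example/ 200",
    "2023-10-13T10:02:45 carol https://cdn-update.invalid/flash_update.exe 200",
    "2023-10-13T10:05:00 dave https://intranet.example/ 200",
    "2023-10-13T10:06:30 alice https://intranet.example/ 200",
]

# Constructed endpoint telemetry from two workstations.
ENDPOINT_EVENTS = [
    {"type": "process", "host": "ws-carol", "parent": "msedge.exe", "image": "msedge.exe"},
    {"type": "file", "host": "ws-carol", "process": "msedge.exe",
     "path": "C:\\Users\\carol\\Downloads\\flash_update.exe"},
    {"type": "process", "host": "ws-carol", "parent": "msedge.exe", "image": "powershell.exe"},
    {"type": "network", "host": "ws-carol", "process": "powershell.exe", "dest": "stats-node.invalid"},
    {"type": "file", "host": "ws-bob", "process": "msedge.exe",
     "path": "C:\\Users\\bob\\Downloads\\report.pdf"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def domain_reputation(proxy_lines, today=TODAY, min_age_days=30, min_users=2):
    """DS0015: flag each destination domain by block list, domain age and how
    many distinct users have visited it. Returns {domain: [reasons]}."""
    users = defaultdict(set)
    for line in proxy_lines:
        _ts, user, url, _status = line.split()
        users[urlsplit(url).hostname].add(user)
    reasons = {}
    for domain, seen_by in users.items():
        hits = []
        if domain in KNOWN_BAD:
            hits.append("known-bad")
        first = FIRST_SEEN.get(domain)
        if first is not None and (today - first).days < min_age_days:
            hits.append(f"young-domain ({(today - first).days} days)")
        if len(seen_by) < min_users:
            hits.append(f"rare ({len(seen_by)} distinct users)")
        reasons[domain] = hits
    return reasons


def endpoint_findings(events, untrusted_domains):
    """DS0022 / DS0009 / DS0029: a browser writing an executable, a browser
    spawning a script host, and a non-browser process reaching an untrusted domain."""
    out = []
    for ev in events:
        host = ev["host"]
        if ev["type"] == "file" and ev["process"] in BROWSERS and ev["path"].lower().endswith(RISKY_EXT):
            out.append(Finding(host, "browser-wrote-executable", ev["path"]))
        elif ev["type"] == "process" and ev["parent"] in BROWSERS and ev["image"] in SCRIPT_HOSTS:
            out.append(Finding(host, "browser-spawned-script-host", f"{ev['parent']} -> {ev['image']}"))
        elif ev["type"] == "network" and ev["process"] not in BROWSERS and ev["dest"] in untrusted_domains:
            out.append(Finding(host, "untrusted-connection", f"{ev['process']} -> {ev['dest']}"))
    return out


def triage(proxy_lines=PROXY_LOG, events=ENDPOINT_EVENTS):
    """Reputation flags feed the network rule; findings are grouped per
    workstation so the analyst sees the whole chain on one host at once."""
    rep = domain_reputation(proxy_lines)
    untrusted = {d for d, r in rep.items() if r}
    by_host = defaultdict(list)
    for f in endpoint_findings(events, untrusted):
        by_host[f.host].append(f)
    return rep, dict(by_host)


if __name__ == "__main__":
    rep, by_host = triage()
    for d, r in rep.items():
        print(f"{d}: {', '.join(r) or 'no flags'}")
    for host, findings in by_host.items():
        for f in findings:
            print(f"{host}: {f.rule}: {f.detail}")
```

Run stand-alone, the script flags the constructed `cdn-update.invalid` on all three reputation signals, flags `stats-node.invalid` only for its age, and reports the three-step chain on `ws-carol` (browser writes an executable, browser spawns PowerShell, PowerShell reaches a low-reputation domain) while leaving the PDF download on `ws-bob` alone. The low-prevalence rule is deliberately the weakest of the three: an internal site visited by one person is rare but not malicious, which is why it is combined with age and block-list hits rather than used on its own.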

References