Register to stream ATT&CKcon 2.0 October 29-30

Drive-by Compromise

A drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is targeted for exploitation.

Multiple ways of delivering exploit code to a browser exist, including:

  • A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, cross-site scripting.
  • Malicious ads are paid for and served through legitimate ad providers.
  • Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).

Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring. [1]

Typical drive-by compromise process:

  1. A user visits a website that is used to host the adversary controlled content.
  2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version.
    • The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.
  3. Upon finding a vulnerable version, exploit code is delivered to the browser.
  4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.
    • In some cases a second visit to the website after the initial scan is required before exploit code is delivered.

Unlike Exploit Public-Facing Application, the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.

ID: T1189
Tactic: Initial Access
Platform: Windows, Linux, macOS
Permissions Required: User
Data Sources: Packet capture, Network device logs, Process use of network, Web proxy, Network intrusion detection system, SSL/TLS inspection
Version: 1.0

Procedure Examples

Name Description
APT19 APT19 performed a watering hole attack on forbes.com in 2014 to compromise targets. [18]
APT32 APT32 has infected victims by tricking them into visiting compromised watering hole websites. [22]
APT37 APT37 has used strategic web compromises, particularly of South Korean websites, to distribute malware. The group has also used torrent file-sharing sites to more indiscriminately disseminate malware to victims. As part of their compromises, the group has used a Javascript based profiler called RICECURRY to profile a victim's web browser and deliver malicious code accordingly. [16] [6]
APT38 APT38 has conducted watering holes schemes to gain initial access to victims. [23]
BRONZE BUTLER BRONZE BUTLER compromised three Japanese websites using a Flash exploit to perform watering hole attacks. [9]
Dark Caracal Dark Caracal leveraged a watering hole to serve up malicious code. [17]
Darkhotel Darkhotel used embedded iframes on hotel login portals to redirect selected victims to download malware. [24]
Dragonfly 2.0 Dragonfly 2.0 compromised legitimate organizations' websites to create watering holes to compromise victims. [8]
Elderwood Elderwood has delivered zero-day exploits and malware to victims by injecting malicious code into specific public Web pages visited by targets within a particular sector. [10] [11] [12]
KARAE KARAE was distributed through torrent file-sharing websites to South Korean victims, using a YouTube video downloader application as a lure. [6]
Lazarus Group Lazarus Group delivered RATANKBA to victims via a compromised legitimate website. [7]
Leafminer Leafminer has infected victims using watering holes. [13]
Patchwork Patchwork has used watering holes to deliver files with exploits to initial victims. [14] [15]
PLATINUM PLATINUM has sometimes used drive-by attacks against vulnerable browser plugins. [19]
POORAIM POORAIM has been delivered through compromised sites acting as watering holes. [6]
Threat Group-3390 Threat Group-3390 has extensively used strategic web compromises to target victims. [20] [21]

Mitigations

Mitigation Description
Application Isolation and Sandboxing Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist.

Other types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist for these types of systems. [2] [3]

Exploit Protection Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. Many of these protections depend on the architecture and target application binary for compatibility. [4] [5]
Restrict Web-Based Content For malicious code served up through ads, adblockers can help prevent that code from executing in the first place.

Script blocking extensions can help prevent the execution of JavaScript that may commonly be used during the exploitation process.

Update Software Ensure all browsers and plugins kept updated can help prevent the exploit phase of this technique. Use modern browsers with security features turned on.

Detection

Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before.

Network intrusion detection systems, sometimes with SSL/TLS MITM inspection, can be used to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code.

Detecting compromise based on the drive-by exploit from a legitimate website may be difficult. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of browser processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.

References