Drive-By Compromise

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring an Application Access Token.

Multiple ways of delivering exploit code to a browser exist, including:

  • A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.
  • Malicious ads are paid for and served through legitimate ad providers.
  • Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).
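The first delivery route above, a legitimate site carrying injected code, is something a site owner can check for in their own pages. The scanner below is an added example written for this page (not MITRE's code or any product's): it walks a page's HTML with the standard-library parser and flags zero-size or hidden iframes, script tags loading from hosts outside an allow-list, and inline scripts that unpack content at runtime. The allow-list `TRUSTED_ORIGINS` and the sample page `SAMPLE_PAGE` are constructed assumptions.

```python
"""Flag injected-content patterns in a page's HTML (drive-by delivery checks).

Added example for this page, not MITRE's or any vendor's code. Standard library
only. TRUSTED_ORIGINS and SAMPLE_PAGE are constructed assumptions; a site owner
would replace the allow-list with the hosts their pages legitimately load from.
"""
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of hosts this site legitimately loads scripts and frames from.
TRUSTED_ORIGINS = {"www.example-gov.test", "static.example-gov.test"}

# Inline-script calls commonly used to unpack or stage content at runtime.
UNPACK_CALLS = re.compile(r"\b(eval|unescape|document\.write|String\.fromCharCode)\s*\(")


def _is_hidden(attrs: dict) -> bool:
    """True for frames sized 0/1 px or hidden via inline style."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
        if re.search(rf"{dim}:0*[01](px)?(;|$)", style):
            return True
    return False


def _external(url: str) -> bool:
    """A URL is external when it names a host outside the allow-list (relative URLs are local)."""
    host = urlparse(url).hostname or ""
    return bool(host) and host not in TRUSTED_ORIGINS


class InjectionScanner(HTMLParser):
    """Collects (finding_kind, evidence) pairs while parsing."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, str]] = []
        self._in_inline_script = False
        self._script_chunks: list[str] = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            if _is_hidden(a):
                self.findings.append(("hidden-iframe", src))
            elif _external(src):
                self.findings.append(("external-iframe", src))
        elif tag == "script":
            src = a.get("src", "")
            if src:
                if _external(src):
                    self.findings.append(("external-script", src))
            else:
                # HTMLParser hands inline script bodies to handle_data verbatim.
                self._in_inline_script = True
                self._script_chunks = []

    def handle_data(self, data):
        if self._in_inline_script:
            self._script_chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self._in_inline_script = False
            body = "".join(self._script_chunks).strip()
            if UNPACK_CALLS.search(body):
                self.findings.append(("obfuscated-inline-script", body[:60]))


def scan_html(html: str) -> list[tuple[str, str]]:
    """Return every finding in document order."""
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one legitimate script, one legitimate frame, and
# three injected elements of the kinds described above.
SAMPLE_PAGE = """<html><head>
<script src="https://static.example-gov.test/app.js"></script>
<script src="//cdn.unknown-ads.test/loader.js"></script>
</head><body>
<h1>Ministry portal</h1>
<iframe src="https://www.example-gov.test/map" width="600" height="400"></iframe>
<iframe src="https://frames.unknown-ads.test/f" width="0" height="0"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22https://frames.unknown-ads.test/f%22%3E'));</script>
</body></html>"""

if __name__ == "__main__":
    for kind, evidence in scan_html(SAMPLE_PAGE):
        print(f"{kind:26} {evidence}")
```

Run against the sample page it reports the protocol-relative ad loader, the zero-size frame and the `document.write(unescape(...))` script, and nothing for the two allow-listed resources. The heuristics are deliberately simple; the point is that a periodic diff of these findings against a known-good baseline of your own pages surfaces the injection before a visitor's browser does.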

Often the website used by an adversary is one visited by a specific community, such as a government, a particular industry, or a region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to as a strategic web compromise or watering hole attack. There are several known examples of this occurring.[1]

Typical drive-by compromise process:

  1. A user visits a website that is used to host the adversary controlled content.
  2. Scripts automatically execute, typically probing the browser and plugin versions for one known to be vulnerable.
    • The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.
  3. Upon finding a vulnerable version, exploit code is delivered to the browser.
  4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.
    • In some cases a second visit to the website after the initial scan is required before exploit code is delivered.

ID: T1456
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Initial Access
Platforms: Android, iOS
MTC ID: CEL-22
Version: 2.2
Created: 25 October 2017
Last Modified: 07 August 2023

Procedure Examples

ID Name Description
C0033 C0033

During C0033, PROMETHIUM distributed StrongPity through the compromised official Syrian E-Gov website.[2]

S0463 INSOMNIA

INSOMNIA has utilized malicious JavaScript and iframes to exploit WebKit running on vulnerable iOS 12 devices.[3]

S0289 Pegasus for iOS

Pegasus for iOS was distributed through a web site by exploiting vulnerabilities in the Safari web browser on iOS devices.[4]

S0328 Stealth Mango

Stealth Mango is delivered via a watering hole website that mimics the third-party Android app store APKMonk. In at least one case, the watering hole URL was distributed through Facebook Messenger.[1]

S0311 YiSpecter

YiSpecter is believed to have initially infected devices using internet traffic hijacking to generate abnormal popups.[5]

Mitigations

ID Mitigation Description
M1001 Security Updates

Security updates frequently contain patches for known exploits.

Detection

ID Data Source Data Component Detects
DS0013 Sensor Health Host Status

Mobile security products can often alert the user if their device is vulnerable to known exploits.
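A concrete form of that alert is comparing what the device reports against a patched baseline. The block below is an added example written for this page, not any product's logic: it compares an iOS version string against a floor version numerically rather than as text, and compares an Android security patch level (the YYYY-MM-DD value Android exposes in the `ro.build.version.security_patch` system property) against a floor date. The two floors `IOS_MIN_VERSION` and `ANDROID_MIN_PATCH_LEVEL` are illustrative assumptions.

```python
"""Flag a mobile device whose OS is below a patched baseline.

Added example for this page, not any vendor's product logic. Both baselines are
constructed for illustration; a real product would take them from the vendor's
security bulletins. The Android patch level is the YYYY-MM-DD string exposed as
the ro.build.version.security_patch system property.
"""
import re
from datetime import date

IOS_MIN_VERSION = "16.6"                       # assumed floor, illustrative only
ANDROID_MIN_PATCH_LEVEL = date(2023, 8, 1)     # assumed floor, illustrative only


def parse_version(text: str) -> tuple[int, ...]:
    """'16.5.1' -> (16, 5, 1); tolerates a trailing build id such as '16.5.1 (20F75)'."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def compare_versions(a: str, b: str) -> int:
    """Component-wise numeric comparison; returns -1, 0 or 1.

    Plain string comparison gets this wrong ('12.10' < '12.9' as text), and a
    missing trailing component counts as zero ('12.4' == '12.4.0').
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def assess_ios(version: str) -> dict:
    """Alert when the reported iOS version is below the floor."""
    outdated = compare_versions(version, IOS_MIN_VERSION) < 0
    return {"platform": "iOS", "observed": version,
            "baseline": IOS_MIN_VERSION, "alert": outdated}


def assess_android(patch_level: str) -> dict:
    """Alert when the reported security patch level is older than the floor date."""
    observed = date.fromisoformat(patch_level.strip())
    return {"platform": "Android", "observed": patch_level,
            "baseline": ANDROID_MIN_PATCH_LEVEL.isoformat(),
            "alert": observed < ANDROID_MIN_PATCH_LEVEL}


if __name__ == "__main__":
    # Constructed sample readings: two behind the baseline, two at or past it.
    for result in (assess_ios("16.5.1 (20F75)"), assess_ios("17.0"),
                   assess_android("2023-07-05"), assess_android("2023-09-05")):
        flag = "ALERT" if result["alert"] else "ok   "
        print(flag, result["platform"], result["observed"], "baseline", result["baseline"])
```

The numeric comparison matters in practice: a checker that compares version strings lexicographically would judge iOS 12.10 older than 12.9 and never raise the alert.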

References