The advantage of water hole attacks is that the target does not need to be socially engineered into visiting a malicious or compromised site. It is, quite simply, less labor-intensive. All it requires is for a website of interest to the target group to be compromised – and the attackers can just wait for the target to come calling in the normal course of things.
Context Information Security is now warning that it has seen an uptick in this approach: "watering hole cyber attacks are increasingly being used by state sponsored hackers to compromise large target groups within the same industries," it said in a statement this morning.
In particular, it notes a water hole attack on the IHS.com website. Information Handling Services (IHS) is the parent group to Jane's Information Group, a major source of military and intelligence analysis; Global Insights, which undertakes financial, economic and political analysis of countries, regions and industries; and Cambridge Energy Research Associates, which advises companies and governments on energy supply, geopolitics and strategy. "In this case," explained Mark Raeburn, CEO at Context, "the predatory tiger was a state sponsored attacker and the prey was the target companies visiting the site."
Context had noticed traffic from the PlugX RAT, which is, said Raeburn, "suspected of being attributable to one of the more aggressive and active Chinese state-sponsored groups." Because of this he believes the attackers were a group known as 'FlowerLady' or 'FlowerShow', which unlike the Comment Crew (or APT1) is thought to be Chinese state-sponsored rather than state-controlled.
Further analysis showed that the victim had been compromised on 14 March after visiting the IHS website.
When users visited the compromised IHS.com web site, explains Context, a Java archive signed by a fake certificate using the legitimate IHS.com name was downloaded onto the victim's machine. This redirected the user to a malicious domain that downloaded and executed the .exe PlugX file, and within ten seconds the RAT started receiving commands and sending data to a third, attacker-controlled, domain.
Although the IHS.com site has now been cleaned, it is not known how many visitors may have been compromised with PlugX. The problem is that while users can be trained to detect spear-phishing, there is no way for the user to recognize a compromised legitimate and popular website.
Nevertheless, "companies need to be more aware of the threat from alternative vectors such as watering hole attacks and take measures to identify malicious activity and mitigate the risks, regardless of the source," warns Raeburn. "Better awareness and activity monitoring, including information from across the network and down to the level of individual PCs, is vital and should be combined with a robust program of proactive security improvement."
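The chain Context describes (a Java archive served from the legitimate site, an executable fetched from a second domain, and a beacon to a third domain seconds later) is exactly the kind of sequence that the "activity monitoring" Raeburn calls for can surface in web proxy logs. The following Python is an added illustration, not Context's tooling or anything from the article: it correlates, per client, a JAR download followed within a short window by an executable download from a different host and then a POST to a third host. The log format, the hosts (all under the reserved `.invalid` TLD), the IPs and the time windows are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log: "timestamp client method url status content-type".
# Hostnames, IPs and times are made up for the example; only the shape of the
# chain (legit site -> JAR -> .exe from a second host -> POST to a third host)
# follows the article's description.
SAMPLE_LOG = """\
2013-03-14T09:12:01Z 10.0.0.21 GET http://www.ihs.com/index.html 200 text/html
2013-03-14T09:12:03Z 10.0.0.21 GET http://www.ihs.com/static/update.jar 200 application/java-archive
2013-03-14T09:12:04Z 10.0.0.21 GET http://stage-example.invalid/loader.exe 200 application/x-msdownload
2013-03-14T09:12:11Z 10.0.0.21 POST http://c2-example.invalid/update 200 application/octet-stream
2013-03-14T09:12:12Z 10.0.0.21 POST http://c2-example.invalid/update 200 application/octet-stream
2013-03-14T09:15:00Z 10.0.0.22 GET http://www.ihs.com/index.html 200 text/html
2013-03-14T09:15:05Z 10.0.0.22 GET http://www.ihs.com/static/app.jar 200 application/java-archive
2013-03-14T09:40:00Z 10.0.0.22 GET http://downloads-vendor.invalid/setup.exe 200 application/x-msdownload
"""

JAR_TYPES = {"application/java-archive", "application/x-java-archive"}
EXE_TYPES = {"application/x-msdownload", "application/x-dosexec"}


@dataclass
class Event:
    ts: datetime
    client: str
    method: str
    url: str
    status: int
    ctype: str

    @property
    def host(self) -> str:
        return urlparse(self.url).hostname or ""


def parse_log(text: str) -> list[Event]:
    """Parse the whitespace-separated constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, ctype = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            client, method, url, int(status), ctype))
    return events


def is_jar(e: Event) -> bool:
    return e.ctype in JAR_TYPES or e.url.lower().endswith(".jar")


def is_exe(e: Event) -> bool:
    return e.ctype in EXE_TYPES or e.url.lower().endswith(".exe")


def find_chains(events: list[Event], exe_window: int = 60, beacon_window: int = 30) -> list[dict]:
    """Per client, flag JAR -> cross-host .exe -> POST-to-a-third-host sequences.

    exe_window: max seconds between the JAR and the executable download.
    beacon_window: max seconds between the executable and the first POST elsewhere
    (the article reports the RAT talking to its controller within ten seconds).
    """
    by_client: dict[str, list[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_client.setdefault(e.client, []).append(e)

    alerts = []
    for client, evs in by_client.items():
        for i, jar in enumerate(evs):
            if not is_jar(jar):
                continue
            for j in range(i + 1, len(evs)):
                exe = evs[j]
                if exe.ts - jar.ts > timedelta(seconds=exe_window):
                    break  # events are time-ordered; nothing later can match
                if not is_exe(exe) or exe.host == jar.host:
                    continue
                for beacon in evs[j + 1:]:
                    if beacon.ts - exe.ts > timedelta(seconds=beacon_window):
                        break
                    if beacon.method == "POST" and beacon.host not in (jar.host, exe.host):
                        alerts.append({
                            "client": client,
                            "watering_hole": jar.host,
                            "stager": exe.host,
                            "c2": beacon.host,
                            "seconds_to_beacon": (beacon.ts - exe.ts).total_seconds(),
                        })
                        break  # one alert per JAR/exe pair is enough
    return alerts


if __name__ == "__main__":
    for alert in find_chains(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log the first client triggers an alert (JAR from the legitimate host, executable from a second host one second later, POST to a third host seven seconds after that), while the second client, whose executable download comes 25 minutes after the JAR, does not. The windows are deliberately tight because the point of this rule is the timing of the chain, not any single request; a production version would feed the three hosts into threat-intelligence lookups and tune the windows against the organisation's own baseline.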