UPDATE – Another high profile watering hole attack has been discovered, this one targeting visitors to the Council on Foreign Relations website.
The CFR is a Washington, D.C.-based think tank that provides foreign policy and foreign affairs resources to government officials, journalists, and business and education leaders. Its list of directors and members includes public figures such as former secretaries of state Madeleine K. Albright and Colin L. Powell, former treasury secretary Robert Rubin, former ambassador Carla A. Hills, former NBC anchor Tom Brokaw and many other influential industry leaders.
Watering hole attacks target topically connected websites that an attacker believes members of a particular organization will visit often. The attacker infects the website with malware that hits visitors with drive-by attacks. The site visitors are the ultimate targets; attackers are generally state-sponsored and hope to spy on their victims’ activities and siphon off business or military intelligence, experts say.
Watering hole attacks were used in the 2009 Aurora attacks on Google, Adobe and numerous other large technology and manufacturing companies. The tactic was also used in the Gh0stNet attacks, a widespread espionage campaign beginning in 2009 against numerous government agencies and embassies worldwide.
Security company FireEye reported Friday night that the CFR website had been compromised as early as Dec. 21 and was still hosting malware last Wednesday, the day after Christmas. Researchers there said the attackers were exploiting a zero-day vulnerability in Microsoft’s Internet Explorer browser.
“We can confirm that the malicious content hosted on the website does appear to use Adobe Flash to generate a heap spray attack against Internet Explorer version 8.0 (fully patched), which was the source of the zero-day vulnerability,” wrote FireEye’s Darien Kindlund on the company’s blog. “We have chosen not to release the technical details of this exploit, as Microsoft is still investigating the vulnerability at this time.”
Dustin Childs, group manager, Response Communications, Microsoft Trustworthy Computing, said in an email to Threatpost that the zero-day is in IE 6-8 and that the impact is limited.
“We will take appropriate action to help keep customers protected once our analysis is complete. People using Internet Explorer 9-10 are not impacted,” said Childs.
A closer look at the exploit reveals that the JavaScript hosting it triggers only against browsers whose language is set to English, Chinese (China and Taiwan), Japanese, Korean or Russian. The exploit also uses cookies to deliver the attack once per user and to track when the infected page was last visited, Kindlund said.
“Once those initial checks passed, the JavaScript proceeded to load a Flash file today.swf which ultimately triggered a heap spray in Internet Explorer in order to complete the compromise of the endpoint,” Kindlund said.
Once the attacker owns the browser, the exploit downloads a dropper called xsainfo.jpg.
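The two behaviours described above, a landing page that gates on browser language and a one-shot cookie before loading a Flash file, and a dropper served under an image name, are both things a defender can check for in captured artifacts. The script below is an added example written for this article, not code from FireEye or Threatpost: it runs a small set of heuristics over landing-page JavaScript and checks whether a file with an image extension actually carries an executable header. The locale tag spellings, the cookie name, the regexes and both sample inputs are constructed assumptions; the article does not reproduce the real script, and the `xsainfo.jpg` bytes used here are made up to illustrate the check.

```python
import re

# Locale tags for the languages the article says the page checked for
# (constructed forms; real scripts may spell them differently).
TARGET_LOCALES = ("en", "zh-cn", "zh-tw", "ja", "ko", "ru")

LANGUAGE_PROPS = re.compile(r"navigator\.(systemlanguage|userlanguage|language|browserlanguage)")
COOKIE_READ = re.compile(r"document\.cookie\s*\.\s*(indexof|match|split)")
COOKIE_WRITE = re.compile(r"document\.cookie\s*=")
SWF_LOAD = re.compile(r"['\"][^'\"]*\.swf['\"]")


def landing_page_indicators(js: str) -> dict:
    """Heuristic triage of captured landing-page JavaScript.

    Returns which of the three behaviours from the article are present:
    gating on several target locales, read-then-write of document.cookie
    (one delivery per visitor), and loading of a .swf file.
    """
    text = js.lower()
    locales_hit = [
        loc for loc in TARGET_LOCALES
        if re.search(r"['\"]%s(-[a-z]{2})?['\"]" % re.escape(loc), text)
    ]
    indicators = {
        "language_gating": bool(LANGUAGE_PROPS.search(text)) and len(locales_hit) >= 3,
        "one_shot_cookie": bool(COOKIE_READ.search(text)) and bool(COOKIE_WRITE.search(text)),
        "flash_loader": bool(SWF_LOAD.search(text)),
    }
    indicators["locales"] = locales_hit
    indicators["score"] = sum(1 for k in ("language_gating", "one_shot_cookie", "flash_loader") if indicators[k])
    return indicators


# File-type magic: a genuine JPEG starts with FF D8 FF; a Windows
# executable (PE) starts with the "MZ" DOS header.
JPEG_MAGIC = b"\xff\xd8\xff"
PE_MAGIC = b"MZ"
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".gif", ".png")


def disguised_executable(filename: str, data: bytes) -> bool:
    """True when a file served with an image extension carries a PE header."""
    return filename.lower().endswith(IMAGE_EXTENSIONS) and data.startswith(PE_MAGIC)


# Constructed sample inputs (not taken from the real CFR page).
SUSPICIOUS_JS = """
var l = navigator.systemLanguage.toLowerCase();
if (l == "en-us" || l == "zh-cn" || l == "zh-tw" || l == "ja" || l == "ko" || l == "ru") {
  if (document.cookie.indexOf("seen=") == -1) {
    document.cookie = "seen=1";
    var o = document.createElement("object");
    o.data = "today.swf";
    document.body.appendChild(o);
  }
}
"""

BENIGN_JS = """
var lang = navigator.language || navigator.userLanguage;
if (lang.indexOf("fr") == 0) { document.cookie = "lang=fr"; }
"""

FAKE_JPEG_DROPPER = b"MZ\x90\x00\x03\x00\x00\x00"   # constructed PE-looking bytes
REAL_JPEG_PREFIX = b"\xff\xd8\xff\xe0\x00\x10JFIF"  # constructed JPEG header


if __name__ == "__main__":
    print(landing_page_indicators(SUSPICIOUS_JS))
    print(landing_page_indicators(BENIGN_JS))
    print(disguised_executable("xsainfo.jpg", FAKE_JPEG_DROPPER))
    print(disguised_executable("photo.jpg", REAL_JPEG_PREFIX))
```

The locale check deliberately requires several target locales together with a read of a `navigator.*language` property, since a single locale comparison is common in ordinary localisation code; the cookie check requires both a read and a write, which is what a "deliver once per visitor" gate needs. Magic-byte checks of this kind are cheap to run on a proxy or in a sandbox and catch the common trick of naming a dropper after an image file.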
One of the largest waterholing attacks was carried out over the course of a month starting in June, according to RSA’s FirstWatch research team. The VOHO attack targeted government websites in Maryland, a regional bank in Massachusetts and several websites promoting democracy in oppressed regions of the world.
The Gh0st RAT malware was used in those attacks, which also hit the defense industrial base, education and political activism sites in D.C. and Boston. Gh0stNet is a remote access Trojan, and once it infects a victim it carries out surveillance activities such as logging keystrokes, opening embedded webcams or microphones, running code remotely and exfiltrating files. Gh0st RAT also connects and sends data to command and control servers. It has been tied to numerous state-sponsored attacks.
This article was updated Dec. 29 at 1:30 p.m. ET to add comments from Microsoft.