A new APT-style espionage campaign launched this summer targeting organizations tied to financial services, government agencies and the defense industry used a technique dubbed water holing to entice victims and silently redirect them to sites hosting zero-day exploits.
Researchers at RSA Security said this technique is not new (it was previously observed in the Aurora and Ghostnet attacks), but the month-long campaign held in June and July was the first time water holing was observed at any large scale. Water holing, as described by RSA’s Will Gragido, is an attack on legitimate, geographically or topically connected websites that an attacker believes members of a target organization will visit.
The latest attack, called VOHO by RSA’s FirstWatch research team, compromised a local government site in Maryland and a regional bank in Massachusetts as well as sites having ties to the promotion of democracy in oppressed regions. RSA described the victims as “entities and people that seek to promote democratic government in countries whose existing political structure and power doesn’t support (and indeed persecutes) such governmental change.”
Vulnerabilities on those websites were exploited and a new variant of the Gh0st RAT malware was dropped. A host of other sites related to the defense industrial base, education, political activism in the Washington, D.C., and Boston areas were also targeted.
Earlier this month, Symantec’s Elderwood Project report also connected the water holing technique to the Aurora hackers. Symantec, however, did not identify the compromised sites, nor the connection between the targets.
“We believe these websites were likely chosen with exact precision and great consideration; selected from thousands upon thousands of websites due to familiarity and proximity to the targets of interest that the threat actors responsible for the campaign were truly interested in compromising,” the RSA report said.
Visitors to any of those sites were silently redirected to a curling site; RSA redacted the name of the site from its report, but KrebsonSecurity.com reports the site to be torontocurling.com. That site then attempted to exploit a vulnerability in Microsoft XML Core Services or a Java flaw that was zero-day at the time. Once infected, Gh0st RAT would call out to command and control servers at one of two IP addresses: 220.127.116.11 or 18.104.22.168, RSA said. Gh0st RAT has been used in other nation-state attacks, and like other typical botnet malware can log keystrokes, remotely operate embedded webcams or microphones, search local files, run arbitrary code, and download and exfiltrate files.
RSA said the VOHO campaign was carried out in separate phases starting June 25. HTTP logs obtained by FirstWatch observed referral traffic to torontocurling.com, and exploits beginning July 9 against a vulnerability in Internet Explorer. These attacks continued for two days. Phase two began July 16 with exploits of a Java zero-day vulnerability, and ended July 18 when RSA said a server admin at the curling site took the server down for remediation.
Once a victim landed on one of the watering hole sites and was redirected, a chain of events kicked off in the background where the exploit determines if the visitor is running Windows and Internet Explorer and eventually compromises the browser and drops the Gh0st RAT malware via either a .CAB or .JAR file; RSA said this code was previously used in the 2009 Aurora attacks against Google Gmail accounts.
More than 32,000 visitors from 731 unique global organizations were redirected to the exploit site; almost 4,000 hosts downloaded exploit files for a 12 percent success rate; RSA said this indicates “a very successful campaign.” The Massachusetts regional bank was the top redirector by far, RSA said, and hosts from corporate networks and consumers suffered the largest number of compromises. Victims from financial services, state and federal government, utilities, defense industrial base and education domains represented a fraction of the compromises.
“As the political and governmental hub of the United States of America, wholesale compromise of computers in this area would provide a wealth of intelligence for adversaries interested in political process and government action,” RSA said in its report, adding that it is aware of at least 50 unique Gh0st networks. Gh0st source code is freely available online and attackers are able to constantly add new capabilities to the original code base.
“From an operational sense, having easy opportunity to modify source code allows a much more robust compromise, with decreased likelihood of attacker detection,” the report said.