Oil and Energy Companies Targeted with Watering Hole Assaults, finds Cisco
Security investigators at Cisco the security company recently spotted one watering-hole attack that had been targeting different organizations in the oil and energy industry. They (investigators) found a number of compromised websites, some of which diverted visitors whilst the remaining hosted and delivered malware.
Companies, which were affected, included one exploration firm for natural gas and oil doing business at different African countries, particularly Morocco, and Brazil; one UK-based gas power plant; one hydroelectric plant serving Czechoslovakia and Bulgaria; as well as a gas supplier in France.
Other targets were certain distributor facilitating aerospace, energy and nuclear industries, along with capital and investment firms, which dealt within the energy industry.
A detailed study of the hijacked websites showed that malicious iFrames were inserted into them. While a common server was used for 6 websites among the total, yet 3 of those had the same company owning them.
According to Emmanuel Tacheau, Researcher at Cisco, people stumbled upon the iFrame-inserted sites when they either directly accessed the hijacked websites alternatively got apparently lawful as also harmless search results that they tried. Tripwire.com published this dated September 19, 2013.
Tacheau further analyzes that the development matches any watering-hole natured assault in which websites are purposefully hijacked for trapping desired targets as opposed to spear phishing alternatively yet more methods for luring desired targets via illegitimate ways.
Cisco notes that the iFrame-inserted hijacked websites, which served malware and/or attack codes, are: nahoonservices[.]com, kenzhebek[.]com and keeleux[.]com.
In particular, the attack codes abused a Java security flaw namely CVE-2012-1723 else an IE 8 vulnerability called CVE-2013-1347. Another attack code abused a Firefox vulnerability called CVE-2013-1690.
Alongside these, according to Cisco, the malware served happens to be a Trojan, which seized keyboard and clipboard data as also system configurations. Further it performed an encrypted linkage with one Greece-situated command-and-control (C&C) web-server. The security company notes that every contaminated website had been notified so the majority could be sanitized.
In conclusion Tacheau says end-users can remain safeguarded from the current assaults, if they maintain their computers as well as browsers wholly upgraded with security patches, and thereby limit exploit-prone vulnerabilities.
» SPAMfighter News - 28-09-2013