Beginning in early May, Cisco TRAC has observed a number of malicious redirects that appear to be part of a watering-hole style attack targeting the Energy & Oil sector. The structure consists of several compromised domains, of which some play the role of redirector and others the role of malware host.
Observed watering-hole style domains containing the malicious iframe have included:
- An oil and gas exploration firm with operations in Africa, Morocco, and Brazil;
- A company that owns multiple hydro electric plants throughout the Czech Republic and Bulgaria;
- A natural gas power station in the UK;
- A gas distributor located in France;
- An industrial supplier to the energy, nuclear and aerospace industries;
- Various investment and capital firms that specialize in the energy sector.
Encounters with the iframe-injected web pages resulted from either direct browsing to the compromised sites or via seemingly legitimate and innocuous searches. This is consistent with the premise of a watering-hole style attack that deliberately compromises websites likely to draw the intended targets, versus spear phishing or other means to entice the intended targets through illicit means.
Read More »
“Watering Hole” attacks, as evidenced by the recent attack involving the U.S. Department of Labor, are becoming increasingly popular as alternatives to attacks such as Spear Phishing. In a “Watering Hole” attack, the attacker compromises a site likely to be visited by a particular target group, rather than attacking the target group directly. Eventually, someone from the targeted group visits the “trusted” site (A.K.A. the “Watering Hole”) and becomes compromised.
Cisco identified suspicious GET requests made to the www.sellagreement.com, a malicious site which was recently linked with the Department of Labor attack. According to the evidence we have, the sites www.kforce.com and www.sbc.net were among those compromised during this attack. The webpages that were serving malicious content from these sites were mostly job-search related, but several requests to www.sellagreement.com lacked a “Referrer:” HTTP header entirely. Read More »