Websites of governments, regulatory bodies and financial authorities are preferred targets for "watering hole" attacks on finance, investment and compliance professionals. These online resources make it easy for attackers to target their victims. How do such attacks work?
So-called watering hole (a.k.a. "water holing") attacks are probably the most economical of online exploits. Instead of identifying and tracking down individual targets one-by-one, the threat actors first research and identify a vulnerable website frequently sought out by key professionals in the targeted industry or organization.
In the second step, they install an exploit kit that may allow the attackers to target that site’s users even more selectively, for instance based on their IP address. Like lions hidden in the savannah grass, they then lie in wait.
Once their prey shows up at the "water hole", the victim’s locally installed browser takes care of the rest. Because the browser is designed to indiscriminately fetch and execute code from the web on the local machine, it will silently download the malware from the infected site.
This then allows the attackers to steal the visitor’s corporate network credentials and stage a lateral attack within the victim's organization, for instance by following up with pinpointed phishing emails to employees reporting to the victim.
The "watering hole" approach is a favorite of Russia-based and North Korean threat groups that have been focusing on targeting financial institutions for profit on a global scale. FireEye security researchers believe that one state-sponsored group from North Korea alone, known as APT38, carried out attacks against Vietnam TP Bank (December 2015), Bangladesh Bank (February 2016), Far Eastern International Bank in Taiwan (October 2017), Bancomext (January 2018), and Banco de Chile (May 2018).
Among the preferred targets for the watering hole attacks: BSA/AML (Bank Secrecy Act / Anti-Money-Laundering) analysts and compliance officers at banks, investment and wealth management companies, and other financial services firms. Why the focus on compliance professionals?
The reason is simple. Many AML and compliance teams still lack adequate protection against web-borne exploits when they go online. They conduct web research as part of their routine - during background checks, in-depth investigations, or to read regulatory updates.
This can lead to dangerous exposure of their organization’s IT infrastructure. When compliance specialists use a local browser, adversaries can easily identify the originating organization, and launch pinpointed malware and spyware attacks against the firm.
This is precisely what happened to financial institutions in more than 30 countries. They were targeted by attackers who compromised websites known to be frequented by banking compliance managers [PDF]. Through their browsers, the computers of those website visitors were infected with previously unknown malware.
A bank in Poland discovered it on its network and informed other institutions, who also confirmed infiltration by the same malware strain. Investigators later identified the "water hole" for this particular malware campaign, which took place over several months in 2016/2017, as the website of the Polish Financial Supervision Authority KNF, Poland’s financial regulator.
Users of the KNF website, including many AML and anti-fraud specialists from other EU countries and the U.S. obtaining regulatory updates, had been redirected to an exploit kit that was programmed to install malware on selected targets in the financial sector.
Another, more recent example of a successful watering hole attack is believed to be the work of the APT32 threat group, a.k.a. OceanLotus. This group specifically targets government and private sector systems in East Asia. One of its targets was ASEAN, the Association of Southeast Asian Nations, which coordinates economic, trade, and geopolitical activities of its member states in Asia.
OceanLotus targeted ASEAN employees and visitors by compromising the organization’s main asean.org domain and its subdomains. The affected subdomains were atr.asean.org (ASEAN trade repository) and investasean.asean.org (ASEAN Investment portal).
How do threat actors identify key subdomains to attack? They may have conducted a simple Shodan.io search for "asean.org". To this day, it reveals numerous subdomains that can potentially be compromised.
[Screenshot: Shodan search query for ASEAN backend]
This kind of compromise poses a particular risk to organizations that rely on URL filtering to decide whether a web resource is malicious: a trusted domain that has been compromised stays on the "good" list, and the web filter will not catch on unless the security vendor also performs a website integrity check.
Visitors of either the ASEAN subdomains or the main domain were all considered valuable targets (even though OceanLotus did incorporate a whitelist). One notable library OceanLotus used is fingerprintjs2, a library dedicated to creating unique hashes based on the visitor’s browser components. (You can see it put to benign use at sploit.io, a tool I’ve developed for spotting browser flaws and vulnerabilities.)
User-agent strings, screen resolutions, WebRTC IP addresses, language preference, cookie availability, operating system, processor architecture type: these were all vital pieces of information that OceanLotus collected to uniquely identify each visitor, behind the scenes, without visitors suspecting a thing.
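The two preceding paragraphs describe the two things a defender can actually look for on a watering-hole page: a script injected from a host the site never used before (the "website integrity check" a URL filter lacks), and inline code that reaches for the fingerprinting APIs listed above. The following Python is an added example written for this post, not code from the original article or from OceanLotus; the regulator host name, the allowed-host baseline and the sample HTML (including the `cdn.attacker-example.invalid` script) are constructed for the demo.

```python
"""Minimal website integrity check: flag unexpected third-party scripts and
fingerprinting API use in a page's HTML. Added example; sample data is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Browser properties the post names as fingerprint inputs, mapped to the JavaScript
# expressions that read them (plus the fingerprintjs2 constructor itself).
FINGERPRINT_PATTERNS = {
    "user-agent": r"navigator\.userAgent",
    "screen resolution": r"screen\.(width|height)",
    "WebRTC": r"RTCPeerConnection",
    "language": r"navigator\.language",
    "cookies": r"navigator\.cookieEnabled",
    "platform/architecture": r"navigator\.(platform|hardwareConcurrency)",
    "fingerprintjs2": r"Fingerprint2",
}


class ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self.inline.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data  # script bodies may arrive in several chunks


def audit_page(html, page_host, allowed_hosts):
    """Return scripts loaded from hosts outside the baseline and any fingerprinting
    APIs touched by inline code. Relative script URLs count as the page's own host."""
    collector = ScriptCollector()
    collector.feed(html)
    unknown = []
    for src in collector.external:
        host = urlparse(src).hostname or page_host
        if host not in allowed_hosts:
            unknown.append(src)
    apis = set()
    for body in collector.inline:
        for label, pattern in FINGERPRINT_PATTERNS.items():
            if re.search(pattern, body):
                apis.add(label)
    return {"unknown_scripts": unknown, "fingerprint_apis": sorted(apis)}


# Constructed sample: a regulator's page with one injected script tag and the
# inline profiling code it pulls in. The .invalid TLD can never resolve.
SAMPLE_HTML = """<html><head>
<script src="/static/site.js"></script>
<script src="https://cdn.attacker-example.invalid/fp2.min.js"></script>
<script>
  var fp = new Fingerprint2();
  var pc = new RTCPeerConnection({iceServers: []});
  var info = [navigator.userAgent, screen.width, navigator.language];
</script>
</head><body>Regulatory updates</body></html>"""


def demo():
    """Audit the constructed sample against a baseline that only trusts the site itself."""
    return audit_page(SAMPLE_HTML, "regulator.example", {"regulator.example"})


if __name__ == "__main__":
    print(demo())
```

Run this against a stored copy of each page your team visits routinely and diff the result against yesterday's: a new external host or a new fingerprinting API showing up on a regulator's "updates" page is exactly the change the KNF and ASEAN visitors had no way to see.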
With that much user data collected, the stage was set for visitor exploitation. OceanLotus used obscure Google sign-in popups layered on top of the original site’s content. The popup then forced the user to sign into Google, as the content the visitor was trying to access was supposedly "locked" until they signed in. This tricked visitors into giving up their Google credentials, providing OceanLotus OAuth access to read, write, send and delete emails.
Unlike fake "sign-in" pages, what was presented here was a legitimate Google sign-in page. The OceanLotus trick: it used a malicious application that had been registered with Google. The goal: to gain backdoor access to a visitor’s GMail account.
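Because the sign-in page itself is genuine, checking the address bar proves nothing here; what identifies the lure is the application asking for consent and the scopes it requests. The following Python is an added example written for this post, not code from the original article or from Google: it pulls `client_id`, `redirect_uri` and `scope` out of an OAuth consent URL and flags an unapproved application or a broad mailbox scope. The Gmail scope identifiers are real Google scopes; the client IDs, the approved list and the two sample URLs are constructed.

```python
"""Inspect an OAuth consent URL before a user approves it. Added example; the
approved client list and sample URLs are constructed for the demo."""
from urllib.parse import parse_qs, urlparse

# Real Gmail OAuth scopes that hand an application broad control over a mailbox.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full read, write, send and delete access to the mailbox",
    "https://www.googleapis.com/auth/gmail.modify": "read, modify and delete mail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/gmail.compose": "create and send drafts",
}

# Constructed: the applications your organisation has vetted for Google sign-in.
APPROVED_CLIENT_IDS = {"111-approved.apps.googleusercontent.com"}


def assess_consent_url(url, approved_client_ids):
    """Parse a consent URL and return the requesting app, its scopes and any findings."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    client_id = params.get("client_id", [""])[0]
    redirect_uri = params.get("redirect_uri", [""])[0]
    scopes = params.get("scope", [""])[0].split()  # scopes are space-separated
    findings = []
    if parsed.hostname != "accounts.google.com":
        findings.append(f"consent host is {parsed.hostname!r}, not accounts.google.com")
    if client_id not in approved_client_ids:
        findings.append(f"client_id {client_id!r} is not an approved application")
    for scope in scopes:
        if scope in HIGH_RISK_SCOPES:
            findings.append(f"scope {scope} grants {HIGH_RISK_SCOPES[scope]}")
    if redirect_uri and urlparse(redirect_uri).scheme != "https":
        findings.append(f"redirect_uri {redirect_uri!r} is not https")
    return {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scopes": scopes,
        "findings": findings,
        "risky": bool(findings),
    }


# Constructed lure: genuine Google host, unknown app, full-mailbox scope.
LURE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=12345-lure.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Flure.example%2Fcallback"
    "&response_type=code"
    "&scope=openid%20email%20https%3A%2F%2Fmail.google.com%2F"
)

# Constructed benign request: vetted app, identity scopes only.
BENIGN_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=111-approved.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fportal.example%2Fcallback"
    "&response_type=code"
    "&scope=openid%20email"
)


def demo_lure():
    return assess_consent_url(LURE_URL, APPROVED_CLIENT_IDS)


def demo_benign():
    return assess_consent_url(BENIGN_URL, APPROVED_CLIENT_IDS)


if __name__ == "__main__":
    for finding in demo_lure()["findings"]:
        print("LURE:", finding)
    print("benign risky?", demo_benign()["risky"])
```

The same check belongs in a periodic review of the third-party applications already authorised on staff Google accounts: a consent granted on a watering-hole page survives a password change, so the app, not the password, is what has to be revoked.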
To move laterally even further in the chain of compromise, OceanLotus also distributes malware through email messages (possibly using previously obtained com accounts) and/or through compromised websites in the form of malicious software updates. ESET analyzed one of the malware droppers belonging to OceanLotus, with the filename "RobototFontUpdate.exe" (Hash: fdcb35cd9cb8dc1474cbcdf1c9bb03200dcf3f18), which poses as an updater for the real Roboto font but in reality drops and executes a malicious payload on the victim’s machine.
As soon as the OceanLotus payload is executed, two things happen. First, it drops the original RobotoSlab.ttf (font file) into the %TEMP% directory, then executes shell code that executes the real dropper. Second, at the same time it writes the font file to %TEMP%, it executes an eraser program that erases the RobototFontUpdate.exe binary.
The real dropper then drops three files into a folder typically located at %APPDATA%\Symantec\Symantec Endpoint Protection\12.1.671.4971.104a\DeviceAssociationService\: "SysLog.bin" (the AES-encrypted payload/backdoor), Rastlsc.exe (a real, legitimate Symantec Network Access Control application) and rastls.dll (a malicious DLL created by OceanLotus).
The evasion technique used to bypass current AV products is a classic DLL side-load: the legitimate copy of Symantec’s Network Access Control application looks for a library called "rastls.dll" in its own directory. Rastlsc.exe loads whatever DLL is present with that filename and never verifies whether it is the legitimate library or not. The dropper supplies Rastlsc.exe with a malicious copy, so when the .exe binary is executed, the process is considered non-malicious. Most AV software wouldn’t suspect a thing.
Once executed, the DLL file decrypts the SysLog.bin file, which holds the shellcode for the backdoor, giving OceanLotus persistent access to the machine. All those steps equate to the final stage of full system compromise, allowing exfiltration of data, remote code execution, privilege escalation - all coordinated from OceanLotus’ C&C servers.
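The side-load described in the preceding paragraphs leaves a simple host artifact: a DLL that the executable loads by name from its own directory, sitting in a user-writable folder, whose hash does not match the vendor's genuine library. The following Python is an added example written for this post, not code from the original article, from ESET or from Symantec. It walks a directory tree, pairs every executable with the DLLs beside it and reports any DLL missing from a known-good hash baseline, flagging %APPDATA% locations. The folder path is the one the post gives; the baseline, the file contents and the temporary tree are constructed stand-ins (a real deployment would take the baseline from the vendor's signed package or an Authenticode check rather than from a dictionary).

```python
"""Find DLLs beside executables that do not match a vendor hash baseline.
Added example; the baseline and the demo file tree are constructed."""
import hashlib
import os
import tempfile

# Constructed vendor baseline: DLL name -> SHA-1 of the genuine library.
VENDOR_DLL_BYTES = b"constructed stand-in for the genuine vendor rastls.dll"
KNOWN_GOOD = {"rastls.dll": hashlib.sha1(VENDOR_DLL_BYTES).hexdigest()}

# Folder named in the post, relative to the user's profile (%APPDATA% = AppData\Roaming).
SIDELOAD_DIR = os.path.join(
    "AppData", "Roaming", "Symantec", "Symantec Endpoint Protection",
    "12.1.671.4971.104a", "DeviceAssociationService",
)


def sha1_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha1(fh.read()).hexdigest()


def find_sideload_candidates(root, known_good):
    """Report every DLL that shares a directory with an .exe and is not in the baseline."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        dlls = sorted(f for f in files if f.lower().endswith(".dll"))
        if not exes or not dlls:
            continue  # nothing here can be side-loaded
        user_writable = "appdata" in dirpath.lower()
        for dll in dlls:
            path = os.path.join(dirpath, dll)
            digest = sha1_of(path)
            if known_good.get(dll.lower()) == digest:
                continue  # genuine library
            findings.append({
                "exe": exes,
                "dll": path,
                "sha1": digest,
                "user_writable": user_writable,
                "reason": "DLL loaded by name from the executable's directory "
                          "does not match the vendor baseline",
            })
    return findings


def _write(dirpath, name, data):
    with open(os.path.join(dirpath, name), "wb") as fh:
        fh.write(data)


def build_demo_tree(base):
    """Constructed sample: one infected profile, one clean install."""
    bad = os.path.join(base, "victim", SIDELOAD_DIR)
    os.makedirs(bad)
    _write(bad, "rastlsc.exe", b"constructed stand-in for the legitimate signed executable")
    _write(bad, "rastls.dll", b"constructed stand-in for the attacker-supplied DLL")
    _write(bad, "SysLog.bin", b"constructed placeholder for the encrypted payload")
    good = os.path.join(base, "clean", "Program Files", "Vendor")
    os.makedirs(good)
    _write(good, "rastlsc.exe", b"constructed stand-in for the legitimate signed executable")
    _write(good, "rastls.dll", VENDOR_DLL_BYTES)
    return base


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return find_sideload_candidates(tmp, KNOWN_GOOD)


if __name__ == "__main__":
    for finding in demo():
        print(finding["dll"], "->", finding["reason"])
```

A process-creation or image-load telemetry rule expresses the same idea at runtime: a signed vendor executable loading an unsigned DLL from a path under the user profile is the event to alert on, whatever the DLL is called.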
...at least you can avoid becoming easy prey. All successful water-hole style attacks have two particular elements in common. The first is the attacker’s ability to "profile" their victims in advance. They use data shared on public (corporate) websites or social media platforms, as well as information leaked by the victim’s local browser (examples: IP, location, corporate network).
The second element is the victim’s use of a local browser to access the compromised "watering hole" website. This allows the group to execute its pinpointed attack on the prey’s machine and IT network in the first place. Without a regular browser on the other end that dutifully executes the malicious code dropped in from the compromised web server, the watering hole attack will go nowhere.
The main takeaway here for frequent users of at-risk websites should be clear: Keep the information you share online - about your company, your professional role and activities - to the necessary minimum. Related bonus tip: LinkedIn has become a favorite hunting ground for attackers to research groups they’re targeting.
Last but not least, ask your firm to replace your regular browser, the tool that is broadcasting to attackers lying in wait at the web "watering hole" that you are what they’ve been waiting for. Use a secure cloud browser instead.
Silo, delivered and managed as a service by Authentic8, is a cloud browser that provides complete anonymity to its users. Built fresh from a clean slate for each session, Silo doesn’t process any web content locally. Instead, only visual display information - a benign stream of pixels - reaches the endpoint, via a fast encrypted connection.
While all code from the web is isolated and rendered offsite, users get the same rich web experience they’ve come to expect from regular browsers. Watering hole attacks? With Silo, that’s just another scheme you don’t have to worry about anymore. Try it here.