Industrial software website used in watering hole attack


Criminals are pushing a reconnaissance toolkit instead of malware

AlienVault Labs has discovered a watering hole attack that's using a framework developed for reconnaissance as the primary infection vector.

The criminals responsible for the incident compromised an unnamed industrial software firm's website, suggesting the potential for future attacks against several industries.

The unnamed victim produces software used for simulation and system engineering for a wide range of industries, AlienVault said, including automotive, aerospace, and manufacturing.

The attack starts on the compromised firm's website, where a malicious JavaScript file is loaded from a remote server. Unlike most watering hole incidents, where the visitor is infected with malware, this attack delivers a framework called Scanbox.

Scanbox collects data from the victim and delivers it to the command and control server.

Using plug-ins, the framework has the ability to detect dozens of third-party software installations, including browsers, instant messengers, remote access software, business software, and security software. Finally, keylogging is used to capture data periodically, as well as when information is submitted by the victim to the compromised website.

This isn't the first time such techniques have been seen in the wild. AlienVault noticed this type of reconnaissance in July after observing a number of attackers.

"This is a very powerful framework that gives attackers a lot of insight into the potential targets that will help them launch future attacks against them," commented AlienVault's Jaime Blasco.

"We have also seen several Metasploit-produced exploits that target different versions of Java in the same IP address that hosts the Scanbox framework."

For now, AlienVault suggests that administrators watch for traffic from mail.webmailgoogle.com and js.webmailgoogle.com, as those are indicators of this attack in action.

The IP address that is hosting the command and control server is 122.10.9.109; it's assigned to a data center in Hong Kong.
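As an added example (not part of the original article or of AlienVault's tooling), a small routine that checks proxy log lines for the indicators named above, the two webmailgoogle.com hostnames and the command and control address 122.10.9.109, and reports which internal clients contacted them. The log format and the sample lines are constructed; adapt the parsing to your own proxy or DNS logs.

```python
import re
from collections import defaultdict

# Indicators named in the AlienVault report as quoted in the article.
SCANBOX_DOMAINS = {"mail.webmailgoogle.com", "js.webmailgoogle.com"}
SCANBOX_C2_IPS = {"122.10.9.109"}

# Constructed sample log lines in a simplified proxy format:
#   <timestamp> <client_ip> <method> <url> <status>
# Client addresses, timestamps and URL paths are made up for the example.
SAMPLE_PROXY_LOG = """\
2014-09-05T10:01:12Z 10.0.4.21 GET http://vendor-site.example/index.html 200
2014-09-05T10:01:13Z 10.0.4.21 GET http://js.webmailgoogle.com/ 200
2014-09-05T10:01:20Z 10.0.4.21 POST http://mail.webmailgoogle.com/ 200
2014-09-05T10:02:44Z 10.0.7.8 GET http://122.10.9.109/ 200
2014-09-05T10:03:01Z 10.0.9.3 GET http://mail.google.com/ 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)")


def extract_host(url):
    """Return the lowercased host part of a URL, or None if it has no scheme."""
    m = HOST_RE.match(url)
    return m.group(1).lower() if m else None


def find_scanbox_contacts(log_text):
    """Map client_ip -> [(timestamp, matched_indicator, url), ...] for every
    log line whose destination host exactly matches a Scanbox indicator."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        host = extract_host(m.group("url"))
        if host in SCANBOX_DOMAINS or host in SCANBOX_C2_IPS:
            hits[m.group("client")].append((m.group("ts"), host, m.group("url")))
    return dict(hits)


if __name__ == "__main__":
    for client, contacts in find_scanbox_contacts(SAMPLE_PROXY_LOG).items():
        print(client, "->", ", ".join(f"{ts} {host}" for ts, host, _ in contacts))
```

Matching is on the exact hostnames and address the article lists; the look-alike `mail.google.com` in the sample is deliberately not flagged.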

This story, "Industrial software website used in watering hole attack," was originally published by CSO.
