Watering Hole Attack Targets Shipping And Logistics Firms

ClearSky researchers have identified eight “watering hole” sites infected using a common JavaScript technique. All eight belong to Israeli shipping and logistics companies, and the compromises are believed to be the work of Iranian actors, raising concerns for companies operating in this sector.

“In watering hole attacks, the attacker compromises a website that is frequently visited by a specific group of people, such as government officials, journalists, or corporate executives,” reads the company advisory. “Once compromised, the attacker can inject malicious code into the website, which will be executed when users visit it. Currently, the campaign focuses on shipping and logistics companies, aligning with Iran’s focus on the sector for the past three years.”

The watering hole attacks shared the following characteristics:

  • C2 Attribution – The domain jquery-stack[.]online is attributed to TA456 (Tortoiseshell).
  • Known Iranian TTP – Watering hole attacks have been part of the initial access stage used by Iranian threat actors since 2017 [1]. This initial access technique was also mentioned by Mandiant [2] in August 2022, where an Iranian threat actor named UNC3890 was targeting shipping companies in Israel using the same watering hole attack. In the current attack, visiting user data is collected and sent to the attacker’s C2 server.
  • Usage of “jQuery” – Our team observed four domains impersonating jQuery, a legitimate JavaScript framework, by using “jQuery” in their domain names. This is done to deceive anyone who checks the website code.
  • Usage of open source tools – Use of open-source penetration test tools that focus on web browsers. The attacker used code taken partly from the Metasploit framework [3], with a few added unique strings. According to one of the victims, the JavaScript found in this research is unknown to them, indicating that the script is malicious.
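One way a site owner can check their own pages for the lookalike-jQuery script loads described above: list every third-party script source and flag hosts that contain “jquery” but are not a recognised jQuery CDN, plus the C2 domain ClearSky names. This is an added example, not code from ClearSky or this blog; the allow-list of legitimate jQuery hosts, the sample HTML and the .example domains are assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Hosts that legitimately serve jQuery (assumption: a site owner's allow-list;
# code.jquery.com is the official CDN, the other two are widely used mirrors).
LEGIT_JQUERY_HOSTS = {"code.jquery.com", "ajax.googleapis.com", "cdnjs.cloudflare.com"}

# The C2 domain named in the ClearSky advisory (published defanged as jquery-stack[.]online).
KNOWN_BAD_HOSTS = {"jquery-stack.online"}

# Captures the src attribute of every <script> tag, double- or single-quoted.
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)


def script_host(src: str, page_host: str) -> Optional[str]:
    """Host a script is loaded from; relative URLs resolve to the page's own host."""
    src = src.strip()
    if src.startswith("//"):          # protocol-relative URL inherits the page scheme
        src = "https:" + src
    parsed = urlparse(src)
    if parsed.scheme in ("http", "https"):
        return parsed.hostname.lower() if parsed.hostname else None
    return page_host.lower()          # no scheme: first-party path


def find_suspicious_scripts(html: str, page_host: str) -> List[Tuple[str, str, str]]:
    """Return (reason, host, src) for third-party script loads worth a closer look."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = script_host(src, page_host)
        if host is None or host == page_host.lower():
            continue                  # first-party script: outside this check's scope
        if host in KNOWN_BAD_HOSTS:
            findings.append(("known-c2-domain", host, src))
        elif "jquery" in host and host not in LEGIT_JQUERY_HOSTS:
            findings.append(("jquery-lookalike-host", host, src))
    return findings


# Constructed sample page: a first-party script, a genuine jQuery CDN load, the
# advisory's C2 domain, and a made-up lookalike under the reserved .example TLD.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script src="//jquery-stack.online/jquery.min.js"></script>
<script type="text/javascript" src='https://cdn.jquery-update.example/jquery-ui.js'></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for reason, host, src in find_suspicious_scripts(SAMPLE_HTML, "www.shipping-firm.example"):
        print(f"{reason}: {host} <- {src}")
```

Running the check against live HTML rather than the sample (for instance from a periodic crawl of your own site) turns it into a simple integrity monitor for injected script tags.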

I have two perspectives on this. The first is from Mark Bermingham, VP, Cyware:

“Watering Hole Attacks, especially those with some track record, can often be avoided through a combination of threat intel, to identify the threat, and orchestration, to automate action to prevent the site from being reached.”

Dave Ratner, CEO, HYAS adds this comment:

“Having visibility into adversary infrastructure and command-and-control (C2) structures is critical for a modern cyber security stack, but as ClearSky points out, C2 infrastructure may not always be created by the adversary. This is why more than pure allow-and-deny lists and feeds are required. It’s important to understand in real-time what is and isn’t being utilized by malicious actors, and how that changes.”

Clearly the bad guys are getting very sophisticated. That means those who defend against these sorts of attacks need to up their game, as it were. That’s the only way to keep the bad guys out, and the bad press out of the headlines.
