Strategic web compromises in the Middle East with a pinch of Candiru
ESET researchers have discovered strategic web compromise (aka watering hole) attacks against high-profile websites in the Middle East
By Matthieu Faou
Back in 2018, ESET researchers developed a custom in-house system to uncover watering hole attacks (aka strategic web compromises) on high-profile websites. On July 11th, 2020 it notified us that the website of the Iranian embassy in Abu Dhabi had been modified and had started injecting JavaScript code from https://piwiks[.]com/reconnect.js.
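The article does not describe how ESET's in-house system works, so the following is an added example rather than ESET's code: a minimal monitor that extracts every external `<script src>` host from two snapshots of a page and alerts on any host that was not present in the baseline and is not on the site owner's allowlist. The two HTML snapshots, the `cdn.example-embassy.test` allowlist entry and all function names are constructed for this example; the injected tag reuses the defanged piwiks[.]com URL quoted above.

```python
"""Added example (not ESET's tooling): flag newly introduced third-party
<script src> hosts between a baseline and a current snapshot of a page."""
import re
from html.parser import HTMLParser

# Constructed sample snapshots of the same page. The injected tag mirrors the
# one described in the article; the hostname is kept defanged ("[.]") so the
# sample is not a live URL.
BASELINE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-embassy.test/jquery.min.js"></script>
</head><body><p>Hello</p></body></html>"""

CURRENT_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-embassy.test/jquery.min.js"></script>
<script src="https://piwiks[.]com/reconnect.js"></script>
</head><body><p>Hello</p></body></html>"""

# Hosts the site owner knowingly loads scripts from (constructed allowlist).
KNOWN_HOSTS = {"cdn.example-embassy.test"}

# Matches absolute ("https://host/...") and protocol-relative ("//host/...")
# URLs and captures the authority part. A hand-written regex is used instead
# of urllib.parse so that defanged hosts containing "[.]" are still accepted.
_HOST_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//([^/?#]+)", re.IGNORECASE)


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        for name, value in attrs:
            if name == "src" and value:
                self.sources.append(value.strip())


def script_sources(html):
    """Return the list of <script src> values in document order."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    return parser.sources


def script_host(src):
    """Lower-cased host of an absolute or protocol-relative script URL, or
    None for a same-origin (relative) path. Userinfo and port are dropped."""
    match = _HOST_RE.match(src)
    if not match:
        return None
    host = match.group(1).lower()
    if "@" in host:
        host = host.rsplit("@", 1)[1]
    return re.sub(r":\d+$", "", host)


def third_party_hosts(html):
    """Set of hosts from which the page loads scripts (relative paths ignored)."""
    return {h for h in (script_host(s) for s in script_sources(html)) if h}


def new_script_hosts(baseline_html, current_html, known_hosts=frozenset()):
    """Hosts serving scripts in the current snapshot that appear neither in
    the baseline snapshot nor on the allowlist; each one is an alert."""
    expected = third_party_hosts(baseline_html) | set(known_hosts)
    return sorted(third_party_hosts(current_html) - expected)


if __name__ == "__main__":
    for host in new_script_hosts(BASELINE_HTML, CURRENT_HTML, KNOWN_HOSTS):
        print(f"ALERT: page now loads a script from previously unseen host {host}")
```

Run against the constructed snapshots it reports exactly one alert, for `piwiks[.]com`. In practice the baseline would be the last reviewed crawl of each monitored page; comparing hosts rather than raw HTML keeps routine content edits from triggering alerts while still catching an injected external script tag.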
Our curiosity was aroused by the nature of the targeted website and in the following weeks we noticed that other websites with connections to the Middle East started to be targeted. We traced the start of the campaign back to March 2020, when the piwiks[.]com domain was re-registered. We believe that the strategic web compromises only started in April 2020 when the website of the Middle East Eye (middleeasteye.net), a London-based digital news site covering the region, started to inject code from the piwiks[.]com domain.
At the end of July or the beginning of August 2020, all remaining compromised websites were cleaned; it is probable that the attackers themselves removed the malicious scripts from the compromised websites. The threat group went quiet until January 2021, when we observed a new wave of compromises. This second wave lasted until August 2021, when all websites were cleaned again. A few indicators from this second wave were shared on Twitter by a fellow researcher, which allows us to make a link with what Kaspersky tracks as Karkadann.
We detail the inner workings of the compromises in the Technical analysis section, below, but it is worth noting that the final targets are specific visitors of those websites, who are likely to receive a browser exploit. The compromised websites are only used as a hop to reach the final targets.
We also uncovered interesting links with Candiru, detailed in the section Links between the watering holes, spearphishing documents and Candiru. Candiru is a private Israeli spyware firm that was recently added to the Entity List (entities subject to licensing restrictions) of the US Department of Commerce. This may prevent any US‑based organization from doing business with Candiru without first obtaining a license from the Department of Commerce.
Read the complete article on https://welivesecurity.com