14 DAY TRIAL // A watering-hole attack has been discovered to be orchestrated by a cyber-espionage group that targets individuals connected to the military sector; victims are redirected from the website of a major banking institution to defense-related domain names hosting an exploit kit.
The group, dubbed Sednit by the security researchers at ESET, is known for having conducted email-based targeted attacks in the past, using the spear-phishing technique. The emails sent to the victims had an attachment with a malicious Microsoft Word document and exploited a zero-day vulnerability in the software to deliver a piece of malware.
Sednit ditches targeted attacks
Recent observations from the security researchers showed that the group added an iframe into the websites of a large financial institution in Poland, which was used to load the exploit kit.
Another iframe is also present, whose functionality seems to be only to gather statistics about the number of redirections performed.
In a blog post describing the new method used by the Sednit group, ESET researchers explain that the iframe loads the exploit from “a legitimate website that describes itself as ‘an authoritative news source for high quality and exclusive commentary and analysis on global defense and military-related topics;’” the website is defenceiq.us.
By performing a redirect from the bank’s website to a domain linked to the military defense industry, the threat actors switched from a targeted attack to a watering-hole one that aims at a larger number of victims, ESET says.
However, they believe that this is "probably due to the mixing of two ongoing campaigns."
Sedkit is the name, Internet Explorer is the game
The exploit kit has been named Sedkit, after the name of the group, and it’s not too different from other, more frequently used ones, like Angler or Nuclear.
If the versions of the plug-ins installed in the web browser are vulnerable, the kit redirects to a URL containing an exploit.
Researchers found that three exploits are used, all targeting Internet Explorer (version 8 and 11).
According to the security experts, one of the exploits, CVE-2014-1776 - a use-after-free vulnerability affecting IE 6 through 11 in IE 11, has not been seen in any other popular kits, while the other two enjoy limited adoption.
An analysis of Sedkit leads to the conclusion that the exploit kit is still under development and is currently used only for testing.
“Unlike most contemporary exploit kits, it does not use JavaScript obfuscation. We even found comments in the JavaScript code related to the exploits’ ROP chains. This leads us to believe that the kit is still in its testing phase,” say the researchers.
Watering-hole attacks have become the preferred method for cyber-espionage activities, mainly because the threat actors can compromise the computers of multiple individuals related to a particular industry and extract information from all of them.