Ten compromised websites have been abused in the operation
Security researchers from Cisco have identified a watering hole campaign targeting various energy and oil sector companies. Experts have spotted several compromised domains that serve a purpose in the attacks. Some are designed to redirect visitors, while others act as a malware host.The impacted organizations are an oil and gas exploration firm that does business in Brazil, Morocco, and other African countries; a natural gas power station in the UK; a hydroelectric plants company with facilities in Bulgaria and the Czech Republic; and a France-based gas distributor.
A supplier to nuclear, energy and aerospace industries, and investment and capital companies that specialize in the energy sector are also among the targets.
An analysis of the compromised domains has revealed that the attackers have injected malicious iframes into ten websites. Six of them are hosted on the same server. Additionally, three of the six websites are owned by the same organization.
“This is likely indication the sites were compromised via stolen login credentials, possibly a result of infection with the design firm or their hosting provider,” Cisco’s Emmanuel Tacheau noted in a blog post.
The iframes have been injected in multiple pages on each hacked website. Experts found that most of the visitors of these sites came from the banking and finance sector, followed by energy, oil and gas sector.
The iframes are designed to load exploit code and malware hosted on one of three compromised domains set up especially for this purpose.
The malware is pushed via vulnerabilities in Oracle Java SE 7 update 4, Microsoft Internet Explorer 8, and Firefox and Thunderbird.
Cisco is still analyzing the malware, but experts say the cybercriminals have made a number of changes to the iframes, the exploit code and the malware binary during the attack.