T0817 Drive-by Compromise
Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user’s web browser is targeted and exploited simply by visiting the compromised website.
The adversary may target a specific community, such as trusted third-party suppliers or other industry-specific groups, which often visit the target website. This kind of targeted attack relies on a common interest and is known as a strategic web compromise or watering hole attack.
The National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors.[1] Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure related trade publications and informational websites.
| Item | Value |
|---|---|
| ID | T0817 |
| Sub-techniques | |
| Tactics | TA0108 |
| Platforms | None |
| Version | 1.0 |
| Created | 21 May 2020 |
| Last Modified | 09 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G1000 | ALLANITE | ALLANITE leverages watering hole attacks to gain access into electric utilities.[4] |
| S0606 | Bad Rabbit | Bad Rabbit ransomware spreads through drive-by attacks where insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is downloaded from the threat actors' infrastructure.[2] |
| G0035 | Dragonfly | Dragonfly utilized watering hole attacks on energy sector websites by injecting a redirect iframe to deliver Backdoor.Oldrea or Trojan.Karagany.[5] |
| G0049 | OilRig | OilRig has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks.[4] |
| G0088 | TEMP.Veles | TEMP.Veles utilizes watering hole websites to target industrial employees.[3] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M0948 | Application Isolation and Sandboxing | Built-in browser sandboxes and application isolation may be used to contain web-based malware. |
| M0950 | Exploit Protection | Utilize exploit protection to prevent activities which may be exploited through malicious web sites. |
| M0921 | Restrict Web-Based Content | Restrict browsers to limit the capabilities of malicious ads and JavaScript. |
| M0951 | Update Software | Ensure all browsers and plugins are kept updated to help prevent the exploit phase of this technique. Use modern browsers with security features enabled. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0015 | Application Log | Application Log Content |
| DS0022 | File | File Creation |
| DS0029 | Network Traffic | Network Connection Creation |
| DS0009 | Process | Process Creation |
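As an added example (not part of the ATT&CK page), the following Python correlates the data components listed above: a browser's outbound Network Connection Creation followed within a short window by a File Creation of an executable or a Process Creation of a shell-like child under the same browser. The event schema, field names, browser and child-process lists, and the sample telemetry are constructed assumptions, not any vendor's format.

```python
"""Added example: correlate browser telemetry into drive-by compromise alerts.
Event schema, process lists and sample data are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe", "wscript.exe"}
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".hta")


@dataclass
class Event:
    ts: datetime
    kind: str      # "net_conn", "file_create" or "proc_create"
    process: str   # image name of the process performing the action
    detail: str    # remote host, created file path, or child image name


def detect_drive_by(events, window=timedelta(minutes=5)):
    """Return (process, kind, detail, last_remote_host) tuples for each browser
    event that dropped an executable or spawned a shell-like child within
    `window` after that browser opened an outbound network connection."""
    alerts = []
    conns = [e for e in events if e.kind == "net_conn" and e.process in BROWSERS]
    for e in events:
        if e.process not in BROWSERS:
            continue
        dropped = e.kind == "file_create" and e.detail.lower().endswith(EXEC_SUFFIXES)
        spawned = e.kind == "proc_create" and e.detail.lower() in SUSPICIOUS_CHILDREN
        if not (dropped or spawned):
            continue
        # Only connections that precede this event by at most `window` count.
        prior = [c for c in conns if timedelta(0) <= e.ts - c.ts <= window]
        if prior:
            alerts.append((e.process, e.kind, e.detail, prior[-1].detail))
    return alerts


# Constructed sample telemetry: a browsing session that ends in a dropper.
T = datetime(2023, 3, 9, 10, 0)
SAMPLE = [
    Event(T, "net_conn", "chrome.exe", "trade-news.example"),
    Event(T + timedelta(seconds=2), "net_conn", "chrome.exe", "cdn-redirect.example"),
    Event(T + timedelta(seconds=20), "file_create", "chrome.exe", r"C:\Users\u\AppData\Local\Temp\update.exe"),
    Event(T + timedelta(seconds=25), "proc_create", "chrome.exe", "powershell.exe"),
    Event(T + timedelta(minutes=30), "file_create", "chrome.exe", r"C:\Users\u\Downloads\report.pdf"),
    Event(T + timedelta(hours=1), "proc_create", "explorer.exe", "cmd.exe"),
]

if __name__ == "__main__":
    for alert in detect_drive_by(SAMPLE):
        print(alert)
```

The PDF download and the explorer-spawned cmd.exe are left unflagged on purpose: the first is not executable and the second has no browser parent, which keeps the rule focused on the browser-exploitation path this technique describes.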
References
1. Cybersecurity & Infrastructure Security Agency. (2018, March 15). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved 2019/10/11.
2. Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov. (2017, October 27). Bad Rabbit Ransomware. Retrieved 2019/10/27.
3. Chris Bing. (2018, May 24). Trisis masterminds have expanded operations to target U.S. industrial firms. Retrieved 2020/01/03.
4. Eduard Kovacs. (2018, May 10). ‘Allanite’ Group Targets ICS Networks at Electric Utilities in US, UK. Retrieved 2020/01/03.
5. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved 2016/04/08.