Skip to content

T0817 Drive-by Compromise

Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user’s web browser is targeted and exploited simply by visiting the compromised website.

The adversary may target a specific community, such as trusted third party suppliers or other industry specific groups, which often visit the target website. This kind of targeted attack relies on a common interest, and is known as a strategic web compromise or watering hole attack.

The National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors. 1 Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure related trade publications and informational websites.

Item Value
ID T0817
Sub-techniques
Tactics TA0108
Platforms None
Version 1.0
Created 21 May 2020
Last Modified 09 March 2023

Procedure Examples

ID Name Description
G1000 ALLANITE ALLANITE leverages watering hole attacks to gain access into electric utilities. 4
S0606 Bad Rabbit Bad Rabbit ransomware spreads through drive-by attacks where insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actors infrastructure. 2
G0035 Dragonfly Dragonfly utilized watering hole attacks on energy sector websites by injecting a redirect iframe to deliver Backdoor.Oldrea or Trojan.Karagany. 5
G0049 OilRig OilRig has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks. 4
G0088 TEMP.Veles TEMP.Veles utilizes watering hole websites to target industrial employees. 3

Mitigations

ID Mitigation Description
M0948 Application Isolation and Sandboxing Built-in browser sandboxes and application isolation may be used to contain web-based malware.
M0950 Exploit Protection Utilize exploit protection to prevent activities which may be exploited through malicious web sites.
M0921 Restrict Web-Based Content Restrict browsers to limit the capabilities of malicious ads and Javascript.
M0951 Update Software Ensure all browsers and plugins are kept updated to help prevent the exploit phase of this technique. Use modern browsers with security features enabled.

Detection

ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0022 File File Creation
DS0029 Network Traffic Network Connection Creation
DS0009 Process Process Creation

References