T1456 Drive-By Compromise
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user’s web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring an Application Access Token.
Multiple ways of delivering exploit code to a browser exist, including:
- A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.
- Malicious ads are paid for and served through legitimate ad providers.
- Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).
Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to as a strategic web compromise or watering hole attack. There are several known examples of this occurring.[1]
Typical drive-by compromise process:
- A user visits a website that is used to host the adversary controlled content.
- Scripts automatically execute, typically checking the versions of the browser and its plugins for a potentially vulnerable version.
- The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.
- Upon finding a vulnerable version, exploit code is delivered to the browser.
- If exploitation is successful, then it will give the adversary code execution on the user’s system unless other protections are in place.
- In some cases a second visit to the website after the initial scan is required before exploit code is delivered.
| Item | Value |
|---|---|
| ID | T1456 |
| Sub-techniques | |
| Tactics | TA0027 |
| Platforms | Android, iOS |
| Version | 2.1 |
| Created | 25 October 2017 |
| Last Modified | 20 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0463 | INSOMNIA | INSOMNIA has utilized malicious JavaScript and iframes to exploit WebKit running on vulnerable iOS 12 devices.[3] |
| S0289 | Pegasus for iOS | Pegasus for iOS was distributed through a web site by exploiting vulnerabilities in the Safari web browser on iOS devices.[2] |
| S0328 | Stealth Mango | Stealth Mango is delivered via a watering hole website that mimics the third-party Android app store APKMonk. In at least one case, the watering hole URL was distributed through Facebook Messenger.[1] |
| S0311 | YiSpecter | YiSpecter is believed to have initially infected devices using internet traffic hijacking to generate abnormal popups.[4] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1001 | Security Updates | Security updates frequently contain patches for known exploits. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0013 | Sensor Health | Host Status |
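One concrete way to act on the Host Status data source and the Security Updates mitigation above, as an added example that is not part of the ATT&CK page: a check that reads a mobile device inventory (as exported by an MDM) and flags devices whose OS version is below the organisation's patch baseline, so that devices still exposed to known browser exploit chains are surfaced. The inventory rows and the baseline versions are constructed placeholders, not vendor patch data.

```python
"""Host Status check: flag managed mobile devices below a patch baseline.
Added example, not from ATT&CK; inventory rows and baselines are constructed."""
from typing import Dict, List, Tuple

# Constructed policy: the lowest OS version the organisation treats as patched
# against the browser/WebKit exploit chains it tracks (placeholder values).
MIN_PATCHED = {"ios": "16.3", "android": "13"}

# Constructed MDM inventory export, the kind of Host Status data DS0013 refers to.
SAMPLE_INVENTORY = [
    {"device": "ipad-001", "platform": "iOS", "os_version": "12.4.1"},
    {"device": "iphone-002", "platform": "iOS", "os_version": "16.10"},
    {"device": "pixel-003", "platform": "Android", "os_version": "12"},
    {"device": "pixel-004", "platform": "Android", "os_version": "14.0.1"},
    {"device": "tablet-005", "platform": "HarmonyOS", "os_version": "3.0"},
]

def parse_version(version: str) -> Tuple[int, ...]:
    """'16.10' -> (16, 10): numeric parts, so '16.10' sorts after '16.3'."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def version_lt(a: str, b: str) -> bool:
    """True if a < b; zero-pads so that '13' and '13.0' compare equal."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))

def audit_inventory(inventory: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Split devices into those below baseline and those with no baseline defined."""
    outdated, unknown = [], []
    for row in inventory:
        baseline = MIN_PATCHED.get(row["platform"].lower())
        if baseline is None:
            unknown.append(row)  # no policy for this platform: surface, do not silently pass
        elif version_lt(row["os_version"], baseline):
            outdated.append(row)
    return {"outdated": outdated, "unknown_platform": unknown}

if __name__ == "__main__":
    for status, rows in audit_inventory(SAMPLE_INVENTORY).items():
        for row in rows:
            print(f"{status}: {row['device']} {row['platform']} {row['os_version']}")
```

Devices listed under `unknown_platform` need a baseline added to the policy rather than being ignored, since an unmanaged platform is exactly where an unpatched browser is most likely to sit.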
References
1. Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.
2. Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.
3. A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020.
4. Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.