Menu
Reconnaissance code on industrial software site points to watering hole attack

Reconnaissance code on industrial software site points to watering hole attack

Attackers are using a sophisticated Web-based tool to gather information on potential targets, researchers from AlienVault said

Attackers have rigged the website of an industrial software firm with a sophisticated reconnaissance tool, possibly in preparation for attacks against companies from several industries.

The incident was detected last week by researchers from security firm AlienVault who found rogue code injected into the website of a big industrial company that wasn't named. "The website is related to software used for simulation and system engineering in a wide range of industries, including automotive, aerospace, and manufacturing," said Jaime Blasco, director of the AlienVault Labs in a blog post.

Unlike most watering hole attacks where hackers inject malware-carrying exploits into websites visited by their intended targets, the purpose of this attack was only to gain detailed information about visiting computers.

The rogue code injected into the compromised site loaded a JavaScript file from a remote server that was actually a reconnaissance framework dubbed Scanbox, Blasco said. In addition to collecting basic information like the browser type, computer IP (Internet Protocol) address, operating system and language, this tool uses advanced techniques to detect which security programs are installed on the visitor's system, he said.

According to the AlienVault analysis, Scanbox also tests if the computer uses Microsoft's Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool and enumerates the locally installed versions of Adobe Flash, Microsoft Office, Acrobat Reader and Java -- programs that are frequently targeted with Web-based exploits to install malware.

Some of the techniques used by Scanbox have been observed by the AlienVault researchers in other watering hole campaigns this year.

In this recent attack, the framework also deployed a JavaScript-based keylogger on the compromised site that recorded all keystrokes typed visitors, including passwords and other sensitive data entered into Web forms, Blasco said. "This is a very powerful framework that gives attackers a lot of insight into the potential targets that will help them launching future attacks against them."

Attacks might already be happening, as the AlienVault researchers found evidence that the server hosting the Scanbox framework was also used to serve Java exploits. Their blog post contains domain names and IP addresses that companies should search for in their traffic logs to determine if they've been targeted.


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags AlienVaultsecurityDesktop securityspywaremalware

Featured

Slideshows

Sizing up the NZ security spectrum - Where's the channel sweet spot?

Sizing up the NZ security spectrum - Where's the channel sweet spot?

From new extortion schemes, outside threats and rising cyber attacks, the art of securing the enterprise has seldom been so complex or challenging. With distance no longer a viable defence, Kiwi businesses are fighting to stay ahead of the security curve. In total, 28 per cent of local businesses faced a cyber attack last year, with the number in New Zealand set to rise in 2017. Yet amidst the sensationalism, media headlines and ongoing high profile breaches, confusion floods the channel, as partners seek strategic methods to combat rising sophistication from attackers. In sizing up the security spectrum, this Reseller News roundtable - in association with F5 Networks, Kaspersky Lab, Tech Data, Sophos and SonicWall - assessed where the channel sweet spot is within the New Zealand channel. Photos by Maria Stefina.

Sizing up the NZ security spectrum - Where's the channel sweet spot?
Kiwi channel comes together for another round of After Hours

Kiwi channel comes together for another round of After Hours

The channel came together for another round of After Hours, with a bumper crowd of distributors, vendors and partners descending on The Jefferson in Auckland. Photos by Maria Stefina.​

Kiwi channel comes together for another round of After Hours
Consegna comes to town with AWS cloud offerings launch in Auckland

Consegna comes to town with AWS cloud offerings launch in Auckland

Emerging start-up Consegna has officially launched its cloud offerings in the New Zealand market, through a kick-off event held at Seafarers Building in Auckland.​ Founded in June 2016, the Auckland-based business is backed by AWS and supported by a global team of cloud specialists, leveraging global managed services partnerships with Rackspace locally.

Consegna comes to town with AWS cloud offerings launch in Auckland
Show Comments