Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring an Application Access Token.
Multiple ways of delivering exploit code to a browser exist, including:
Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to as a strategic web compromise or watering hole attack. There are several known examples of this occurring.[1]
Typical drive-by compromise process:
Unlike Exploit Public-Facing Application, the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.
Adversaries may also use compromised websites to deliver a user to a malicious application designed to Steal Application Access Tokens, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.[2] (Reference [2] includes a screenshot of such a popup.)
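Several of the delivery methods described above (JavaScript injected into the page body, hidden iframes, third-party loader scripts) leave traces in the compromised site's own HTML, so a site owner can check their pages for them. The scanner below is an added example, not part of the ATT&CK entry or any referenced report; the site hostname, the sample page and the obfuscation markers are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Markers frequently seen in obfuscated loaders injected into compromised pages (assumed list).
OBFUSCATION_MARKERS = ("eval(unescape(", "string.fromcharcode(", "document.write(unescape(")

class InjectionScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []          # list of (finding_kind, detail)
        self._in_script = False

    def _is_foreign(self, url):
        # True for absolute or scheme-relative URLs that point off the site's own host.
        host = (urlparse(url).hostname or "").lower()
        return bool(host) and host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or any(s in style for s in ("display:none", "visibility:hidden", "left:-", "top:-")):
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script = True
            if a.get("src") and self._is_foreign(a["src"]):
                self.findings.append(("foreign_script", a["src"]))

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        # Inline script bodies arrive here while _in_script is set.
        if self._in_script and any(m in data.lower() for m in OBFUSCATION_MARKERS):
            self.findings.append(("obfuscated_inline_script", data.strip()[:40]))

def scan_html(html, site_host):
    p = InjectionScanner(site_host)
    p.feed(html)
    p.close()
    return p.findings   # findings in document order

# Constructed sample page (not a real site): a legitimate first-party script, an injected
# 1x1 hidden iframe, a third-party loader and an obfuscated inline snippet.
SAMPLE_HTML = """<html><body><script src="/js/app.js"></script>
<iframe src="http://cdn-static.example.net/a.php" width="1" height="1" style="display:none"></iframe>
<script src="//stats.example.net/loader.js"></script>
<script>document.write(unescape('%3Cscript%20src%3D%22http%3A//x%22%3E%3C/script%3E'));</script>
</body></html>"""
```

Run `scan_html(SAMPLE_HTML, "www.example.com")` to see the three findings; first-party scripts on subdomains of the site host are deliberately not flagged.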
ID | Name | Description |
---|---|---|
G0138 | Andariel | Andariel has used watering hole attacks, often with zero-day exploits, to gain initial access to victims within a specific IP range.[3][4] |
G0073 | APT19 | APT19 performed a watering hole attack on forbes.com in 2014 to compromise targets.[5] |
G0007 | APT28 | APT28 has compromised targets via strategic web compromise utilizing custom exploit kits.[6] |
G0050 | APT32 | APT32 has infected victims by tricking them into visiting compromised watering hole websites.[7][8] |
G0067 | APT37 | APT37 has used strategic web compromises, particularly of South Korean websites, to distribute malware. The group has also used torrent file-sharing sites to more indiscriminately disseminate malware to victims. As part of their compromises, the group has used a JavaScript-based profiler called RICECURRY to profile a victim's web browser and deliver malicious code accordingly.[9][10][11] |
G0082 | APT38 | APT38 has conducted watering hole schemes to gain initial access to victims.[12][13] |
G0001 | Axiom | |
S0606 | Bad Rabbit | Bad Rabbit spread through watering holes on popular sites by injecting JavaScript into the HTML body or a |
G0060 | BRONZE BUTLER | BRONZE BUTLER compromised three Japanese websites using a Flash exploit to perform watering hole attacks.[17] |
S0482 | Bundlore | Bundlore has been spread through malicious advertisements on websites.[18] |
C0010 | C0010 | During C0010, UNC3890 actors likely established a watering hole that was hosted on a login page of a legitimate Israeli shipping company that was active until at least November 2021.[19] |
G0070 | Dark Caracal | Dark Caracal leveraged a watering hole to serve up malicious code.[20] |
G0012 | Darkhotel | Darkhotel used embedded iframes on hotel login portals to redirect selected victims to download malware.[21] |
G0035 | Dragonfly | Dragonfly has compromised targets via strategic web compromise (SWC) utilizing a custom exploit kit.[22][23][24] |
G1006 | Earth Lusca | Earth Lusca has performed watering hole attacks.[25] |
G0066 | Elderwood | Elderwood has delivered zero-day exploits and malware to victims by injecting malicious code into specific public Web pages visited by targets within a particular sector.[26][27][28] |
S0531 | Grandoreiro | Grandoreiro has used compromised websites and Google Ads to bait victims into downloading its installer.[29][30] |
S0215 | KARAE | KARAE was distributed through torrent file-sharing websites to South Korean victims, using a YouTube video downloader application as a lure.[10] |
G0032 | Lazarus Group | Lazarus Group delivered RATANKBA and other malicious code to victims via a compromised legitimate website.[31][32] |
G0077 | Leafminer | |
G0065 | Leviathan | |
S0451 | LoudMiner | LoudMiner is typically bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.[35] |
G0095 | Machete | Machete has distributed Machete through a fake blog website.[36] |
G0059 | Magic Hound | Magic Hound has conducted watering-hole attacks through media and magazine websites.[37] |
C0016 | Operation Dust Storm | During Operation Dust Storm, the threat actors used a watering hole attack on a popular software reseller to exploit the then-zero-day Internet Explorer vulnerability CVE-2014-0322.[38] |
G0040 | Patchwork | Patchwork has used watering holes to deliver files with exploits to initial victims.[39][40] |
G0068 | PLATINUM | PLATINUM has sometimes used drive-by attacks against vulnerable browser plugins.[41] |
S0216 | POORAIM | POORAIM has been delivered through compromised sites acting as watering holes.[10] |
G0056 | PROMETHIUM | PROMETHIUM has used watering hole attacks to deliver malicious versions of legitimate installers.[42] |
S0496 | REvil | REvil has infected victim machines through compromised websites and exploit kits.[43][44][45][46] |
G0048 | RTM | RTM has distributed its malware via the RIG and SUNDOWN exploit kits, as well as online advertising network |
G0027 | Threat Group-3390 | Threat Group-3390 has extensively used strategic web compromises to target victims.[49][50] |
G0134 | Transparent Tribe | Transparent Tribe has used websites with malicious hyperlinks and iframes to infect targeted victims with Crimson, njRAT, and other malicious tools.[51][52][53] |
G0010 | Turla | |
G0124 | Windigo | Windigo has distributed Windows malware via drive-by downloads.[56] |
G0112 | Windshift | Windshift has used compromised websites to register custom URL schemes on a remote system.[57] |
ID | Mitigation | Description |
---|---|---|
M1048 | Application Isolation and Sandboxing | Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist.[58][59] Other types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist for these types of systems.[59] |
M1050 | Exploit Protection | Security applications that look for behavior used during exploitation, such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET), can be used to mitigate some exploitation behavior.[60] Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring.[61] Many of these protections depend on the architecture and target application binary for compatibility. |
M1021 | Restrict Web-Based Content | For malicious code served up through ads, adblockers can help prevent that code from executing in the first place. Script blocking extensions can help prevent the execution of JavaScript that may commonly be used during the exploitation process. |
M1051 | Update Software | Keeping all browsers and plugins updated can help prevent the exploit phase of this technique. Use modern browsers with security features turned on. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0015 | Application Log | Application Log Content | Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources, such as how old a domain is, who it is registered to, whether it is on a known-bad list, or how many other users have connected to it before. |
DS0022 | File | File Creation | Monitor for newly constructed files written to disk that may indicate an adversary gained access to a system through a user visiting a website over the normal course of browsing. |
DS0029 | Network Traffic | Network Connection Creation | Monitor for newly constructed network connections to untrusted hosts that are used to send or receive data. |
DS0029 | Network Traffic | Network Traffic Content | Monitor for other unusual network traffic that may indicate additional tools transferred to the system. Use network intrusion detection systems, sometimes with SSL/TLS inspection, to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code. |
DS0009 | Process | Process Creation | Look for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, or evidence of Discovery. |
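The File Creation and Process Creation detections above can be expressed as a small correlation over endpoint telemetry: a browser writing an executable, a browser spawning a script host, and a browser-dropped file later being executed. The script below is an added example, not from ATT&CK or any vendor product; the JSON event format, the browser and interpreter name lists, and the sample log lines are constructed assumptions.

```python
import json

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
# Script hosts and LOLBins a browser has no legitimate reason to launch directly (assumed list).
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
EXEC_EXT = (".exe", ".dll", ".scr", ".hta", ".js", ".vbs")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyze(lines):
    """Apply three drive-by indicators to JSON event lines; returns (rule, detail) tuples."""
    alerts, dropped = [], set()              # dropped: executable paths written by a browser
    for line in lines:
        e = json.loads(line)
        if e["type"] == "file_create":
            path = e["path"].lower()
            if basename(e["process"]) in BROWSERS and path.endswith(EXEC_EXT):
                dropped.add(path)
                alerts.append(("browser_wrote_executable", e["path"]))
        elif e["type"] == "process_create":
            image = e["image"].lower()
            if basename(e["parent"]) in BROWSERS and basename(image) in SUSPICIOUS_CHILDREN:
                alerts.append(("browser_spawned_interpreter", e["image"]))
            if image in dropped:      # a file the browser dropped earlier is now executing
                alerts.append(("browser_dropped_file_executed", e["image"]))
    return alerts

# Constructed sample telemetry (not from a real incident). Event 1 is a normal renderer
# spawn; events 2-4 are the drive-by chain: dropped executable, script host, dropped file run.
SAMPLE_LOG = [
    '{"ts":"2024-03-01T10:00:00Z","type":"process_create","parent":"C:\\\\Program Files\\\\Chrome\\\\chrome.exe","image":"C:\\\\Program Files\\\\Chrome\\\\chrome.exe"}',
    '{"ts":"2024-03-01T10:00:07Z","type":"file_create","process":"C:\\\\Program Files\\\\Chrome\\\\chrome.exe","path":"C:\\\\Users\\\\alice\\\\AppData\\\\Local\\\\Temp\\\\update.exe"}',
    '{"ts":"2024-03-01T10:00:08Z","type":"process_create","parent":"C:\\\\Program Files\\\\Chrome\\\\chrome.exe","image":"C:\\\\Windows\\\\System32\\\\mshta.exe"}',
    '{"ts":"2024-03-01T10:00:09Z","type":"process_create","parent":"C:\\\\Windows\\\\System32\\\\mshta.exe","image":"C:\\\\Users\\\\alice\\\\AppData\\\\Local\\\\Temp\\\\update.exe"}',
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_LOG):
        print(rule, detail)
```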