Critical infrastructure companies are under attack as researchers at Cisco found compromised domains of 10 oil and energy companies worldwide, including hydroelectric plants, natural gas distributors, industrial suppliers to the energy sector and investment firms serving those markets.
Six of the 10 sites shared the same Web design firm, and three of those six were owned by the same parent company. Cisco researcher Emmanuel Tacheau wrote in a blog post that credentials belonging to the Web design firm appear to have been stolen, which led to the compromises.
The 10 sites were compromised to serve iframe redirects to other sites hosting espionage malware, possibly the Poison Ivy remote access Trojan.
“The assumption is, with the target companies being in the energy sector, they were attempting to infect machines within that sector and exfiltrate intellectual property,” Tacheau said.
The iframes load exploit code and malware from three compromised domains: keeleux[.]com, kenzhebek[.], and nahoonservices[.]com.
The exploits target primarily a Java vulnerability, CVE-2012-1723, or a flaw in Internet Explorer 8, CVE-2013-1347. A Firefox exploit was also in these attacks, CVE-2013-1690.
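The injected iframes are the part of this chain a site owner can check for without any malware sample. The following scanner is an added example, not code from the Cisco write-up: it parses a page, collects every iframe, and flags those whose source host matches a known compromised domain or that are hidden the way injected redirects usually are (zero or one-pixel dimensions, display:none, visibility:hidden, or positioned far off screen). The indicator list holds only the two domains the page gives in full; the third is truncated above and is left out. The sample HTML is constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Compromised redirect hosts named in the Cisco write-up, kept in defanged
# form. Only the two complete domains are listed; the third is truncated on
# the page, so it is deliberately not guessed here.
IOC_DOMAINS_DEFANGED = ["keeleux[.]com", "nahoonservices[.]com"]


def refang(domain):
    """Turn 'example[.]com' back into 'example.com' for matching."""
    return domain.replace("[.]", ".").strip().lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Inline-style tricks commonly used to keep an injected iframe invisible.
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}",
    re.IGNORECASE,
)


def _tiny(value):
    """True for width/height values such as 0, 1 or '1px'."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", str(value))
    return m is not None and int(m.group(1)) <= 1


def host_of(src):
    """Hostname of an iframe src; handles absolute and protocol-relative URLs."""
    if not src:
        return ""
    parts = urlsplit(src.strip())
    return parts.hostname.lower() if parts.hostname else ""


def matches_ioc(host):
    """Exact or subdomain match against the indicator list."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def is_hidden(attrs):
    style = attrs.get("style") or ""
    return (_tiny(attrs.get("width")) or _tiny(attrs.get("height"))
            or bool(_HIDDEN_STYLE.search(style)))


class _IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): v for k, v in attrs})


def scan_html(html):
    """Return a finding for each iframe that is hidden or points at an IOC."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = host_of(src)
        reasons = []
        if matches_ioc(host):
            reasons.append("known_ioc")
        if is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


# Constructed sample page: one legitimate embed and three suspicious iframes.
SAMPLE_HTML = """
<html><body>
<h1>Acme Hydro Power</h1>
<iframe src="https://www.example.com/map" width="600" height="400"></iframe>
<iframe src="http://keeleux.com/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe style="position:absolute; left:-9999px" src="//cdn.nahoonservices.com/x.html"></iframe>
<iframe src="http://stats.example.net/c" width="0" height="0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f["host"], f["reasons"], f["src"])
```

The hidden-iframe heuristic is deliberately independent of the indicator list: the domains above were only useful for a few weeks, whereas an unexplained one-pixel or off-screen iframe in a page you own is worth a look regardless of where it points.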
Cisco said the malware used in the attacks is a Trojan that captures system configurations, as well as clipboard and keyboard data. It also establishes an encrypted connection to a command and control server hosted in Greece awaiting commands. All of the infected sites were aware of the issue and most cleaned up the problem, Cisco said.
“Detection for the malware was extremely low, so that’s always a concern,” Tacheau said. “Fortunately, exploit detection for the exploits used is pretty good, so hopefully people will have been protected.”
Watering hole attacks are effective because they compromise websites the intended victims already visit, so no lure is needed.
The same Internet Explorer 8 vulnerability was used earlier this year in a watering hole attack on the U.S. Department of Labor (DoL) website. Microsoft patched it in May, but not before those attacks spread to nine other sites, including the U.S. Agency for International Development (USAID) and research firms in Asia.
Given the timing of the two campaigns and their use of the same Internet Explorer exploit, it is tempting to tie the DoL attacks to the energy and oil attacks.
“That’s the million dollar question,” Tacheau said. “There certainly are a lot of commonalities. If you combine the timing, the shared exploit and the sector targeted, it does seem at least suspiciously in favor of a semblance of attackers.”
The oil and energy attacks, by contrast, were discovered by chance, by Cisco researchers looking at system logs and noticing the commonalities in the sectors targeted.
“It boils down to a matter of volume,” Tacheau said. “These were low volume-high stakes attacks; these sites don’t attract a large number of visitors. The DoL attacks were different. When you have a high profile site like that, those are always going to be spotted off the bat.”