T1189

Drive-by Compromiseドライブバイ攻撃

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token.
攻撃者は、ユーザが通常のブラウジングでWebサイトを訪問することで、システムへのアクセスを獲得することがあります。このテクニックでは、通常、ユーザーのウェブブラウザが攻撃目標とされますが、攻撃者は、アプリケーションアクセストークンの取得など、悪用されない動作のために侵害されたウェブサイトを使用することもあります。

Multiple ways of delivering exploit code to a browser exist, including:
ブラウザにエクスプロイトコードを配信する方法は、以下のように複数存在します。

  • A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.
  • Malicious ads are paid for and served through legitimate ad providers.
  • Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).

  • 正規のWebサイトに、攻撃者がJavaScript、iFrame、クロスサイトスクリプティングなど何らかの悪意のあるコードを注入し、侵害する
  • 悪意のある広告が、正当な広告プロバイダーを通じて支払われ、提供される
  • 組み込みのウェブアプリケーションインターフェースを利用して、ウェブコンテンツを表示したり、訪問中のクライアントで実行されるスクリプトを含む他のあらゆる種類のオブジェクトを挿入する(例:フォーラムの投稿、コメント、その他のユーザー制御可能なウェブコンテンツ)

Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.[1]

多くの場合、攻撃者の使用するウェブサイトは、政府、特定の業界、地域など、特定のコミュニティが訪れるもので、共通の関心に基づいて特定のユーザーまたはユーザーグループを攻撃することが目的となっています。このような標的型攻撃は、しばしば戦略的Web侵害や水飲み場攻撃と呼ばれます。このようなことが起こる例として、いくつかの事例が知られています。

Typical drive-by compromise process:

  1. A user visits a website that is used to host the adversary controlled content.
  2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version.
    • The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.
  3. Upon finding a vulnerable version, exploit code is delivered to the browser.
  4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.
    • In some cases a second visit to the website after the initial scan is required before exploit code is delivered.
  1. ユーザーは、攻撃者の管理化におかれたウェブサイトを訪問します。
  2. スクリプトが自動的に実行され、通常、脆弱性の可能性があるブラウザやプラグインのバージョンが検索されます。
    • ユーザーは、スクリプトまたはアクティブなWebサイトのコンポーネントを有効にし、警告ダイアログボックスを無視することによって、このプロセスを手助けすることを求められる場合があります。
  3. 脆弱なバージョンを見つけると、エクスプロイトコードがブラウザに配信されます。
  4. 攻撃が成功した場合、他のセキュリティ対策が施されていない限り、攻撃者はユーザーのシステム上でコードを実行することができるようになります。
    • 場合によっては、最初のスキャンの後、エクスプロイトコードが配信される前にウェブサイトへの再アクセスが必要になることがあります。

Unlike Exploit Public-Facing Application, the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.
公開アプリケーションの悪用とは異なり、このテクニックの焦点は、ウェブサイトを訪問したクライアントのエンドポイントにあるソフトウェアを悪用することです。これにより、攻撃者は、DMZにある外部システムではなく、内部ネットワーク上のシステムにアクセスすることができます。

Adversaries may also use compromised websites to deliver a user to a malicious application designed to Steal Application Access Tokens, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.[2]
攻撃者は、侵害されたWebサイトを利用して、ユーザーを悪意のあるアプリケーションに誘導し、OAuthトークンのようなアプリケーションアクセストークンを盗んで、保護されたアプリケーションや 情報へのアクセスを得ようとすることもあります。これらの悪意のあるアプリケーションは、正規のWebサイト上のポップアップを通じて配信されています。([2]に画面あり)

Tactic: Initial Access
翻訳原文:Last Modified: 08 March 2022

Procedure Examples

ID Name Description
G0138 Andariel

Andariel has used watering hole attacks, often with zero-day exploits, to gain initial access to victims within a specific IP range.[3][4]

G0073 APT19

APT19 performed a watering hole attack on forbes.com in 2014 to compromise targets.[5]

G0007 APT28

APT28 has compromised targets via strategic web compromise utilizing custom exploit kits.[6]

G0050 APT32

APT32 has infected victims by tricking them into visiting compromised watering hole websites.[7][8]

G0067 APT37

APT37 has used strategic web compromises, particularly of South Korean websites, to distribute malware. The group has also used torrent file-sharing sites to more indiscriminately disseminate malware to victims. As part of their compromises, the group has used a Javascript based profiler called RICECURRY to profile a victim's web browser and deliver malicious code accordingly.[9][10][11]

APT37は、特に韓国のWebサイトを戦略的に侵害し、マルウェアを配布しています。また、Torrentファイル共有サイトを利用して、より無差別にマルウェアをばら撒いています。このグループは、「RICECURRY」と呼ばれるJavascriptベースのプロファイラソフトを使用して、被害者のWebブラウザのプロファイリングを行い、それに応じて不正なコードを配信しています。

G0082 APT38

APT38 has conducted watering holes schemes to gain initial access to victims.[12][13]

G0001 Axiom

Axiom has used watering hole attacks to gain access.[14]

S0606 Bad Rabbit

Bad Rabbit spread through watering holes on popular sites by injecting JavaScript into the HTML body or a .js file.[15][16]

G0060 BRONZE BUTLER

BRONZE BUTLER compromised three Japanese websites using a Flash exploit to perform watering hole attacks.[17]

S0482 Bundlore

Bundlore has been spread through malicious advertisements on websites.[18]

C0010 C0010

During C0010, UNC3890 actors likely established a watering hole that was hosted on a login page of a legitimate Israeli shipping company that was active until at least November 2021.[19]

G0070 Dark Caracal

Dark Caracal leveraged a watering hole to serve up malicious code.[20]

G0012 Darkhotel

Darkhotel used embedded iframes on hotel login portals to redirect selected victims to download malware.[21]

G0035 Dragonfly

Dragonfly has compromised targets via strategic web compromise (SWC) utilizing a custom exploit kit.[22][23][24]

G1006 Earth Lusca

Earth Lusca has performed watering hole attacks.[25]

G0066 Elderwood

Elderwood has delivered zero-day exploits and malware to victims by injecting malicious code into specific public Web pages visited by targets within a particular sector.[26][27][28]

S0531 Grandoreiro

Grandoreiro has used compromised websites and Google Ads to bait victims into downloading its installer.[29][30]

S0215 KARAE

KARAE was distributed through torrent file-sharing websites to South Korean victims, using a YouTube video downloader application as a lure.[10]

G0032 Lazarus Group

Lazarus Group delivered RATANKBA and other malicious code to victims via a compromised legitimate website.[31][32]

G0077 Leafminer

Leafminer has infected victims using watering holes.[33]

G0065 Leviathan

Leviathan has infected victims using watering holes.[34]

S0451 LoudMiner

LoudMiner is typically bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.[35]

G0095 Machete

Machete has distributed Machete through a fake blog website.[36]

G0059 Magic Hound

Magic Hound has conducted watering-hole attacks through media and magazine websites.[37]

C0016 Operation Dust Storm

During Operation Dust Storm, the threat actors used a watering hole attack on a popular software reseller to exploit the then-zero-day Internet Explorer vulnerability CVE-2014-0322.[38]

G0040 Patchwork

Patchwork has used watering holes to deliver files with exploits to initial victims.[39][40]

G0068 PLATINUM

PLATINUM has sometimes used drive-by attacks against vulnerable browser plugins.[41]

S0216 POORAIM

POORAIM has been delivered through compromised sites acting as watering holes.[10]

G0056 PROMETHIUM

PROMETHIUM has used watering hole attacks to deliver malicious versions of legitimate installers.[42]

S0496 REvil

REvil has infected victim machines through compromised websites and exploit kits.[43][44][45][46]

G0048 RTM

RTM has distributed its malware via the RIG and SUNDOWN exploit kits, as well as online advertising network Yandex.Direct.[47][48]

G0027 Threat Group-3390

Threat Group-3390 has extensively used strategic web compromises to target victims.[49][50]

G0134 Transparent Tribe

Transparent Tribe has used websites with malicious hyperlinks and iframes to infect targeted victims with Crimson, njRAT, and other malicious tools.[51][52][53]

G0010 Turla

Turla has infected victims using watering holes.[54][55]

G0124 Windigo

Windigo has distributed Windows malware via drive-by downloads.[56]

G0112 Windshift

Windshift has used compromised websites to register custom URL schemes on a remote system.[57]

Mitigations

ID Mitigation Description
M1048 Application Isolation and Sandboxing
アプリケーションの分離とサンドボックス化

Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist.[58][59]
ブラウザのサンドボックスは、悪用された場合の影響をある程度軽減することができますが、サンドボックスからの回避も依然として存在する可能性があります。

Other types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist for these types of systems.[59]
また、他の種類の仮想化やアプリケーションのマイクロセグメンテーションも、クライアントサイドのエクスプロイトの影響を軽減することができる場合があります。これらのタイプのシステムには、さらなる悪用や実装上の弱点によるリスクが依然として存在する可能性があります。

M1050 Exploit Protection
エクスプロイト保護

Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. [60] Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. [61] Many of these protections depend on the architecture and target application binary for compatibility.

Windows Defender Exploit Guard(WDEG)や Enhanced Mitigation Experience Toolkit(EMET:2018  7  31 日をもって製品サポートが終了)など、エクスプロイト時に使用される動作を検索するセキュリティアプリケーションを使用すると、一部のエクスプロイトを緩和することができます。また、制御フローの整合性チェックも、ソフトウェア悪用の発生を特定し、阻止する可能性のある方法です[61]。これらの保護機能の多くは、アーキテクチャとターゲットのアプリケーションバイナリに互換性があるかどうかに依存します。

M1021 Restrict Web-Based Content

For malicious code served up through ads, adblockers can help prevent that code from executing in the first place.
広告で配信される悪意のあるコードに対しては、アドブロッカーが未然にコードの実行を防ぐのに役立ちます。

Script blocking extensions can help prevent the execution of JavaScript that may commonly be used during the exploitation process.
スクリプトブロック機能拡張は、悪用プロセスでよく使われる可能性のあるJavaScriptの実行を防ぐのに役立ちます。

M1051 Update Software

Ensure all browsers and plugins kept updated can help prevent the exploit phase of this technique. Use modern browsers with security features turned on.
ブラウザやプラグインを常に最新の状態に保つことで、このテクニックの悪用を防ぐことができます。セキュリティ機能をオンにした最新のブラウザを使用しましょう。

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before.
ファイアウォールとプロキシは、望ましくないドメインやパラメータが含まれている可能性のあるURLを検査することができます。また、Webサイトや要求されたリソースについて、ドメインの古さ、登録者、既知の不良リストに含まれているかどうか、以前に接続した他のユーザーの数など、評判に基づいて分析することも可能です。

DS0022 File File Creation

Monitor for newly constructed files written to disk to gain access to a system through a user visiting a website over the normal course of browsing.
ユーザーが通常のブラウジングでウェブサイトを訪問し、システムにアクセスするためにディスクに新たに構築されたファイルを監視します。

DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections to untrusted hosts that are used to send or receive data.
データの送受信に使用される、信頼できないホストへの新しく確立されたネットワーク接続を監視します。

    Network Traffic Content

Monitor for other unusual network traffic that may indicate additional tools transferred to the system. Use network intrusion detection systems, sometimes with SSL/TLS inspection, to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code.
システムに転送された追加ツールの可能性がある、その他の異常なネットワークトラフィックを監視します。ネットワーク侵入検知システム(場合によっては SSL/TLS 検査を含む)を使用して、既知の悪意あるスクリプト(偵察、ヒープスプレー、ブラウザ識別スクリプトが頻繁に再利用されている)、一般的に使用されているスクリプトの難読化、およびエクスプロイトコードを確認します。

DS0009 Process Process Creation

Look for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, or evidence of Discovery.
ブラウザプロセスの異常な動作など、侵害の成功を示す可能性のあるエンドポイントシステムでの動作を確認します。これには、ディスクに書き込まれた疑わしいファイル、実行を隠そうとするプロセスインジェクションの痕跡、またはディスカバリーの痕跡が含まれる可能性があります。

References

  1. Adair, S., Moran, N. (2012, May 15). Cyber Espionage & Strategic Web Compromises – Trusted Websites Serving Dangerous Results. Retrieved March 13, 2018.
  2. Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.
  3. AhnLab. (2018, June 23). Targeted attacks by Andariel Threat Group, a subgroup of the Lazarus. Retrieved September 29, 2021.
  4. Chen, Joseph. (2018, July 16). New Andariel Reconnaissance Tactics Uncovered. Retrieved September 29, 2021.
  5. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.
  6. Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.
  7. Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.
  8. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.
  9. Raiu, C., and Ivanov, A. (2016, June 17). Operation Daybreak. Retrieved February 15, 2018.
  10. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  11. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
  12. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  13. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
  14. Esler, J., Lee, M., and Williams, C. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016.
  15. M.Léveille, M-E.. (2017, October 24). Bad Rabbit: Not‑Petya is back with improved ransomware. Retrieved January 28, 2021.
  16. Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.
  17. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
  18. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
  19. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
  20. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  21. Kaspersky Lab's Global Research and Analysis Team. (2014, November). The Darkhotel APT A Story of Unusual Hospitality. Retrieved November 12, 2014.
  22. Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020.
  23. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  24. Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.
  25. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  26. O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.
  27. Clayton, M.. (2012, September 14). Stealing US business secrets: Experts ID two huge cyber 'gangs' in China. Retrieved February 15, 2018.
  28. Paganini, P. (2012, September 9). Elderwood project, who is behind Op. Aurora and ongoing attacks?. Retrieved February 13, 2018.
  29. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
  30. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.
  31. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  1. Weidemann, A. (2021, January 25). New campaign targeting security researchers. Retrieved December 20, 2021.
  2. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  3. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
  4. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
  5. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
  6. ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021.
  7. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  8. Hamada, J.. (2016, July 25). Patchwork cyberespionage group expands targets from governments to wide range of industries. Retrieved August 17, 2016.
  9. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  10. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  11. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
  12. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  13. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
  14. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.
  15. Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
  16. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  17. ESET Research. (2019, April 30). Buhtrap backdoor and Buran ransomware distributed via major advertising platform. Retrieved May 11, 2020.
  18. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  19. Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.
  20. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  21. Falcone, R. and Conant S. (2016, March 25). ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe. Retrieved September 2, 2021.
  22. Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.
  23. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  24. Secureworks CTU. (n.d.). IRON HUNTER. Retrieved February 22, 2022.
  25. Bilodeau, O., Bureau, M., Calvet, J., Dorais-Joncas, A., Léveillé, M., Vanheuverzwijn, B. (2014, March 18). Operation Windigo – the vivisection of a large Linux server‑side credential‑stealing malware campaign. Retrieved February 10, 2021.
  26. Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019.
  27. Cowan, C. (2017, March 23). Strengthening the Microsoft Edge Sandbox. Retrieved March 12, 2018.
  28. Goodin, D. (2017, March 17). Virtual machine escape fetches $105,000 at Pwn2Own hacking contest - updated. Retrieved March 12, 2018.
  29. Nunez, N. (2017, August 9). Moving Beyond EMET II – Windows Defender Exploit Guard. Retrieved March 12, 2018.
  30. Wikipedia. (2018, January 11). Control-flow integrity. Retrieved March 12, 2018.