Black Lotus Labs, the threat intelligence division of Lumen Technologies that focuses on identifying malware and cyber security threats, has announced the discovery of a group of compromised websites that have been used in watering hole attacks. Any visitor who browsed one of the sites would unknowingly be exposed to the attacker stealing a copy of their Windows authentication credentials, which could then be used to impersonate them.
The activity was only recently brought to light and was discovered on several Ukrainian websites and one Canadian website. These attacks compromise a website by inserting a malicious function into its code, which is then executed by the visitor's machine. This type of attack has been used for many years, including the high-profile compromise of the San Francisco International Airport website in April 2020.
When analyzing the attacks in Ukraine and Canada, Black Lotus Labs noticed malicious activity that showed the same traits as the San Francisco airport attack, and therefore attributed the activity to the same attacker. To stop the attacks in Ukraine and Canada, Black Lotus Labs informed the owners of the compromised websites of these discoveries.
Mike Benjamin, head of Black Lotus Labs, commented: “To protect against this type of attack, organizations should configure their firewalls to prevent outbound SMB-based communications from leaving the network or consider turning off or limiting SMB in the corporate environment.”
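As an added defender-side example (not code from Black Lotus Labs or the article), the following Python script checks egress firewall logs for the outbound SMB connections the quoted advice says to block, so an administrator can confirm the block is in place and spot hosts that attempted to reach an external SMB server. The log format and the use of RFC 1918 ranges to define "internal" are assumptions.

```python
import ipaddress
import re

# Constructed sample egress-firewall log lines (not from the article). The
# "src=... dst=... dport=... proto=... action=..." layout is an assumed format.
SAMPLE_LOG = """\
2020-05-01T10:00:01Z src=10.20.30.40 dst=203.0.113.7 dport=445 proto=tcp action=allow
2020-05-01T10:00:02Z src=10.20.30.40 dst=10.20.30.5 dport=445 proto=tcp action=allow
2020-05-01T10:00:03Z src=10.20.30.41 dst=198.51.100.9 dport=443 proto=tcp action=allow
2020-05-01T10:00:04Z src=10.20.30.42 dst=203.0.113.7 dport=139 proto=tcp action=deny
"""

SMB_PORTS = {445, 139}  # SMB over TCP and NetBIOS session service
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+) action=(\w+)")

# Assumption: "internal" means the RFC 1918 ranges. This is checked explicitly
# rather than via ipaddress.is_private, which also treats documentation
# ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_smb_egress(log_text):
    """Return (src, dst, dport, action) for each SMB connection from an
    internal host to an external address. Internal-to-internal SMB is
    ordinary file sharing and is ignored."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, dport, proto, action = m.groups()
        dport = int(dport)
        if proto != "tcp" or dport not in SMB_PORTS:
            continue
        if is_internal(src) and not is_internal(dst):
            hits.append((src, dst, dport, action))
    return hits


def allowed_smb_egress(log_text):
    """Subset the firewall let through: each is a potential credential leak
    and evidence that the outbound SMB block is not in effect."""
    return [h for h in find_smb_egress(log_text) if h[3] == "allow"]
```

Denied entries are still worth reviewing, since the source host tried to reach an external SMB server and may have visited a compromised page.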