
Black Lotus Labs uncovers watering hole cyber attacks


Black Lotus Labs, the threat intelligence division of Lumen Technologies that focuses on identifying malware and cyber security threats, has announced the discovery of a group of compromised websites that have been used in watering hole attacks. Any visitor who browses one of the sites could unknowingly have a copy of their Windows authentication credentials stolen, which the attacker could then use to impersonate them.


The activity was only recently brought to light and was discovered on several Ukrainian websites and one Canadian website. These attacks compromise a website by inserting a malicious function into its code, which is then executed by the visitor's machine. This type of attack has been used for many years, including the high-profile compromise of the San Francisco International Airport website in April 2020.


When analyzing the attacks in Ukraine and Canada, Black Lotus Labs noticed malicious activity that exhibited the same traits as the San Francisco airport attack, and therefore attributed the activity to the same attacker. To stop the attacks in Ukraine and Canada, Black Lotus Labs notified the owners of the compromised websites of its findings.


When a victim visits one of these websites, malicious JavaScript causes the victim's device to send its New Technology LAN Manager (NTLM) hashes to an attacker-controlled server over the Server Message Block (SMB) protocol, the protocol Windows uses for shared access to resources such as printers and files. Once the attacker has captured the hashes, they can crack them offline to recover usernames and passwords.


Mike Benjamin, head of Black Lotus Labs, commented: “To protect against this type of attack, organizations should configure their firewalls to prevent outbound SMB-based communications from leaving the network or consider turning off or limiting SMB in the corporate environment.”
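The connection the article describes (a workstation inside the network opening SMB to a server on the internet) is exactly the traffic the recommended egress rule should deny, and it is also easy to spot in firewall or flow logs after the fact. The following added example, which is not code from the article or from Black Lotus Labs, parses a few constructed flow-log lines in a hypothetical `key=value` export format, treats RFC 1918, loopback and link-local ranges as "internal", and flags any internal host that opened TCP 445 or 139 to a destination outside those ranges. The log format, the address ranges and the sample addresses are all assumptions made for the example.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample flow-log lines, not taken from the article. The format
# (timestamp, src, dst, proto, dport, action) is a hypothetical firewall export.
SAMPLE_FLOW_LOG = """\
2020-06-01T10:00:01Z src=10.1.2.15 dst=10.1.2.5 proto=tcp dport=445 action=allow
2020-06-01T10:00:05Z src=10.1.2.15 dst=203.0.113.77 proto=tcp dport=445 action=allow
2020-06-01T10:00:06Z src=10.1.2.15 dst=203.0.113.77 proto=tcp dport=443 action=allow
2020-06-01T10:00:09Z src=10.1.2.22 dst=198.51.100.9 proto=tcp dport=139 action=allow
2020-06-01T10:00:12Z src=10.1.2.22 dst=192.168.50.3 proto=tcp dport=445 action=allow
"""

# TCP ports on which Windows clients speak SMB: 445 (direct) and 139 (NetBIOS session).
SMB_TCP_PORTS = {445, 139}

# Ranges treated as "inside the network" for this example (RFC 1918, loopback,
# link-local). A real deployment substitutes its own address plan here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def is_internal(addr: str) -> bool:
    """True if addr falls in one of the INTERNAL_NETS ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Dict[str, str]:
    """Parse one flow-log line into a dict; raise ValueError on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow-log line: {line!r}")
    return m.groupdict()


def find_outbound_smb(log_text: str) -> List[Dict[str, str]]:
    """Return flows where an internal host opens SMB (TCP 445/139) to an external host.

    Each hit is the kind of connection a watering-hole NTLM-leak page triggers
    from the browser, and exactly what an egress firewall rule should deny.
    """
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        flow = parse_line(raw)
        if flow["proto"].lower() != "tcp":
            continue
        if int(flow["dport"]) not in SMB_TCP_PORTS:
            continue
        if is_internal(flow["src"]) and not is_internal(flow["dst"]):
            hits.append(flow)
    return hits


def affected_hosts(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group external SMB destinations by internal source host, for triage."""
    by_host: Dict[str, List[str]] = {}
    for flow in hits:
        by_host.setdefault(flow["src"], []).append(flow["dst"])
    return by_host


if __name__ == "__main__":
    found = find_outbound_smb(SAMPLE_FLOW_LOG)
    for flow in found:
        print(f"{flow['ts']} {flow['src']} -> {flow['dst']}:{flow['dport']} "
              f"outbound SMB (action={flow['action']})")
    print("hosts to triage:", affected_hosts(found))
```

Run against the sample, the script reports the two flows to 203.0.113.77:445 and 198.51.100.9:139 and leaves the internal-to-internal SMB flows alone. Hosts that appear in the output should be treated as having potentially leaked an NTLM hash, which is the case for a credential reset; an `action=allow` on such a flow is also the signal that the egress rule Benjamin recommends is missing or too permissive.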