Israeli Counter-Terrorism Websites Used in Watering Hole Attacks

Israeli Website for International Institute for Counter-Terrorism Used in Watering Hole Attacks

Researchers have detected a pair of websites related to the Israeli government which appear to have been compromised as part of a “watering hole” attack, Websense said today.

The websites were compromised and injected with malicious code which serves up an Internet Explorer exploit to unsuspecting site visitors running out-of-date versions of the Internet Explorer browser, Gianluca Giuliani of Websense Security Labs wrote in a blog post. Websense believes the sites may have been compromised and delivering malware from as early as Jan. 23, and as of this week, one site was still infecting users while the other appears to have ceased its activities.

The two sites, ict.org.il and herzliyaconference.org, appear to be connected to and governed by a leading Israeli academic institution called IDC, Websense said. ICT bills itself as the International Institute for Counter-Terrorism. As of today, the malicious code appears to have been removed from the main page of herzliyaconference.org, according to Websense.

“As described, the attacks on both websites are identical,” Giuliani said.

The attack was “very similar” to a recent spate of spear-phishing attacks, Giuliani wrote. Researchers had previously linked the spear-phishing attack to the watering hole attack on the Council on Foreign Relations website back in December because the same zero-day was targeted. The malicious Flash file could either be linked to the “Elderwood” gang, a highly organized cyber-crime group that may have instigated the attack on the CFR site, or different groups may be using the same toolkit, Websense said.

“It looks as if targeted attacks have now been surfacing regularly and more frequently, with more attacks that are now exposed almost on a weekly basis,” Giuliani wrote.

Facebook, Twitter, Apple and Microsoft were all hit by watering hole attacks in February when the attackers compromised an iPhone development website.

The sophistication of attacks directly depends on the protection level employed by the target, Giuliani said. If the defense level is not strong enough, attackers are likely to try to break through. If it is hard to break, they may not put in the effort.

The tough questions one should ask oneself in today’s threat landscape are “what am I doing to not be the next victim?” and, even more importantly, “what am I going to do when I do become one?” said Giuliani.

In this case, the malware loads a malicious page with Flash content embedded. The malware also downloads a connector to the command-and-control server and opens a backdoor on the infected machine. The malware speaks with a single host which appears to be based in China, as well as a second one that appears to belong to Hurricane Electric, an Internet Service Provider in Fremont, Calif.

“Looking closer at this IP address, we could see that it hosts a lot of mayhem, as well as many other hosts that are associated that use host names on *.oicp.net,” Websense said.
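The behaviour described above gives a defender two things to look for in web proxy or DNS logs: visits to the two compromised sites (especially from Internet Explorer, the browser the exploit targeted) and subsequent connections to hosts under *.oicp.net. The script below is an added example, not code from Websense or from this article, that correlates both per client over a constructed proxy log; the log format, the client addresses, the subdomain beacon.example.oicp.net and the severity tiers are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Indicators taken from the article: the two compromised sites and the
# *.oicp.net host names Websense tied to the command-and-control server.
WATERING_HOLE_SITES = ("ict.org.il", "herzliyaconference.org")
C2_HOST_SUFFIXES = ("oicp.net",)

# Constructed sample proxy log (not from the article): timestamp, client IP,
# destination host, and the browser's User-Agent string in quotes.
SAMPLE_LOG = """\
2013-03-14T10:01:02Z 10.0.0.12 ict.org.il "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
2013-03-14T10:01:05Z 10.0.0.12 beacon.example.oicp.net "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
2013-03-14T10:02:10Z 10.0.0.33 www.example.org "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
2013-03-14T10:03:44Z 10.0.0.45 notoicp.net "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
2013-03-14T10:04:00Z 10.0.0.51 herzliyaconference.org "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
MSIE_RE = re.compile(r"MSIE (\d+)\.")


def parse_line(line):
    """Return (timestamp, client, host, user_agent), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def host_matches(host, suffix):
    """True if host is the suffix itself or a subdomain of it.

    The dot-boundary check matters: 'notoicp.net' must not match 'oicp.net'.
    """
    host = host.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def ie_major_version(user_agent):
    """Major version from an MSIE token, or None for non-IE browsers."""
    m = MSIE_RE.search(user_agent)
    return int(m.group(1)) if m else None


def triage(log_text):
    """Correlate, per client, watering-hole visits, the browser used, and C2-suffix contact.

    Returns {client: {"sites": [...], "c2_hosts": [...], "ie_version": int|None,
    "severity": str}}; clients that touched neither indicator are omitted.
    """
    per_client = defaultdict(lambda: {"sites": [], "c2_hosts": [], "ie_version": None})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole run
        _ts, client, host, ua = parsed
        rec = per_client[client]
        if any(host_matches(host, s) for s in WATERING_HOLE_SITES):
            rec["sites"].append(host)
            rec["ie_version"] = ie_major_version(ua)
        if any(host_matches(host, s) for s in C2_HOST_SUFFIXES):
            rec["c2_hosts"].append(host)

    results = {}
    for client, rec in per_client.items():
        if rec["c2_hosts"] and rec["sites"]:
            sev = "high"    # visited a compromised site and then talked to C2 infrastructure
        elif rec["c2_hosts"]:
            sev = "medium"  # C2 contact without an observed watering-hole visit
        elif rec["sites"] and rec["ie_version"] is not None:
            sev = "watch"   # exposed via Internet Explorer; verify the browser's patch level
        elif rec["sites"]:
            sev = "info"    # visited the site with a browser the exploit did not target
        else:
            continue
        results[client] = dict(rec, severity=sev)
    return results


if __name__ == "__main__":
    for client, rec in sorted(triage(SAMPLE_LOG).items()):
        print(client, rec["severity"], rec["sites"], rec["c2_hosts"])
```

Run against the constructed log, the client 10.0.0.12 is rated high (an IE 8 visit to ict.org.il followed by a connection under oicp.net), 10.0.0.51 is informational, and 10.0.0.45 is not reported at all because notoicp.net fails the dot-boundary check. The suffix match deliberately stops at domain labels so that a plain substring search does not drown the one real indicator in look-alike noise.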

Post-infection mitigation plans should be given the same emphasis as prevention and having adequate protection in place, Websense said.
