
The Rising Threat: Unleashing the Power of Watering Hole Attacks


Watering Hole Attacks Push ScanBox Keylogger


Date: August 30, 2022

Recent research has uncovered a watering hole attack that has been attributed to APT TA423, a China-based threat actor. The attack involves the distribution of the ScanBox JavaScript-based reconnaissance tool to victims that include domestic Australian organizations and offshore energy firms in the South China Sea. The attack campaign began in April 2022 and ran through mid-June 2022, according to a report by Proofpoint’s Threat Research Team and PwC’s Threat Intelligence team.

Targeted Messages and Bait

APT TA423, also known as Red Ladon, used targeted messages linking back to Australian news websites as bait in its cyber-espionage campaigns. The messages were sent as phishing emails with titles like “Sick Leave,” “User Research,” and “Request Cooperation.” The emails claimed to come from an employee of the fictional organization “Australian Morning News” and encouraged the targets to visit the website australianmorningnews[.]com.

Upon clicking the link in the email and being redirected to the website, visitors were served the ScanBox framework. The website displayed content copied from actual news sites, such as the BBC and Sky News, while also delivering the ScanBox malware framework. This framework acts as a keylogger, capturing all of a user’s typed activity on the infected website.

The ScanBox Framework

The ScanBox framework is a customizable and multifunctional JavaScript-based tool used by adversaries for covert reconnaissance. It has been used by attackers for almost a decade and is particularly dangerous because it doesn’t require malware to be deployed to a target system. Instead, the JavaScript code is executed by a web browser, allowing it to function as a keylogger without leaving traces on the system.

In the case of the watering hole attack, the ScanBox framework is loaded onto a compromised website. When users visit the infected website, their keystrokes are captured by the ScanBox keylogger. This data is then used as part of a multi-stage attack, providing the attackers with information about potential targets for future attacks. This technique is commonly known as browser fingerprinting.

The ScanBox framework also includes WebRTC functionality, which allows it to establish real-time communication between web browsers and mobile applications. This enables the framework to connect to pre-configured targets and communicate with victim machines even if they are behind NAT (Network Address Translation).
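Because a watering hole attack works by adding script to a site the victim already trusts, the defender-side check that follows from this section is an inventory of what scripts a page actually serves. The example below is added here and is not code from the report, from Proofpoint or PwC, or from ScanBox itself; it parses a page's `<script>` tags, flags external scripts from hosts outside a site's own allowlist, and flags inline scripts that register keystroke handlers. The allowlist hosts, the sample pages and the keystroke-hook patterns are all constructed for the example.

```python
"""Audit a site's own pages for injected scripts: compare the <script> inventory
against a baseline allowlist and flag inline code that hooks keystroke events.
Added example; allowlist, sample HTML and heuristics are constructed, not real IoCs."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical baseline of script hosts the site is known to load (assumption).
ALLOWED_SCRIPT_HOSTS = {"www.example-news.test", "cdn.example-news.test"}

# Constructed heuristics for keystroke capture in inline JavaScript.
KEYLOG_PATTERNS = [
    re.compile(r"addEventListener\(\s*['\"]key(?:down|press|up)['\"]", re.I),
    re.compile(r"\bonkey(?:down|press|up)\s*=", re.I),
]


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from one HTML page."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of src= attributes
        self.inline = []     # bodies of <script> elements without src
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> content as raw data, so it lands here.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def audit_page(html, page_host, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (kind, detail) findings for scripts that do not belong on the page."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).netloc or page_host  # relative src => same origin
        if host not in allowed_hosts:
            findings.append(("unexpected_script_host", src))
    for body in parser.inline:
        if any(p.search(body) for p in KEYLOG_PATTERNS):
            findings.append(("inline_keystroke_hook", body.strip()[:60]))
    return findings


# Constructed sample pages: the site's clean page and the same page with two
# injected <script> elements of the kind a watering hole compromise adds.
CLEAN_PAGE = """<html><head>
<script src="https://cdn.example-news.test/app.js"></script>
<script src="/static/site.js"></script>
</head><body><h1>Headline</h1></body></html>"""

TAMPERED_PAGE = CLEAN_PAGE.replace("</body>", """
<script src="https://attacker-controlled.invalid/recon.js"></script>
<script>document.addEventListener('keydown', onKey);</script>
</body>""")

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, audit_page(page, "www.example-news.test"))
```

In practice the baseline would be generated from a known-good crawl of the site and the audit run on a schedule against the live pages, so that an added script host or a new inline handler shows up as a diff rather than waiting for a visitor to report it. The keystroke patterns are deliberately coarse; they exist to surface pages for review, not to classify malware.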

Attribution and Motivation

Researchers attribute these attacks to APT TA423 / Red Ladon, a threat actor believed to operate out of Hainan Island, China. This group has been indicted by the US Department of Justice for providing support to the Hainan Province Ministry of State Security (MSS), which is responsible for intelligence and cyber espionage efforts by China.

The threat actors are believed to support the Chinese government in matters related to the South China Sea and have a particular focus on naval issues in regions such as Malaysia, Singapore, Taiwan, and Australia. However, they have also targeted victims in other countries, including the United States, Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland, and the United Kingdom. Industries targeted by the group range from aviation and defense to education, government, healthcare, biopharmaceutical, and maritime.

Implications and Recommendations

Watering hole attacks, such as the one involving the ScanBox keylogger, highlight the persistent and evolving nature of cyber threats. In this case, the attackers were able to compromise legitimate websites and use them as vehicles for their malicious activities. This tactic makes it difficult for organizations to detect and defend against these attacks, as they often rely on trusted sources.

To protect against watering hole attacks and similar threats, organizations should implement robust cybersecurity measures. This includes regularly updating software and operating systems, using strong and unique passwords, enabling multi-factor authentication, conducting vulnerability assessments, and educating employees about the risks of phishing and visiting unfamiliar websites.

Furthermore, organizations should consider implementing advanced threat detection and prevention technologies that can identify and block malicious activities. Continuous monitoring and timely incident response are also crucial to minimize the impact of attacks and prevent further compromise.

Lastly, international cooperation and collaboration are essential in addressing cyber threats originating from state-sponsored actors. Governments and law enforcement agencies should work together to share information and intelligence, investigate and prosecute cybercriminals, and impose consequences on those responsible for malicious activities.

As cyber threats continue to evolve, it is imperative for individuals, organizations, and governments to remain vigilant and proactive in protecting themselves and their digital assets.
