Cisco TRAC has been monitoring numerous “malicious redirects” that it believes stem from a sophisticated watering-hole attack, carried out through iFrame injections and aimed at high-profile targets in the energy sector.
The attack appears to employ several compromised domains for the purpose of hosting the malware used to infect victims and for controlling the browser redirects.
Thus far, compromised domains include those belonging to a major international oil and gas firm, a British power station, a French energy distributor, an energy equipment industrial supplier, and several investment firms that focus on the energy sector.
“Encounters with the iframe injected web pages resulted from either direct browsing to the compromised sites or via seemingly legitimate and innocuous searches,” wrote Cisco’s Emmanuel Tacheau.
“This is consistent with the premise of a watering-hole style attack that deliberately compromises websites likely to draw the intended targets, vs. spear phishing or other means to entice the intended targets through illicit means.”
The compromised domains that generate the iFrames that load the malware include:
“Protecting users against these attacks involves keeping machines and web browsers fully patched to minimize the number of vulnerabilities that an attacker can exploit,” Tacheau advised in an article containing a detailed analysis of the attack.