Security experts at AlienVault discovered a series of watering hole attacks using the Scanbox reconnaissance Framework that is targeting several industries.
Security experts at AlienVault Labs have uncovered a watering hole attack with a singular characteristic, the attackers are using a framework developed for reconnaissance as the primary infection vector.
Scanbox has numerous plugins that could be used to Enumerates software installed in the system (e.g. Flash versions, Flash versions, etc.)
Scanbox also include keylogging capability, when visitors browse the compromised website, all keystrokes are being recorded and sent to the C&C server periodically, the IP address that is hosting the command and control server is 220.127.116.11 and is assigned to a data center located in Hong Kong.
The agent also collects data the user submits via the web forms, the feature allows the attackers to steal sensitive data including password
According to the post published by AlienVault Labs, the threat actors compromised an unnamed industrial software firm’s website, the targeted company design software used for simulation and system engineering for a wide numerous companies in several industries, including automotive and aerospace.
This isn’t the first time that the researchers uncovered watering hole attacks to serve reconnaissance tools, and experts speculate that the targeted industries could suffer further attacks soon.
“This is a very powerful framework that gives attackers a lot of insight into the potential targets that will help them launching future attacks against them,” “We have also seen several Metasploit-produced exploits that target different versions of Java in the same IP address that hosts the Scanbox framework.” said Jaime Blasco.
The experts at AlienVault suggest administrators to monitor traffic from mail.webmailgoogle.com and js.webmailgoogle.com, because those are indicators of this attack.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.