
Israeli spyware vendor Candiru, which was added to an economic blocklist by the U.S. government this month, reportedly waged “watering hole” attacks against high-profile entities in the U.K. and the Middle East, new findings reveal.

“The victimized websites belong to media outlets in the U.K., Yemen, and Saudi Arabia, as well as to Hezbollah; to government institutions in Iran (Ministry of Foreign Affairs), Syria (including the Ministry of Electricity), and Yemen (including the Ministries of Interior and Finance); to internet service providers in Yemen and Syria; and to aerospace/military technology companies in Italy and South Africa,” ESET said in a new report. “The attackers also created a website mimicking a medical trade fair in Germany.”

The strategic web compromises are believed to have occurred in two waves: the first commencing as early as March 2020 and ending in August 2020, and the second string of attacks beginning in January 2021 and lasting until early August 2021, when the targeted websites were stripped clean of the malicious scripts.

Watering hole attacks are a form of highly targeted intrusion: rather than attacking the intended victims directly, the attackers backdoor websites that members of a specific group are known to frequent, with the goal of opening a gateway into those visitors' machines for follow-on exploitation activities.

“The compromised websites are only used as a jumping-off point to reach the final targets,” the Slovak cybersecurity firm said, linking the second wave to a threat actor tracked by Kaspersky as Karkadann, citing overlaps in the tactics, techniques, and procedures (TTPs). The Russian company described the group as targeting government bodies and news outlets in the Middle East since at least October 2020.
