Watering Hole Attacks Push ScanBox Keylogger

Researchers have uncovered a watering hole attack that is likely to have been carried out by an Advanced Persistent Threat (APT) group known as TA423. This attack is an attempt to plant a JavaScript-based reconnaissance tool known as ScanBox.

ScanBox is a tool that can be used to collect detailed information on a target computer, such as the operating system, type of browser, browser plugins, and more. This information can be used to identify vulnerable systems and launch further attacks.

The watering hole attack was carried out by injecting malicious JavaScript code into legitimate websites, which would then redirect visitors to a server hosting the ScanBox tool. This attack was poorly camouflaged and does not appear to have been successful.
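Because the injection described above changes which scripts a legitimate page loads, a site owner can catch it by comparing the live page with a known-good copy. The following is an added example, not code from the researchers' report; the function names, the sample pages and the `example.org` / `example.net` hosts are assumptions constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class ScriptAudit(HTMLParser):
    """Collect external script/iframe URLs and hashes of inline scripts."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.external, self.inline = page_url, [], []
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe") and src:
            # Resolve relative and protocol-relative URLs against the page.
            self.external.append((tag, urljoin(self.page_url, src)))
        elif tag == "script":
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip().encode()
            self.inline.append(hashlib.sha256(body).hexdigest())
            self._buf = None

def scan(html, page_url):
    parser = ScriptAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser

def changes(good_html, live_html, page_url):
    """Report script hosts and inline scripts absent from the known-good copy."""
    good, live = scan(good_html, page_url), scan(live_html, page_url)
    good_hosts = {urlparse(u).hostname for _, u in good.external}
    found = [("new-script-host", tag, url) for tag, url in live.external
             if urlparse(url).hostname not in good_hosts]
    found += [("new-inline-script", "script", h) for h in live.inline
              if h not in set(good.inline)]
    return found

# Constructed sample pages (reserved example domains), not data from the report.
PAGE = "https://www.example.org/news/"
GOOD = ('<head><script src="/js/app.js"></script>'
        '<script>window.cfg={lang:"en"};</script></head>')
LIVE = GOOD + '<script src="//stats.example.net/s.js"></script><script>var t=1;</script>'

if __name__ == "__main__":
    for finding in changes(GOOD, LIVE, PAGE):
        print(finding)
```

Run it on a schedule against the deployed page, with the known-good copy taken from the build or from version control, and alert on any finding.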

The researchers were able to identify the attack as being carried out by TA423 due to the presence of a file named “index.php” on the server hosting the ScanBox tool. This file contained code that was previously associated with the group. The researchers also noted that the attack was similar to other attacks carried out by TA423, such as the use of the “msfconsole” tool to gain access to the target system.

The researchers warn that this attack highlights the need for organizations to be aware of the threat posed by APT groups and to take steps to protect their systems. They recommend that organizations use application whitelisting to prevent malicious code from being executed and regularly monitor their networks for suspicious activity.

In summary, researchers have uncovered a watering hole attack, likely carried out by APT TA423, which attempted to plant the ScanBox JavaScript-based reconnaissance tool. The attack was poorly camouflaged and does not appear to have been successful; however, it highlights the need for organizations to be aware of the threat posed by APT groups and to take steps to protect their systems.

Key points:
• Researchers uncovered a watering hole attack likely carried out by APT TA423.
• The attack attempted to plant a JavaScript-based reconnaissance tool known as ScanBox.
• The attack was poorly camouflaged and does not appear to have been successful.
• TA423 was identified via code in the “index.php” file on the server hosting the ScanBox tool.
• Organizations need to be aware of the threat posed by APT groups and take steps to protect their systems.
