Unit 42 finds Kuwaiti organisation’s webpage was exploited for malicious activities

New watering hole identified for credential harvesting.
New watering hole identified for credential harvesting.
5 years ago

During the analysis of the xHunt campaign activities, researchers from Unit 42, the threat intelligence arm of Palo Alto Networks, identified a Kuwaiti organisation’s webpage used as an apparent watering hole. The webpage contained a hidden image which was observed between June and December 2019, and referenced domains associated with malicious activity conducted by the xHunt campaign operators.

Unit 42 believes that the same threat actors involved in the Hisoka attack campaign compromised and injected this HTML code into this website in an attempt to harvest credentials from the website’s visitors; specifically, gathering account names and password hashes. While Unit 42 cannot confirm this, it is possible that the actors intended to crack these hashes to obtain the visitor’s passwords or using the hashes gathered to carry out relay attacks to gain access to additional systems.

If successful in harvesting account credentials, the compromised data has a plethora of uses for the attackers and can allow them to breach an organisation to steal sensitive information. Furthermore, because they’d be using trusted credentials, it can allow attackers to go undetected for long periods of time, enabling them to infiltrate other parts of an organisation and even implement backdoors, like RATs, to get back into a system even after being removed. This can result in significant damage to an organisation over a prolonged period of time.

During this same timeframe, Unit 42 observed an indication of DNS redirect activity on infrastructure used by these same operators. The domains observed in redirect activity primarily contained subdomains referencing an association with their organisational email servers further implying an interest in user credential harvesting.

Don't Miss

GBM to Implement Palo Alto Networks’ Next-Generation Firewall at GEMS Education to Protect Schools from Rising Cyberthreats

Gulf Business Machines (GBM) will deploy a next-generation firewall by Palo Alto
Orange-Business-First-to-Deliver-Prisma-SASE-with-SP-Interconnect

Orange Business to provide Palo Alto’s Prisma SASE with Service Provider Interconnect

Orange Business, Orange Cyberdefense and Palo Alto Networks have further strengthened their