Cybersecurity researchers at ClearSky have uncovered a sophisticated watering hole attack targeting several Israeli websites.
The campaign, believed to be carried out by an Iranian nation-state actor, has raised concerns about the security of shipping and logistics companies operating in the region.

“In watering hole attacks, the attacker compromises a website that is regularly frequented by a particular group of people, such as government officials, journalists, or corporate executives,” reads an advisory published by the company today.
“Once compromised, the attacker can inject malicious code into the site, which will be executed when users visit it. At this time, the campaign focuses on shipping and logistics companies, aligning with Iran’s focus on the sector for the past few years.”
The ClearSky team has attributed the attack with low confidence to Tortoiseshell, also known as TA456 or Imperial Kitten, a hacking group historically linked to Iranian cyber operations.
“Previous Tortoiseshell attacks have been observed using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appeared to be supply chain attacks with the end goal of compromising the IT providers’ customers,” ClearSky said.
According to the company’s advisory, the threat actor has been active since at least July 2018.
To trick unsuspecting visitors, the attackers impersonated the legitimate JavaScript library jQuery by using domain names that closely resemble the real ones, so that an injected script tag loading the malicious payload looks like an ordinary jQuery include.
ClearSky said the technique was previously used in a 2017 Iranian campaign. The attackers also used open-source penetration testing tools, incorporating code from the Metasploit framework alongside unique strings.
ClearSky said it identified eight infected websites compromised using a similar JavaScript technique.
While most of the websites have been cleared of the malicious code, ClearSky said further investigation is ongoing to ensure the complete eradication of the threat.
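Site owners checking whether their own pages carry an injected include of this kind can start by listing every external script source and flagging hosts that use the jQuery name without belonging to a known jQuery CDN. The script below is an added example written for this article, not ClearSky's tooling or any indicator from the campaign; the allowlist, the lookalike heuristic (hostname contains "jquery" but is not on, or under, an approved host), and the sample HTML with its `.example` domains are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts that legitimately serve jQuery. Assumption for this example: an
# operator would replace this with the CDNs their own site is approved to use.
JQUERY_ALLOWLIST = {"code.jquery.com", "ajax.googleapis.com", "cdnjs.cloudflare.com"}


class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        for name, value in attrs:
            if name == "src" and value:
                self.srcs.append(value.strip())


def extract_script_srcs(html):
    parser = ScriptSrcParser()
    parser.feed(html)
    return parser.srcs


def script_host(src):
    # urlsplit handles absolute and protocol-relative ("//host/path") URLs;
    # a same-origin path such as "/js/jquery.min.js" has no hostname.
    return (urlsplit(src).hostname or "").lower()


def is_jquery_lookalike(host, allowlist=JQUERY_ALLOWLIST):
    """True if the host trades on the jQuery name but is not an approved host.

    "code.jquery.com.example" is caught because it is neither equal to nor a
    subdomain of an allowlisted host; "cdn.code.jquery.com" is accepted.
    """
    if not host or "jquery" not in host:
        return False
    for good in allowlist:
        if host == good or host.endswith("." + good):
            return False
    return True


def find_lookalike_scripts(html, allowlist=JQUERY_ALLOWLIST):
    """Return (host, src) pairs for every external script on a lookalike host."""
    hits = []
    for src in extract_script_srcs(html):
        host = script_host(src)
        if is_jquery_lookalike(host, allowlist):
            hits.append((host, src))
    return hits


# Constructed sample page: one genuine include, one first-party copy, and two
# lookalike hosts (reserved .example names, not real campaign infrastructure).
SAMPLE_HTML = """<html><head>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script src="//jquery-cdn.example/jquery.min.js"></script>
<script src="/static/js/jquery.min.js"></script>
<script src="https://code.jquery.com.example/jquery.min.js"></script>
</head><body></body></html>"""


if __name__ == "__main__":
    for host, src in find_lookalike_scripts(SAMPLE_HTML):
        print(f"lookalike jQuery host {host}: {src}")
```

The heuristic deliberately says nothing about scripts served from the site's own origin; an attacker who already controls the server can drop a file there under any name, so this check only covers the off-site impersonation the advisory describes and should be paired with an integrity review of first-party JavaScript.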
The attack described by ClearSky comes weeks after a new Android surveillance tool was attributed to the Law Enforcement Command of the Islamic Republic of Iran (FARAJA).
Some parts of this article are sourced from:
www.infosecurity-magazine.com