Housing associations and the construction sector.
Severity level: High – Compromise may result in the loss of confidentiality and integrity of data in the first instance.
Over the past week, Threat Intelligence (TI) has tracked increased malicious activity targeting the housing association and construction sectors. The criminal methodology behind these attacks is compromise via a 'watering hole' site or via search engine optimisation (SEO) poisoning.
In most instances a watering hole attack relies on reconnaissance of the victim rather than a direct lure: the attacker tracks the target's online activity to identify the sites it visits most frequently, compromises one of those sites via a known exploit or a zero-day, and then waits for the target to visit the site of its own accord. The victim is therefore compromised through a third party it trusts.
During an ongoing investigation, TI discovered a watering hole instance directly targeting organisations in these sectors.
In this attack, two families of malware were uncovered: the Cobalt Strike post-exploitation framework and the Gootkit PowerShell-based malware.
Compromised websites that serve as the initial access point for watering hole attacks are difficult to detect, because the sites themselves are legitimate and fall outside regular security monitoring. Detection is therefore typically achieved on the endpoint, only once initial exploitation has occurred.
Both Cobalt Strike and Gootkit pose a significant threat to customer systems and networks, as a successful attack may result in the loss of confidentiality and integrity of data in the first instance.
Both should be detected and raised as high-severity alerts by an up-to-date endpoint detection and response (EDR) solution such as Microsoft Defender.
Containment, Mitigations & Remediations
Customers are strongly advised to restrict the ability to execute PowerShell commands to those users who require it, and to remove or deny that access for all other users.
Customers are also advised to run an up-to-date EDR solution such as Microsoft Defender to detect and stop compromise attempts.
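As an added example (not code from the original advisory), the following script audits and then applies the PowerShell restrictions recommended above on a single Windows endpoint. It assumes Windows 10/Server 2016 or later with Windows PowerShell 5.1 and an elevated session; the principal names 'Everyone' and 'Domain Users' are placeholders for the groups that should and should not have PowerShell. In production the same settings are pushed by Group Policy rather than run by hand.

```powershell
# Added example (not from the original advisory): audit, then enforce, the
# PowerShell restrictions recommended above on a single Windows endpoint.
# Assumes Windows 10/Server 2016 or later with Windows PowerShell 5.1, run from
# an elevated session. Principal names below are placeholders.

$ScriptBlockKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$ModuleLogKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
$PowerShellExe  = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"

function Get-PowerShellHardeningState {
    # Snapshot of the settings touched below, so the weak (default) state can
    # be compared with the state after Set-PowerShellHardening has run.
    [pscustomobject]@{
        ScriptBlockLogging = (Get-ItemProperty -Path $ScriptBlockKey -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
        ModuleLogging      = (Get-ItemProperty -Path $ModuleLogKey -ErrorAction SilentlyContinue).EnableModuleLogging -eq 1
        LockDownPolicy     = [Environment]::GetEnvironmentVariable('__PSLockDownPolicy', 'Machine')
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode
        PowerShellV2       = (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue).State
    }
}

function Test-PowerShellAllowedFor {
    # Which principals may launch powershell.exe under the effective AppLocker
    # policy. Substitute the real groups that should and should not have it.
    param([string[]]$Principal = @('Everyone'))
    $policy = Get-AppLockerPolicy -Effective
    foreach ($p in $Principal) {
        Test-AppLockerPolicy -PolicyObject $policy -Path $PowerShellExe -User $p |
            Select-Object @{n = 'Principal'; e = { $p }}, PolicyDecision, MatchingRule
    }
}

function Set-PowerShellHardening {
    # 1. Script block logging: script blocks, including decoded -EncodedCommand
    #    payloads and text fed to Invoke-Expression, are written to event 4104
    #    in Microsoft-Windows-PowerShell/Operational, where EDR/SIEM can see them.
    New-Item -Path $ScriptBlockKey -Force | Out-Null
    Set-ItemProperty -Path $ScriptBlockKey -Name EnableScriptBlockLogging -Type DWord -Value 1

    # 2. Module logging for every module (event 4103).
    New-Item -Path "$ModuleLogKey\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path $ModuleLogKey -Name EnableModuleLogging -Type DWord -Value 1
    New-ItemProperty -Path "$ModuleLogKey\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

    # 3. Constrained Language Mode for new sessions on this host. Caveat: this
    #    variable is not a security boundary (a local administrator can clear
    #    it). The control the advisory asks for is an AppLocker or WDAC policy
    #    in enforce mode: an Exe rule denying powershell.exe to the groups that
    #    do not need it, plus Script rules, which also put PowerShell into CLM
    #    for any script the policy does not allow.
    [Environment]::SetEnvironmentVariable('__PSLockDownPolicy', '4', 'Machine')

    # 4. Remove the PowerShell 2.0 engine, which honours neither the logging
    #    settings nor CLM ("powershell.exe -Version 2" downgrade).
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
}

Get-PowerShellHardeningState                              # weak / default state
Set-PowerShellHardening
Get-PowerShellHardeningState                              # corrected state (LanguageMode changes in new sessions)
Test-PowerShellAllowedFor -Principal 'Everyone', 'Domain Users'
```

The audit function is worth running before and after: on a default build it reports both logging settings as False and LanguageMode as FullLanguage, which is the weak configuration Gootkit-style loaders depend on. The AppLocker check is what actually answers "who can run PowerShell" on the host; the environment variable only makes an allowed session less capable.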
Indicators of Compromise
During the initial investigation of a watering hole compromise, multiple IOCs were exposed, including malicious IP addresses, domains and shell scripts.
146.70.53[.]165: three active ports (22, 80 and 443). Cobalt Strike was detected on port 443.
Based on multiple correlating OSINT reports by RedPacket Security and C2IntelFeedBot, and an investigation conducted by the Quorum Cyber Incident Response (IR) and TI teams, it is almost certain that 146.70.53[.]165 is directly associated with Cobalt Strike.
Cobalt Strike hashes:
Investigation of the associated PowerShell scripts links Gootkit to the following domains:
Domain 1: www[.]tavernelentrepot[.]be
Domain 2: www[.]termowood[.]net
Domain 3: www[.]textfabrik[.]de
Investigations have connected all three domains listed above to Gootkit malware activity. Combined with OSINT reporting, this suggests that these domains are highly likely affiliated with the Gootkit compromise on the victim system.
Additional Gootkit C2 domains:
Watering hole attacks against the housing association and construction sectors are unlikely to diminish over the remainder of 2022 and will likely remain a mainstay tactic of cybercriminals targeting these sectors throughout 2023. It is a realistic possibility that the tactic has grown in popularity because businesses across the private sector have significantly improved phishing awareness among their employees, making phishing less effective; attackers are likely moving to watering hole tactics so that the initial lure is not noticed by the user. These attacks are likely the work of financially motivated criminal organisations.
No specific threat groups have been connected to the recent threat activity.
Cobalt Strike TTPs
- T1591.002 – Gather Victim Org Information: Business Relationships
- T1189 – Drive-by Compromise
- T1546.013 – Event Triggered Execution: PowerShell Profile
- T1059.001 – Command and Scripting Interpreter: PowerShell
During the TI investigation of a Microsoft Defender alert for Gootkit, it was noted that the adversary had likely spoofed the script's content to imitate a legitimate Microsoft program. This suggests that the adversary is sophisticated and well versed in PowerShell manipulation.
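The following endpoint hunt is an added example, not code from the original advisory. It ties together the IOC section (the Cobalt Strike IP and the three Gootkit domains), the T1546.013 PowerShell Profile and T1059.001 TTPs, and the note above about script content spoofed to look like Microsoft's: it refangs the listed indicators, checks every PowerShell profile location for loader tradecraft or indicator references, and looks for the indicators in the DNS client cache, the live TCP table and exported log text. It assumes Windows 10/Server 2016 or later with Windows PowerShell 5.1 run as an administrator; the three log lines at the end are constructed samples so the block runs self-contained, and the regex patterns are a crude triage heuristic, not a signature.

```powershell
# Added example (not from the original advisory): endpoint hunt for the IOCs
# and the PowerShell-profile persistence (T1546.013) described above.
# Assumes Windows 10/Server 2016+ and Windows PowerShell 5.1, run as administrator.
# IOC values are the ones listed in this advisory; $SampleLog is constructed.

$Iocs = @{
    Ip      = @('146.70.53[.]165')
    Domains = @('www[.]tavernelentrepot[.]be', 'www[.]termowood[.]net', 'www[.]textfabrik[.]de')
}

function ConvertFrom-Defanged {
    # Turn a defanged indicator ('146.70.53[.]165', 'hxxp://...') into matchable form.
    param([Parameter(ValueFromPipeline)][string]$Indicator)
    process { $Indicator -replace '\[\.\]', '.' -replace '^hxxp', 'http' }
}

function Test-SuspiciousPowerShell {
    # Crude static triage of script text: common loader tradecraft plus the
    # advisory's indicators. Returns the matched reasons (empty means clean).
    param([string]$Text)
    $reasons  = @()
    $patterns = @{
        'encoded command'     = '-[Ee]nc(odedCommand)?\b|FromBase64String'
        'in-memory execution' = '\bIEX\b|Invoke-Expression'
        'download cradle'     = 'DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient'
        'reflective load'     = '\[Reflection\.Assembly\]::Load|VirtualAlloc'
    }
    foreach ($k in $patterns.Keys) { if ($Text -match $patterns[$k]) { $reasons += $k } }
    foreach ($n in (($Iocs.Domains + $Iocs.Ip) | ConvertFrom-Defanged)) {
        if ($Text.IndexOf($n, [StringComparison]::OrdinalIgnoreCase) -ge 0) { $reasons += "IOC $n" }
    }
    # The advisory notes content spoofed to look like Microsoft's: a Microsoft
    # copyright line next to loader tradecraft raises, not lowers, suspicion.
    if ($reasons.Count -gt 0 -and $Text -match 'Copyright \(c\) Microsoft') { $reasons += 'claims Microsoft origin' }
    , $reasons
}

function Get-PowerShellProfileFindings {
    # T1546.013: every profile script PowerShell loads at start-up. A profile
    # on a host where nobody deliberately created one is a finding by itself.
    $paths = @($PROFILE.AllUsersAllHosts, $PROFILE.AllUsersCurrentHost,
               $PROFILE.CurrentUserAllHosts, $PROFILE.CurrentUserCurrentHost)
    # $PROFILE only covers the current account; add other local users' profiles.
    $paths += @(Get-ChildItem -Path 'C:\Users\*\Documents\WindowsPowerShell\*profile.ps1' -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty FullName)
    foreach ($p in ($paths | Sort-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $content = Get-Content -LiteralPath $p -Raw
        [pscustomobject]@{
            Path       = $p
            Sha256     = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            Suspicious = Test-SuspiciousPowerShell -Text $content
        }
    }
}

function Find-IocsInText {
    # Match refanged IOCs against arbitrary text lines (proxy, DNS or firewall
    # exports). Returns one object per hit.
    param([string[]]$Lines)
    $needles = ($Iocs.Ip + $Iocs.Domains) | ConvertFrom-Defanged
    foreach ($line in $Lines) {
        foreach ($n in $needles) {
            if ($line.IndexOf($n, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{ Indicator = $n; Line = $line }
            }
        }
    }
}

function Get-IocNetworkHits {
    # Point-in-time checks on this host: resolver cache and current TCP table.
    $ip      = $Iocs.Ip | ConvertFrom-Defanged
    $domains = $Iocs.Domains | ConvertFrom-Defanged
    Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $domains -contains $_.Entry }
    Get-NetTCPConnection -RemoteAddress $ip -ErrorAction SilentlyContinue
}

# Constructed sample log lines (not from the advisory) to exercise Find-IocsInText.
$SampleLog = @(
    '2022-11-02T09:14:03Z CONNECT www.termowood.net:443 user=jsmith status=200',
    '2022-11-02T09:14:04Z GET https://www.example.org/ user=jsmith status=200',
    '2022-11-02T09:16:51Z TCP 10.0.4.22:51822 -> 146.70.53.165:443 SYN'
)
Find-IocsInText -Lines $SampleLog | Format-Table -AutoSize   # two hits expected
Get-PowerShellProfileFindings | Format-List
Get-IocNetworkHits
```

To run it over real data, replace $SampleLog with Get-Content on an exported proxy or firewall log. The DNS cache and TCP table checks are a snapshot of the moment the script runs, so a beacon that last connected an hour ago will only show in logs, not here; the profile check is the durable one, because a planted profile survives reboots and executes in every new PowerShell session regardless of what the user typed.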