Focused Attack via Cookies

Wednesday, November 18, 2015 @ 11:11 AM gHale

Web analytics and tracking cookies help attackers discover potential targets and their weaknesses, a new report shows.

An attack campaign injects computer profiling and tracking scripts into over 100 websites visited by business executives, diplomats, government officials and academic researchers, said researchers at FireEye.


The compromised websites attract visitors involved in international business travel, diplomacy, energy production and policy, international economics and official government work, the researchers said. They include sites belonging to embassies, educational and research institutions, governments, visa services, energy companies, media organizations and non-profit organizations.

While no exploits or malicious code have been served through the injected scripts, the goal of the attackers appears to be the identification of unique users who can then be targeted with attacks tailored to their specific computer and software configurations. FireEye said this is the work of state-sponsored attackers.

When users visit one of the compromised websites, their browsers are silently redirected to one of several profiling servers. Scripts hosted on those servers collect information like the user’s IP address, their browser type and version, the language setting, the referring website, the version of Microsoft Office and browser plug-ins like Java and Flash Player.

The scripts also install supercookies or evercookies inside users’ browsers. These cookies are hard to delete and track users across multiple websites.
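For a site owner, the injected scripts described above show up as page markup that makes visitors' browsers contact a server the owner never approved. The following is an added example, not code from FireEye's report: a static audit of a page's `src` references against an allowlist, where the sample page, the host names and the allowlist are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose src attribute makes the browser fetch from another server.
LOADING_TAGS = {"script", "iframe", "img"}

class ExternalLoadAuditor(HTMLParser):
    """Collect hosts a page makes the browser contact via src attributes."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.loads = []  # (tag, host) pairs in document order

    def handle_starttag(self, tag, attrs):
        if tag not in LOADING_TAGS:
            return
        src = dict(attrs).get("src")
        if not src:
            return
        # Resolve relative and protocol-relative (//host/path) references.
        host = urlparse(urljoin(self.page_url, src)).hostname
        if host:
            self.loads.append((tag, host.lower()))

def unexpected_hosts(html, page_url, allowed_hosts):
    """Return sorted hosts loaded by the page that are not on the allowlist."""
    auditor = ExternalLoadAuditor(page_url)
    auditor.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    return sorted({host for _, host in auditor.loads if host not in allowed})

# Constructed sample page: one first-party script, one approved CDN script,
# and one script tag pointing at a host the site owner never approved.
SAMPLE_PAGE = """
<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.net/lib.min.js"></script>
<script src="//profiler.example.org/t.js"></script>
</head><body><img src="logo.png"></body></html>
"""
ALLOWED = {"www.example.com", "cdn.example.net"}

if __name__ == "__main__":
    for host in unexpected_hosts(SAMPLE_PAGE, "https://www.example.com/", ALLOWED):
        print("unapproved external load:", host)
```

This only inspects markup as served; references that a script builds at run time are outside what a static check can see.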

“We believe that the computer profiling data gathered …, combined with the evercookie that persistently identifies a unique user, can — when combined with basic browser data available from HTTP logs — be used by cyber threat actors to identify users of interest, and narrowly target those individuals with exploits specifically tailored to vulnerabilities in their computer system,” FireEye researchers said in a report.

The company has not detected any follow-up exploitation attempts against its customers so far, but this could be because the attackers use a highly targeted approach to victim selection.

The subsequent exploits could be embedded in malicious documents attached to spear-phishing emails and not necessarily served through a browser. The gathered information could also assist in traditional spying operations.

Some of the compromised websites suggest the attackers may have a particular interest in individuals associated with a major Russian energy company, Russian cultural organizations, Russian embassies, Ukraine’s security services and border guards and a media organization in the Republic of Georgia, FireEye researchers said.