Black Lotus Labs® releases threat intelligence report showing newly discovered watering hole attack that targeted Ukrainian, Canadian organizations
Lumen Technologies' Black Lotus Labs has identified a series of watering hole attacks targeting Ukrainian and Canadian websites, dating back to 2019-2020. Visitors to compromised sites could unknowingly have their Windows authentication credentials stolen. This type of attack involves injecting malicious JavaScript that prompts victims' devices to submit sensitive data to an external server. In response, Black Lotus Labs has notified the affected website owners to mitigate risks. The findings are linked to similar tactics used in a notable incident involving the San Francisco International Airport's website in April 2020.
- Lumen's Black Lotus Labs proactively identified a significant cybersecurity threat, enhancing its reputation as a security provider.
- The company has taken responsibility by notifying affected website owners, demonstrating a commitment to cybersecurity.
- The discovery of these watering hole attacks highlights vulnerabilities in websites that could lead to data breaches.
- The ongoing threat of similar attacks may instill concern among current and potential customers about the security of their online activities.
DENVER, April 5, 2021 /PRNewswire/ -- Black Lotus Labs, the threat intelligence arm of Lumen Technologies (NYSE: LUMN), today announced it has uncovered a cluster of compromised websites previously used in a series of watering hole attacks. Any visitors who browsed to one of the sites would unknowingly be infected and vulnerable to the threat actor stealing a copy of their Windows authentication credentials, which could be used to impersonate them. The activity, which was only recently discovered, was identified on several Ukrainian websites and one Canadian website in 2019 and 2020.
Watering hole attacks target websites by injecting a malicious function into the site's code, which the victims' machine then executes. These types of attacks have been used for years, including in a high-profile compromise that was detected on the San Francisco International Airport's (SFO) website in April 2020.
In its analysis of the attacks in Ukraine and Canada, Black Lotus Labs observed malicious activity that appeared to exhibit the same tradecraft as the San Francisco airport attack. As a result, the team has clustered the activity to the same actor.
To disrupt the attacks in Ukraine and Canada, Black Lotus Labs notified the owners of the compromised websites of these findings.
How the Attacks Were Executed
In the case of the Ukrainian, Canadian, and San Francisco airport websites, malicious JavaScript prompted the victims' devices to send their New Technology LAN Manager (NTLM) hashes to an actor-controlled server using Server Message Block (SMB), a communications protocol that enables shared access to system resources such as printers and files. Once the threat actor obtains the hashes, they can in some cases be cracked offline to reveal usernames and passwords.
"Our mission is to leverage our network visibility to help protect our customers and keep the internet clean, so we will continue to monitor this actor and this type of watering hole activity," said Mike Benjamin, head of Black Lotus Labs. "To protect against this type of attack, organizations should configure their firewalls to prevent outbound SMB-based communications from leaving the network, or consider turning off or limiting SMB in the corporate environment."
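As an added illustration (not part of the Lumen release or the Black Lotus Labs report), the following Python script implements the monitoring side of the mitigation quoted above: it scans connection-log lines for internal hosts opening SMB sessions (TCP 445 or 139) to destinations outside the configured internal ranges, which is the traffic an outbound-SMB firewall rule would block and the traffic a compromised visitor's machine produces in this kind of attack. The log format, the sample lines and the internal address ranges are assumptions.

```python
import ipaddress
from typing import Dict, List

# Constructed sample connection-log lines (assumed format, not from the Lumen report):
# "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
2021-04-05T10:01:12Z 10.20.5.17 10.20.0.4 445 tcp
2021-04-05T10:01:15Z 10.20.5.17 198.51.100.23 445 tcp
2021-04-05T10:02:03Z 10.20.5.18 203.0.113.9 443 tcp
2021-04-05T10:02:40Z 10.20.5.19 203.0.113.77 139 tcp
2021-04-05T10:03:01Z 10.20.5.20 192.168.1.50 445 tcp
malformed line that should be skipped
"""

# SMB over TCP (445) and the NetBIOS session service (139) that older SMB rides on
SMB_PORTS = {445, 139}

# Internal ranges (RFC 1918); adjust to the organization's own address plan
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_outbound_smb(log_text: str) -> List[Dict[str, str]]:
    """Return connections an outbound-SMB block should have stopped:
    an internal host speaking SMB to a destination outside the internal ranges."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue  # skip malformed lines rather than crash on them
        ts, src, dst, port, proto = parts
        if proto != "tcp" or int(port) not in SMB_PORTS:
            continue
        try:
            if is_internal(src) and not is_internal(dst):
                hits.append({"time": ts, "src": src, "dst": dst, "port": port})
        except ValueError:
            continue  # unparsable address field
    return hits


if __name__ == "__main__":
    for h in find_outbound_smb(SAMPLE_LOG):
        print(f"{h['time']} {h['src']} -> {h['dst']}:{h['port']} "
              "outbound SMB: review host for leaked NTLM credentials")
```

Each flagged source host is a candidate for credential reset and further review, since an outbound SMB session to an external address is the channel through which the NTLM hash leaves the network.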
Additional Information:
- For more details and an in-depth analysis of this latest discovery, read the full Black Lotus Labs Watering Hole Blog.
- Any organization that is interested in collaborating with Black Lotus Labs should reach out via Twitter @BlackLotusLabs.
About Lumen Technologies:
Lumen is guided by our belief that humanity is at its best when technology advances the way we live and work. With approximately 450,000 route fiber miles and serving customers in more than 60 countries, we deliver the fastest, most secure platform for applications and data to help businesses, government and communities deliver amazing experiences. Learn more about the Lumen network, edge cloud, security, communication and collaboration solutions and our purpose to further human progress through technology at news.lumen.com/home, LinkedIn: /lumentechnologies, Twitter: @lumentechco, Facebook: /lumentechnologies, Instagram: @lumentechnologies and YouTube: /lumentechnologies. Lumen and Lumen Technologies are registered trademarks of Lumen Technologies LLC in the United States. Lumen Technologies LLC is a wholly owned affiliate of Lumen Technologies Inc.
View original content to download multimedia: http://www.prnewswire.com/news-releases/black-lotus-labs-releases-threat-intelligence-report-showing-newly-discovered-watering-hole-attack-that-targeted-ukrainian-canadian-organizations-301261341.html
SOURCE Lumen Black Lotus Labs; Lumen Technologies