Trend Micro recently spotted a professionally orchestrated watering hole attack which abused popular legitimate services (including Slack, File.io and Github) to manage the theft of data from computers that had been successfully compromised.  

Notably, the attack simply stopped if the malware downloaded from the watering hole detected anti-virus programs running on the target machine.  

However, if no AV was found, the attack proceeded to compromise the device and install a backdoor. Through this, the attackers could remove any data they deemed worthy of theft. Successfully exfiltrated data included files from Skype, word processing and bulletin board tools.  

The attackers used Github to store their commands. File.io was used to upload stolen data, and links to the stolen files were then posted to a private Slack channel.  

This process allowed attackers to remain untraceable: no command and control servers, no traceable email addresses.   

Trend Micro alerted Slack, following which they cut off the attackers from their data supply, ending the attack. But the lesson should be obvious: If AV was detected, the attack was aborted. This blog post on AV will give you some food for thought. NCSC has also published more general malware mitigation advice.  

And finally, if you’re an administrator, you should think about keeping your admin device especially well protected. 

When vulnerabilities work together

Google has announced two ‘zero-day’ vulnerabilities on their security blog. The first affects their own Chrome browser, the second Microsoft Windows 7 32-bit systems.   

The two vulnerabilities were reportedly being used together. The Chrome vulnerability allowed attackers to move their exploit code out of the browser and onto Windows itself. The Windows vulnerability then allowed the escalation of privileges on Windows devices.  

Google has released a patch for the Chrome vulnerability through their automatic update channel.   

Microsoft are working on a patch for the Windows vulnerability. Reporting suggests that this vulnerability may only affect Windows 7 32-bit machines.