News Website Targeted In Watering Hole Attack

FortiGuard Labs discovered a backdoor malware campaign targeting Chinese-speaking users through a Chinese-language news website hosted in the US. In this watering hole attack, the actors exploited vulnerabilities in the website itself to inject links that lead visitors to malicious download files; opening those files triggers two known, already-patched vulnerabilities: CVE-2018-20250, a path traversal in WinRAR's ACE archive handling (UNACEV2.dll) that lets a crafted archive write a file into the Windows Startup folder so it executes at the next logon, and CVE-2017-11882, a memory corruption flaw in the Microsoft Office Equation Editor that is triggered by a crafted RTF document. The backdoor delivered this way, which the researchers link to the "Sality" malware, is able to harvest system data, capture screenshots, create file lists, launch reverse shells, download files, and steal clipboard text. Because both vulnerabilities were fixed well before this campaign (WinRAR 5.70 dropped UNACEV2.dll; Microsoft patched and later removed the Equation Editor), hosts running current versions of WinRAR and Office are not exposed to these exploit chains. The NJCCIC recommends users and administrators review the Fortinet article and the ZDNet article, use the indicators of compromise (IoCs) provided to harden their network, and keep anti-virus/anti-malware, hardware, and software updated.
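The script below is an added triage example for the two lure file types described above; it is not part of the NJCCIC alert, the Fortinet report, or any tool they reference. The sample bytes are constructed stand-ins, not real malware, and the indicators it checks (the Equation Editor OLE CLSID, the `**ACE**` archive signature at offset 7, and traversal or Startup-folder strings in archive entry names) are public format and heuristic facts, not the campaign's IoCs, which are only in the linked articles.

```python
"""Heuristic triage for CVE-2017-11882 RTF lures and CVE-2018-20250 ACE lures.

Added example (not from the alert or the Fortinet report). Detection is
string-based and intended for quick triage of attachments or downloads, not
as a replacement for anti-malware scanning.
"""
import re

# Equation Editor CLSID {0002CE02-0000-0000-C000-000000000046} as it appears
# in an RTF \objdata hex stream (Data1..Data3 little-endian, Data4 as-is).
EQUATION_CLSID_HEX = b"02ce020000000000c000000000000046"
ACE_MAGIC = b"**ACE**"          # ACE main header signature, file offset 7
TRAVERSAL_RE = re.compile(rb"\.\.[\\/]")
STARTUP_RE = re.compile(rb"start\s*menu[\\/]programs[\\/]startup", re.IGNORECASE)


def rtf_equation_indicators(data: bytes) -> list:
    """Return indicators of an embedded Equation Editor object in an RTF file."""
    if not data.lstrip().startswith(b"{\\rtf"):
        return []
    # RTF hex data may be broken across lines; fold case and drop whitespace.
    folded = re.sub(rb"\s+", b"", data.lower())
    hits = []
    if b"equation.3" in folded:
        hits.append("objclass Equation.3 (Equation Editor OLE object)")
    if EQUATION_CLSID_HEX in folded:
        hits.append("Equation Editor CLSID in objdata")
    return hits


def ace_traversal_indicators(data: bytes) -> list:
    """Return indicators of an ACE archive with path-traversal entry names.

    Checks the magic, not the extension: CVE-2018-20250 lures were ACE
    archives renamed to .rar so WinRAR would route them to UNACEV2.dll.
    """
    if data[7:14] != ACE_MAGIC:
        return []
    hits = []
    if TRAVERSAL_RE.search(data):
        hits.append("path traversal sequence in ACE entry name")
    if STARTUP_RE.search(data):
        hits.append("Startup folder path in ACE entry name")
    return hits


def triage(data: bytes) -> dict:
    """Combine both checks into a verdict for one file's bytes."""
    hits = rtf_equation_indicators(data) + ace_traversal_indicators(data)
    return {"suspicious": bool(hits), "indicators": hits}


# Constructed samples (hypothetical, non-functional stand-ins for lure files).
RTF_LURE = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 0105000002000000\n02CE020000000000C000000000000046\n}}}"
)
ACE_LURE = (
    b"\x00" * 7 + ACE_MAGIC + b"\x00" * 16
    + b"C:\\C:C:../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/x.exe"
)
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly report text.}"
BENIGN_RAR = b"Rar!\x1a\x07\x00" + b"\x00" * 20 + b"report.pdf"

if __name__ == "__main__":
    for label, sample in [("rtf lure", RTF_LURE), ("ace lure", ACE_LURE),
                          ("benign rtf", BENIGN_RTF), ("benign rar", BENIGN_RAR)]:
        print(label, triage(sample))
```

Run it against a directory of downloads or mail attachments by reading each file's bytes into `triage()`; a hit on either check is grounds to quarantine the file and confirm that WinRAR and Office on the receiving host are patched for the two CVEs.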
