Lumen’s Black Lotus Labs flags ‘watering hole’ cyber threat

Lumen Technologies runs a cool organization called Black Lotus Labs that focuses on identifying malware and cybersecurity threats. Its mission is to leverage Lumen’s visibility into its own global network to help “keep the internet clean,” according to the Black Lotus website. Lumen’s networks comprise about 450,000 route-miles of fiber and serve customers in more than 60 countries.

Today, Black Lotus Labs flagged a threat type called “watering hole attacks.” These attacks target websites by injecting a malicious function into a site's code, which the victim's machine then executes. These types of attacks have been used for years, including in a high-profile compromise that was detected on the San Francisco International Airport's website in April 2020.


The activity flagged today, which was only recently discovered, was identified on several Ukrainian websites and one Canadian website. Any visitors who browsed to one of the sites would unknowingly be infected and vulnerable to the threat actor stealing a copy of their Windows authentication credentials, which could be used to impersonate them.

In its analysis of the attacks, Black Lotus Labs observed malicious activity that appeared to exhibit the same tradecraft as the San Francisco airport attack. As a result, the team has attributed the activity to the same actor.

To disrupt the attacks in Ukraine and Canada, Black Lotus Labs notified the owners of the compromised websites of its findings.

In the case of the Ukrainian, Canadian and San Francisco airport websites, malicious JavaScript prompted the victims' devices to send their New Technology LAN Manager (NTLM) hashes to an actor-controlled server using Server Message Block (SMB), a communications protocol that enables shared access to system resources such as printers and files. In this type of attack, once the threat actor obtains the hashes they can, in some cases, be cracked offline to reveal usernames and passwords.
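
The outbound SMB connections described above are visible at the network edge. The following added example (not from the article or Black Lotus Labs) scans firewall flow records for internal hosts opening SMB sessions to external addresses; the log format, field order and sample records are constructed assumptions.

```python
import ipaddress

# SMB over TCP (445) and the legacy NetBIOS session service (139).
SMB_PORTS = {445, 139}

# Address space treated as "inside" (assumption: RFC 1918 plus loopback/link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample flow records (hypothetical format, not from the article):
# timestamp src_ip dst_ip dst_port proto action
SAMPLE_FLOWS = """\
2020-04-01T10:00:01Z 10.1.2.15 10.1.0.20 445 tcp allow
2020-04-01T10:00:07Z 10.1.2.15 203.0.113.50 445 tcp allow
2020-04-01T10:00:09Z 10.1.2.33 198.51.100.7 443 tcp allow
2020-04-01T10:01:12Z 192.168.5.8 203.0.113.50 139 tcp deny
2020-04-01T10:02:30Z 10.1.2.40 172.16.9.9 445 tcp allow
malformed line
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a bad address
    return any(ip in net for net in INTERNAL_NETS)

def outbound_smb(flow_text):
    """Return flows where an internal host reached for SMB on an external address."""
    hits = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed records
        ts, src, dst, port, proto, action = parts
        try:
            if (proto == "tcp" and int(port) in SMB_PORTS
                    and is_internal(src) and not is_internal(dst)):
                hits.append({"time": ts, "src": src, "dst": dst,
                             "port": int(port), "allowed": action == "allow"})
        except ValueError:
            continue  # unparseable IP address or port
    return hits

if __name__ == "__main__":
    for h in outbound_smb(SAMPLE_FLOWS):
        status = "LEFT THE NETWORK" if h["allowed"] else "blocked at egress"
        print(f'{h["time"]} {h["src"]} -> {h["dst"]}:{h["port"]} {status}')
```

An allowed record means the SMB session crossed the perimeter and the host may have attempted NTLM authentication to the remote server; a denied record shows the egress rule working but still identifies a host that visited something worth investigating.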

"To protect against this type of attack, organizations should configure their firewalls to prevent outbound SMB-based communications from leaving the network or consider turning off or limiting SMB in the corporate environment," said Mike Benjamin, head of Black Lotus Labs, in a statement.