A cyber espionage campaign targeting Kurdish websites has been uncovered [2], with 25 compromised sites affected by a watering hole attack known as SilentSelfie.
Description
The attack, ongoing for over a year and a half [1], was first detected in December 2022 [1]. The compromised websites include Kurdish press and media [1], the Rojava administration [1] [2], and revolutionary far-left political parties in Türkiye and Kurdish regions [1]. The attackers remain unidentified [1], but the attack is notable for its duration and the number of Kurdish websites affected [1].

The attack delivers several variants of an information-stealing framework [1], ranging from collecting the user's location to capturing images from the selfie camera and luring users into installing a malicious Android APK [1]. The attack is characterized by the deployment of malicious JavaScript that gathers information from site visitors [1], including their location [1], device data [1], and public IP address [1]. The reconnaissance script found on some websites redirects users to rogue Android APK files and tracks visitors via a cookie named "sessionIdVal".

The malicious APK [1], embedded in the website as a WebView [1], collects system information [1], contact lists [1], location [1] [2], and files from external storage [1]. Additionally, a malicious Android app disguised as a news app was discovered [2], capable of exfiltrating user data [2].

The campaign's low level of sophistication suggests it may be the work of a previously unknown threat actor with limited capabilities that is relatively new to the field [1].
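The reconnaissance behaviours described above (a "sessionIdVal" tracking cookie, geolocation and selfie-camera access, device fingerprinting, and a redirect to an Android APK) can be turned into a simple page-scanning heuristic that a site owner can run over their own pages to check for this kind of tampering. The following is an added example, not code from the reporting this page cites; the regex patterns and the sample page are constructed assumptions based on the behaviours described, not published signatures.

```python
import re
from html.parser import HTMLParser

# Indicator name -> regex over inline script text. These patterns are assumptions
# derived from the behaviours described in the reporting, not published signatures.
INDICATORS = {
    "tracking_cookie_sessionIdVal": re.compile(r"sessionIdVal", re.I),
    "geolocation_access": re.compile(r"navigator\.geolocation\.(getCurrentPosition|watchPosition)"),
    "camera_capture": re.compile(r"getUserMedia\s*\(|facingMode"),
    "apk_redirect": re.compile(r"(location\.(href|replace|assign)|window\.open)\s*[=(]\s*['\"][^'\"]*\.apk\b", re.I),
    "device_fingerprint": re.compile(r"navigator\.(userAgent|platform|language)|screen\.(width|height)"),
}

class _ScriptCollector(HTMLParser):
    # Collects inline <script> bodies and the src of external scripts for review.
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.inline = []
        self.external = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self.in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.inline.append(data)

def scan_page(html):
    """Return matched indicator names (sorted) and external script URLs for one page."""
    p = _ScriptCollector()
    p.feed(html)
    body = "\n".join(p.inline)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(body))
    return {"indicators": hits, "external_scripts": p.external}

# Constructed sample page mimicking the described behaviours (not a real capture).
SAMPLE_PAGE = """<html><body><h1>News</h1>
<script src="/static/jquery.min.js"></script>
<script>
document.cookie = "sessionIdVal=" + Math.random().toString(36).slice(2) + "; path=/";
navigator.geolocation.getCurrentPosition(function(p){ send(p.coords); });
navigator.mediaDevices.getUserMedia({video: {facingMode: "user"}}).then(grab);
if (/Android/i.test(navigator.userAgent)) { location.href = "/update/news.apk"; }
</script></body></html>"""
```

External script URLs are listed rather than fetched, so any unexpected src values should be reviewed by hand; the heuristic only covers inline code.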
Conclusion
This cyber espionage campaign targeting Kurdish websites has significant implications for cybersecurity and privacy. It is crucial for organizations to enhance their security measures to prevent such attacks in the future. Additionally, users should exercise caution when visiting websites and downloading apps to protect their personal information from being compromised.
References
[1] https://thehackernews.com/2024/09/watering-hole-attack-on-kurdish-sites.html
[2] https://blog.netmanageit.com/silentselfie-revealing-a-major-campaign-against-kurdish-websites/