*This blog has been updated as of February 21, 2021 with relevant content.
A Watering Hole attack is a method in which the attacker seeks to compromise a specific group of end users, either by creating new sites that would attract them or by infecting existing websites that members of that group are known to visit. The technique has been adopted by criminals, APT groups and nation states alike, and we see its use rising. The goal is to swipe username and password combinations in the hope that the victim reuses them, or to infect a victim's computer and gain access to the network at the victim's place of employment. Many regard these attacks as an alternative to Spear Phishing, but they are quite different: Watering Hole attacks are still targeted attacks, but they cast a wider net and trap more victims than the attacker’s original objective requires.
What is a “Watering Hole” Attack?
Phishing is like giving random people poisoned candy and hoping they eat it, but a Watering Hole attack is like poisoning the village water supply and just waiting for them to drink from it.
The name is inspired by predators in the wild that prowl near watering holes, waiting for the opportunity to attack potential prey. In a Watering Hole attack, the “predator” (attacker) lurks on specific websites that are popular with its “prey” (targets), looking for opportunities to infect them with malware. In other words, rather than luring victims with a Spear Phishing email campaign, hackers infect vulnerable sites that share a common interest with their targets, and then redirect the victims to the attacker’s site or application, which hosts the malware.
The goal of these attacks is most often industrial or nation-state espionage: stealing critical data from another nation, industry or political enemy group. By setting up or infecting a site of interest to that group, the attacker hopes to obtain priceless industrial intellectual property and data using the credentials or compromised machine of the victim. Because attackers create new sites or compromise legitimate websites and applications that aren’t blacklisted, often using zero-day and obfuscated exploits for which no antivirus signatures exist, the attack success rate remains high. Woefully, the fact that many people reuse passwords increases this success rate further.
Although Watering Hole attacks are still not as common as other attacks, they pose a considerable threat because they are difficult to detect. These supply chain attacks typically target high-security organizations through their employees, business partners, connected vendors and even unsecured wireless networks at conventions. It is also imperative to understand that these sophisticated attacks don’t only reach victims’ laptops through websites; they often involve mobile apps for Android and iOS devices as well.
Who Has Been Affected by Watering Hole Attacks?
The victim set is diverse: we see watering hole attacks being used by everyone from the Chinese government against political dissidents, foreign APTs against US nuclear scientists and industrial espionage against US/UK defense contractors, through to attempts to steal COVID-19 research by targeting COVID-19 researchers. One of the more sophisticated watering hole attacks recently uncovered by Google’s Project Zero security team attracted users of a particular group to websites and to an Android application, and utilized four zero-days in the attack [1]. Another, tracked by Kaspersky Lab, was a much less sophisticated but still successful watering hole that combined a website, malicious Java and a phony Adobe Flash update pop-up to trick a particular group of people so they could be infiltrated [2].
How does a Watering Hole attack work?
- First, the attackers profile their targets by industry, job title, etc. This helps them determine the type of websites and targeted applications often visited and used by the employees or members of their targeted entity.
- The attacker then creates a new website or looks for vulnerabilities in these existing websites and applications to inject malicious code that redirects the targets to a separate site where the malware is hosted.
- The exploit drops the malware onto the system of the target.
- The attacker now uses the dropped malware to initiate its malicious activities. Knowing that most people still, sadly, reuse passwords, the attacker often also collects usernames and passwords to attempt credential stuffing attacks against targeted applications, enterprises and sites.
- Once the victim’s machines, or the targeted applications, enterprises and sites, are compromised, the attackers perform lateral movement within the victim’s network and ultimately exfiltrate data.
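The redirection step above leaves a trace in web proxy logs: a page on a site the user population frequents pulls active content (script, executable) from a host that is neither that site nor a vetted third party, and the same host then serves the dropper. The following Python, an added example that is not from the original post or from Cymulate, flags that pattern over a few constructed log lines; the watched-site and allowed-third-party inventories are assumptions a defender would maintain.

```python
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the original post).
# Fields: time user referer url content-type
SAMPLE_LOG = """\
09:01:12 alice https://portal.example-industry.org/news https://portal.example-industry.org/js/app.js application/javascript
09:01:13 alice https://portal.example-industry.org/news https://cdn.example-allowed.net/lib.js application/javascript
09:01:14 alice https://portal.example-industry.org/news https://update-flash.example-bad.test/p.js application/javascript
09:01:15 alice https://update-flash.example-bad.test/p.js https://update-flash.example-bad.test/setup.exe application/x-msdownload
09:05:40 bob - https://www.example-search.test/ text/html
"""

# Hypothetical inventories a defender would maintain (assumptions, not from the post).
WATCHED_SITES = {"portal.example-industry.org"}      # sites our user population frequents
ALLOWED_THIRD_PARTY = {"cdn.example-allowed.net"}     # vetted CDNs and partner domains
ACTIVE_TYPES = {"application/javascript", "text/javascript",
                "application/x-msdownload", "application/java-archive"}

def host(url):
    """Hostname of a URL, or '' for a missing referer ('-')."""
    return "" if url == "-" else (urlparse(url).hostname or "")

def find_suspicious(log_text):
    """Flag active content that a watched site pulls from an unvetted third-party host,
    and any executable that the same host then serves (the redirect-then-drop pattern)."""
    flagged, unvetted_hosts = [], set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, referer, url, ctype = line.split()
        ref_host, dst_host = host(referer), host(url)
        if ctype not in ACTIVE_TYPES:
            continue  # static HTML/images are not what the dropper chain delivers
        if ref_host in WATCHED_SITES and dst_host not in WATCHED_SITES | ALLOWED_THIRD_PARTY:
            unvetted_hosts.add(dst_host)
            flagged.append((ts, user, dst_host, "unvetted active content loaded via " + ref_host))
        elif dst_host in unvetted_hosts and ctype == "application/x-msdownload":
            flagged.append((ts, user, dst_host, "executable served by host first seen via watched site"))
    return flagged

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(*hit)
```

In production the inventories would come from proxy baselines and the allow list, and the first hit alone is worth an alert even before the executable download appears.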
What can I do to prevent these attacks?
- Continuously test your current security solutions and controls to verify that they provide adequate defense against application- and browser-based attacks. Ensure your security controls prevent criminal redirection, malware and rootkits from being successfully deployed. Make sure browser controls and endpoint software are adequately tuned and that web content and security proxy gateways are well configured. It is vital that organizations add further layers of advanced threat protection, such as behavioral analysis, which has a far greater likelihood of detecting zero-day threats.
- Update systems with the latest software and OS patches offered by vendors.
- All third-party traffic must be treated as untrusted until otherwise verified. It should not matter if content comes from a partner site or a popular Internet property such as a Google domain.
- Educate your end users on what watering hole attacks are by creating and distributing easy-to-understand corporate materials.
These attacks are sure to continue as attackers leverage legitimate resources as a catalyst for attacks, including influencing search engine results, posting on popular social networks and hosting malware on trusted file-sharing sites.
Download the Cymulate free trial to see your organization’s outbound exposure to malicious or compromised websites.