What is a Watering Hole Attacks and How to Prevent Them

By: Eyal Aharoni, February 21, 2021

*This blog has been updated as of February 21, 2021, with relevant content.

A Watering Hole attack is a method in which the attacker seeks to compromise a specific group of end-users either by creating new sites that would attract them or by infecting existing websites that members of that group are known to visit. The attacks have been adopted by criminals, APT groups, and nation-states alike, and we see the amounts rising. The goal is to swipe username, and password combinations hoping the victim reuses them, or infect a victim's computer and gain access to the network within the victim's place of employment. Many conclude that these attacks are an alternative to Spear Phishing but are quite different. Watering Hole attacks are still targeted attacks, but they cast a wider net and trap more victims than the attacker’s original objective.   

 

What is a “Watering Hole” Attack?

Phishing is like giving random people poisoned candy and hoping they eat it, but a Watering Hole attack is like poisoning the village water supply and just waiting for them to drink from it. 

To a lion, the watering hole is more than just a place to get hydrated – it’s the perfect place to ambush unsuspecting prey. For the energy-conserving predator, lying in wait for victims to gather is much easier than the usual tracking and attacking method.

To a hacker, the game plan is largely the same when conducting a cyberattack in this method – infect a website typically frequented by an individual of a specific group (be it a large enterprise, religious group, or organization) and wait.

When the “prey” logs on, the implemented malware can compromise the end-users computer and gain access to their network. Although, in comparison with the antelope, a cyberattack victim may not realize they’ve been taken down until much, much later.

As attackers create new sites or compromise legitimate websites and applications that aren’t blacklisted - often using zero-day and obfuscated exploits with no antivirus signatures, the attack success rate remains high.

While not the average modus operandi of a hacker, the water hole attack is particularly nefarious due to the fact that it’s difficult to detect and relies on social engineering - taking advantage of human error.

 

Who Has Been Affected by Watering Hole Attacks?

A diverse victim set, we see watering hole attacks being used by everyone from the Chinese government against political dissidents, foreign APTs against US nuclear scientists, industrial espionage against US/UK defense contractors through attempts to steal COVID-19 research by targeting COVID-19 researchers. One of the more sophisticated watering hole attacks recently was uncovered by Google security team Project Zero who uncovered a sophisticated watering hole that attracted users of a particular group to websites and through an android application and utilized four zero-days in their attack.1 Another one tracked by Kaperski Labs found a much less sophisticated but still successful watering hold that incorporated a website, malicious Java, and a phony Adobe Flash update pop-up to trick a particular group of people could be infiltrated2.  

 

How does a Watering Hole attack work?

  1. First, the attackers profile their targets by industry, job title, etc. This helps them determine the type of websites, and targeted applications often visited and used by the employees or members of their targeted entity. 
  2. The attacker then creates a new website or looks for vulnerabilities in these existing websites and applications to inject malicious code that redirects the targets to a separate site where the malware is hosted. 
  3. The exploit drops the malware onto the system of the target. 
  4. The attacker now uses the dropped malware to initiate its malicious activities.  Also, knowing that most people still sadly reuse passwords, the attacker often collects usernames and passwords to attempt credential-stuffing attacks against targeted applications, enterprises, and sites. 
  5. Once the victim’s machines or the applications, enterprises, and sites are compromised, the attackers will perform lateral movements within the victim’s network and ultimately exfiltrate data. 

What can I do to prevent these attacks?

  • Continuously test your current security solutions and controls to verify that they provide you with adequate defense against application and browser-based attacks. . Ensure your security controls prevent criminal redirection, malware, and rootkits from being successfully deployed.  Ensure that browser control and endpoint software are adequately tuned and that web content and security proxy gateways are well configured. Organizations must seek additional layers of advanced threat protection, such as behavioral analysis, which have a far greater likelihood of detecting zero-day threats. 
  • Update systems with the latest software and OS patches offered by vendors. 
  • All third-party traffic must be treated as untrusted until otherwise verified. It should not matter if content comes from a partner site or a popular Internet property such as a Google domain. 
  • Educate your end-users on what watering hole attacks are by creating easy-to-understand corporate materials you distribute. 

Conclusion

This attack is sure to continue as attackers leverage legitimate resources as a catalyst for attacks. This includes influencing search engine results, posting on popular social networks, and hosting malware on trusted file-sharing sites. 

Download Cymulate free trial to see your organization’s outbound exposure to malicious or compromised websites. 

Start a Free Trial

Eyal Aharoni
Eyal Aharoni

Eyal is the VP of Customer Success at Cymulate. During the last 15 years Eyal performed in a number of critical roles in the information and cyber security fields, providing services for global organizations in a wide range of sectors.