The advance of the 21st century brought with it a significant shift in the work scene. Every industry and field relies heavily on computers and the digital world to function seamlessly. However, with it came the ever-mounting fear of cyber attack. Among the many forms of cyber attack is a watering hole attack, also known as a supply chain attack.
In a watering hole attack, attackers mainly try to compromise a user by infecting the user’s computer and gaining access to the network.
What does the expression watering hole mean?
The watering hole is a technique in which the attacker works out which websites an organisation's members often use and infects one or more of them with malware. The name comes from predators in the natural world that wait near watering holes or other water sources, where their prey is sure to come to drink. The attacker likewise does not chase the prey but waits for it to walk into the trap with its guard down.
The attacker finds a site that many users, or a particular targeted group, visit frequently, identifies a weakness in that site, and plants malware or malicious code on it so that visitors' computers are infected.
From the infected machines the attacker then works towards the real goal: access to the targeted group or user.
Overview Of A Watering Hole Attack
Reports of Watering Hole Attacks
- Well-known websites such as Facebook, Microsoft, Apple, and Twitter have been abused to carry out watering hole attacks.
- The Lazarus threat actor group ran watering hole attacks against institutions in Poland, Mexico, the UK and the US in 2017.
- Several sites linked to the US CRF were compromised in 2012, in what came to be known as the VOHO attacks.
- In 2016, the Canada-based ICAO fell victim to an opportunistic watering hole attack, and the malware even reached the United Nations.
- In 2017, Ukrainian government websites were compromised with ExPetr malware.
- In 2019, Asian communities were targeted, mostly through religious and humanitarian websites.
- In 2018, the Ministry of Defence of Colombia was compromised through a watering hole attack.
- In 2015, the major news organisation Forbes was the victim of a watering hole attack launched by a Chinese hacking group, which used two zero-day exploits, one in Adobe Flash Player and one in Internet Explorer. The exploit was delivered through Forbes' "Thought of the Day" Flash widget, so that any vulnerable device that viewed the Forbes website could be infected.
- In 2019, FortiGuard Labs discovered a watering hole attack targeting a US-based Chinese news site.
How does a watering hole attack work?
A watering hole attack mirrors the hunting technique of wild predators. Cybercriminals first gather information on popular websites frequented by the victim or by a particular group of users, generally employees or members of a high-value company, government agency or industry body, and build a profile of those users.
The criminals then identify known vulnerabilities in the site and lie in wait for their victims. They inject malicious code into the site, such as a loader for a remote access trojan, or redirect visitors to a spoofed site, in order to gain remote access to the victims' machines.
When a victim visits the compromised site, the injected code automatically downloads a script carrying the malware onto the victim's machine, and from there it spreads into the group's or the victim's network.
Once installed, the malware gains unauthorised access to the personal information on the victim's computer and sends the victim's data to the attacker's server. The attackers then look to exploit their victims financially, or use the compromised machines as part of a botnet to reach the targeted network through them, most often a corporate network.
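The injection step described above leaves a footprint in the compromised site's own pages: a new script or hidden iframe pulling from a host the site never used before. The following is an added example, not code from the original article, of a simple integrity check a site owner could run over page snapshots; the allowlist, host names and sample HTML are all constructed.

```python
"""Flag injected third-party scripts/iframes in a snapshot of your own site.
Added example, not code from the original article: each script/iframe source is
compared with the site's own host allowlist and invisible iframes are flagged.
Sample page and allowlist are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"www.example-news.test", "cdn.example-news.test"}  # constructed

# Constructed snapshot: a legitimate page carrying two injected elements.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example-news.test/site.js"></script>
<script src="//injected-host.test/counter.js"></script>
</head><body><h1>Thought of the Day</h1>
<iframe src="http://stats.injected-host.test/i.html" width="0" height="0" style="display: none"></iframe>
<script src="/js/local.js"></script>
</body></html>"""


class SourceCollector(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []  # (tag, reason, src)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = dict(attrs)
        src = a.get("src") or ""
        # Relative paths have no hostname (same-origin, skipped); protocol-relative
        # URLs like //host/x.js still parse to a hostname and are checked.
        host = urlparse(src).hostname
        if host and host.lower() not in self.allowed:
            self.findings.append((tag, "external-src", src))
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            if ("display:none" in style or "visibility:hidden" in style
                    or a.get("width") == "0" or a.get("height") == "0"):
                self.findings.append((tag, "hidden-iframe", src))


def find_injected_content(html, allowed_hosts=ALLOWED_HOSTS):
    collector = SourceCollector(allowed_hosts)
    collector.feed(html)
    collector.close()
    return collector.findings


if __name__ == "__main__":
    for finding in find_injected_content(SAMPLE_HTML):
        print(finding)
```

Run against a fresh snapshot on every deploy or on a schedule and alert on any finding; a genuine new third-party host should first be added to the allowlist by the site team.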
How to prevent watering hole attacks?
Through a watering hole attack, users or victims can lose their data, money, sensitive information, and company reputation.
Here are some steps that will help you prevent watering hole attacks:
Provide knowledge and training to all staff and use advanced threat protection
Less experienced users commonly visit popular consumer websites. Attackers compromise such sites, or create spoofed copies of them, and load them with malware. Users who are unaware of this kind of attack keep visiting the sites with their guard down, and when a victim logs in with a username and password on a compromised site, the attacker captures those credentials and uses them to reach the targeted applications or other sites.
Watering hole attacks are generally used against companies that already protect their staff's email accounts and internet access well. Instruct users, particularly those in job roles likely to be targeted, not to follow links to new or suspicious websites. Attackers also use social engineering to gather the information that helps them run credential stuffing attacks.
Threat actors compromise websites through browser-based and application-based threats such as watering hole attacks.
Ask your IT experts for a security audit. They will check the security posture and internet traffic, including for zero-day threats.
Cybersecurity experts can point out vulnerabilities that others miss, fix them and give you a worry-free network. Have experts assess security periodically; it is the best step to prevent losses and secure the company's financial future.
Use Virtual Private Network
Use a VPN for users or specific groups who work with external sources. It can also be used to block unsecured websites such as messaging and social media sites.
Monitor Your Network and Web Traffic
Monitor all third-party and outbound traffic on the network. Doing so can help prevent watering hole attackers gaining unauthorised access and provides better security controls. Verify users who log in through remote access. Antivirus software and advanced intrusion detection and prevention systems reduce the risk of more users becoming victims.
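One concrete thing outbound-traffic monitoring can look for is the redirect chain a watering hole produces: a request to a host the organisation has never contacted before, referred by a site staff visit every day, followed by that new host serving active content. The following is an added example, not code from the original article; the proxy log format, the baseline of previously seen hosts and the sample lines are constructed.

```python
"""Spot drive-by redirect chains in web proxy logs.

Added example, not from the original article. The pattern to hunt for is a
request to a host the organisation has never contacted before, referred by a
site staff visit daily, followed by that host serving active content.
Log format, baseline and sample lines are constructed for illustration.
"""
from urllib.parse import urlparse

# Constructed proxy lines: time client url referer content-type
PROXY_LOG = """\
09:00:01 10.0.0.5 https://news.example.test/ - text/html
09:00:02 10.0.0.5 https://cdn.example.test/site.js https://news.example.test/ application/javascript
09:00:03 10.0.0.5 http://first-seen.test/i.html https://news.example.test/ text/html
09:00:04 10.0.0.5 http://first-seen.test/load.swf http://first-seen.test/i.html application/x-shockwave-flash
09:05:00 10.0.0.7 https://news.example.test/ - text/html
09:05:01 10.0.0.7 https://cdn.example.test/site.js https://news.example.test/ application/javascript
"""

BASELINE_HOSTS = {"news.example.test", "cdn.example.test"}  # hosts seen in prior 30 days (constructed)
ACTIVE_CONTENT = {"application/x-shockwave-flash", "application/java-archive",
                  "application/octet-stream", "application/x-msdownload"}


def parse(line):
    ts, client, url, referer, ctype = line.split()
    return {"ts": ts, "client": client, "url": url, "ctype": ctype,
            "host": urlparse(url).hostname,
            "referer_host": None if referer == "-" else urlparse(referer).hostname}


def detect_watering_hole(log_text, baseline_hosts=BASELINE_HOSTS):
    """Return alerts: trusted-site referrals to never-seen hosts, then active content from them."""
    suspicious_hosts = set()
    alerts = []
    for e in (parse(l) for l in log_text.splitlines() if l.strip()):
        if e["host"] not in baseline_hosts and e["referer_host"] in baseline_hosts:
            suspicious_hosts.add(e["host"])
            alerts.append(("new-host-via-trusted-referer", e["client"], e["referer_host"], e["host"]))
        if e["host"] in suspicious_hosts and e["ctype"] in ACTIVE_CONTENT:
            alerts.append(("active-content-from-suspicious-host", e["client"], e["host"], e["url"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_watering_hole(PROXY_LOG):
        print(alert)
```

In production the baseline would be rebuilt from historical logs and the second alert type is the one worth paging on, since first-seen hosts alone are noisy.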
Keep Systems And Security Patches Updated
Watering hole attacks exploit vulnerabilities in websites and in client software to take control. Keeping software and antivirus signatures updated with the latest security patches reduces the risk of such attacks. Always download software updates from official websites and update systems regularly.
Implement Multi-factor Authentication for Remote Users
According to Verizon's report, 80% of hacking involved weak credentials. Criminal hackers exploit poor password practices to take over user identities, so two-factor authentication (2FA), or better still multi-factor authentication (MFA), is the best practice against such targeted attacks, especially for users who frequent new websites.
How does it work?
Users are authenticated by a combination of the following kinds of credentials:
- Something the user knows (and an attacker might guess): a password, PIN, OTP or the answer to a security question
- Something the user has: a device, a smart card or a key fob
- Something the user is: a voice print, a fingerprint or an iris scan
By combining these, even if the password is compromised the account cannot be taken over without the other credentials.
Multi-factor authentication systems offer essential security benefits. Every user needs to re-authenticate regularly.
Watering hole attacks are not common, but they are difficult to detect and can cause major damage if they are not caught quickly. Such attacks compromise the security of websites, and a compromised site brings financial losses as well as damaged relationships with customers. This article has shown how such security exploits can be guarded against and how to work towards preventing a watering hole attack.
Get in touch to discuss your security concerns. If you are looking for a security services partner, contact us for a short, casual conversation to see if we’d be a good fit.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master's degree in Information Security and an OSCP, and has a strong technical skill set in offensive security.