Organizations, by and large, deploy spam filters, antivirus software, firewalls, and intrusion detection and prevention systems to keep the bad guys out of their network. Security awareness and readiness regarding phishing attacks is also on the rise, with employees becoming better-versed in recognizing and responding to phishing attempts. Cybercriminals are thus tasked with finding ways around these obstacles to their goal of gaining access to organizations’ networks.
In nature, we observe predators that hide next to bodies of water — watering holes, where the prey gathers — and wait for the opportunity to attack.
Unfortunately, cybercriminals have found a way to emulate this predatory behaviour. They prey on unsuspecting victims browsing regularly visited websites. This is called a watering hole attack.
What are watering hole attacks?
The concept of watering hole attacks is similar to spear phishing. Malicious attackers have figured out that opportunistic phishing emails are easily discarded, and that the more targeted and tailored attacks are to an individual, the more the attacks are likely to succeed.
What differentiates spear phishing from watering hole attacks is that spear phishing attempts to persuade unsuspecting victims to click on an attachment or perform other actions with which they would divulge their private information.
Watering hole attacks, on the other hand, don’t need to lure victims in that way. The attacker is already positioned in a place the victim goes on their own: a third-party service or a website the victim frequents is compromised and made to serve malware, with the end goal of infecting the user’s device and gaining access to an organization’s network.
We do see more opportunistic watering hole attacks, possibly by actors building a botnet, in which widely popular websites are infected and whoever visits is served. We’ll be focusing on the more sophisticated and targeted watering hole attacks, but the techniques don’t differ all that much.
Objectives for such attacks include gaining access to sensitive computer systems as well as data theft, whether financial, personal, strategic or intellectual. While they are targeted, they do have a wider scope than spear phishing, and catch more victims than those targeted — so if they get lucky, they’ll catch the ones that will reveal the desired network credentials that allow the attackers access to the network.
Because relying on luck isn’t the most optimal solution, attackers often combine watering hole attacks with spear phishing campaigns. This way, they can send victims highly targeted and customized emails prompting them to visit a website that seems harmless and familiar but is, in fact, compromised and will infect users with malware. Sometimes the lure is sent through the compromised website’s own automated email system (newsletters, notifications), so the mail is genuinely from the expected sender and passes sender-based checks.
Another way attackers avoid detection is in how they pick the watering hole itself: they choose legitimate, established websites that are relevant to their target and have a clean reputation, so the site is not on any blocklist and the traffic to it raises no flags.
Watering hole attacks usually target businesses and organizations through their employees, vendors and suppliers, but public websites that are popular in the victim’s industry can be effective as well. These include discussion boards, smaller news outlets, industry conferences, and more.
How does waterholing work?
Attackers start with a target. They then find websites that users frequent, compromise the websites, wait for victims to enter, then inject malware to penetrate the network, moving laterally to other systems to achieve their objective. Simple concept, right? Well, that is the simplified version of it.
But how do cybercriminals know which websites are the right ones? They can’t just go after the large, popular websites that are most likely secure and hard to compromise, so they need to find their way to the websites that are less secure and smaller but still relevant to their target, such as blogs and smaller company websites.
Much as investigators do, cybercriminals prepare for the attack with reconnaissance and information gathering about the target. In this case, they study which websites the target’s users visit, and which they visit frequently. Attackers will leverage legitimate resources such as regular search engines, social networks and IoT search engines such as Shodan, but also more obscure ways of gaining intelligence.
Once the appropriate website, the watering hole, has been chosen, attackers look for exploitable weaknesses in it (an outdated CMS, a vulnerable plugin, weak admin credentials, a compromised third-party script or ad network) and use them to inject malicious code into the site. The injected code is often a small piece of JavaScript, an inline script or a hidden iframe, and is frequently placed in banners, ads or other third-party content so it blends in.
When users load the page, the injected code runs without any click being required: it profiles the browser and its plug-ins, often checks where the visitor comes from, and redirects selected visitors to a second site that serves exploits for known and sometimes unknown (zero-day) vulnerabilities in the browser or its plug-ins. If such a vulnerability exists, it is used to install malware on the device. From there attackers gain access to the target network and the ability to move laterally within it, find sensitive data such as customer information, financial data and intellectual property, and exfiltrate or compromise that data.
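The injection described above leaves traces in the page itself: a script tag pointing at a host the site never used before, a hidden iframe, or an inline script that has been obfuscated. The following script is an added example, not code from the original article; it audits a page’s HTML against a baseline of known script hosts and reports those indicators. The sample page, the baseline allowlist and the obfuscation heuristics are constructed for the example; against a real site you would fetch the page yourself and build the baseline from a known-good copy.

```python
"""Audit a web page for signs of injected watering-hole code.

Added illustration, not code from the original article. It parses HTML and flags:
  * <script src> elements pointing at hosts outside a baseline allowlist,
  * hidden or 1x1 <iframe> elements (a classic drive-by redirect carrier),
  * inline scripts carrying obfuscation markers (eval/unescape/fromCharCode,
    long \\xNN or %NN runs).
The sample page and the allowlist below are constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

OBFUSCATION_MARKERS = (
    re.compile(r"\beval\s*\("),
    re.compile(r"\bunescape\s*\("),
    re.compile(r"String\.fromCharCode"),
    re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),   # long \xNN runs
    re.compile(r"(?:%[0-9a-fA-F]{2}){8,}"),     # long %NN runs
)


class _PageAuditor(HTMLParser):
    """Collects (finding_kind, detail) tuples while the page is parsed."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []
        self._in_inline_script = False
        self._inline_buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            src = attrs.get("src")
            if src:
                host = urlparse(src).hostname
                if host and host.lower() not in self.allowed_hosts:
                    self.findings.append(("external-script", src))
            else:
                self._in_inline_script = True
                self._inline_buf = []
        elif tag == "iframe":
            style = (attrs.get("style") or "").replace(" ", "").lower()
            tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
            if "display:none" in style or "visibility:hidden" in style or tiny:
                self.findings.append(("hidden-iframe", attrs.get("src", "")))

    def handle_data(self, data):
        # HTMLParser hands script bodies over as raw data (CDATA mode).
        if self._in_inline_script:
            self._inline_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            body = "".join(self._inline_buf)
            if any(m.search(body) for m in OBFUSCATION_MARKERS):
                self.findings.append(("obfuscated-inline-script", body.strip()[:60]))
            self._in_inline_script = False


def audit_page(html, allowed_hosts):
    """Return a list of (kind, detail) findings for the given HTML."""
    auditor = _PageAuditor(allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: a forum page with one legitimate CDN script, one
# legitimate analytics script, an obfuscated inline script and a hidden
# iframe pointing at an IP address in the documentation range.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example-forum.org/app.js"></script>
<script src="https://stats.example-analytics.net/t.js"></script>
<script>document.write(unescape('%3C%73%63%72%69%70%74%20%73%72%63%3D'));</script>
</head><body>
<h1>Industry board</h1>
<iframe src="http://203.0.113.45/ad/index.php" width="1" height="1" style="display:none"></iframe>
</body></html>"""

BASELINE_HOSTS = {"cdn.example-forum.org", "stats.example-analytics.net"}

if __name__ == "__main__":
    for kind, detail in audit_page(SAMPLE_PAGE, BASELINE_HOSTS):
        print(f"{kind:26} {detail}")
```

Run periodically against the sites your staff frequent (or your own site, if you are the one who might become a watering hole) and diff the findings against the previous run; a new external script host or a new hidden iframe is worth a human look even when the host has a clean reputation, since that is exactly the situation the attacker aims for.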
Watering hole attack examples
The most targeted groups for watering hole attacks are government agencies, human rights groups, public authorities and financial institutions. That’s because the information stolen from these targets can actually allow attackers to initiate further attacks.
Watering hole attacks aren’t among the most common types of cybercrime around, but there have been a few notable real-world examples.
Facebook, Twitter, Microsoft, and Apple
In 2013, attackers managed to compromise systems at Facebook, Twitter, Microsoft, and Apple as part of a wide-ranging watering hole operation using websites that attracted employees from many high-profile companies. The attackers used, among other watering holes, two mobile application development websites, one of them iPhoneDevSDK.com.
The compromised websites served drive-by downloads exploiting a zero-day vulnerability in the Java browser plug-in, which worked on both Windows and macOS systems. In addition to the four major organizations mentioned, these watering hole attacks also affected auto manufacturers, government agencies and various other businesses.
A Chinese threat actor group called LuckyMouse orchestrated a cyber espionage campaign from 2017 to 2018, compromising a national data center of a central Asian country in order to conduct watering hole attacks, for the purpose of gaining access to numerous government resources. From the data center the group injected malicious JS code into the official government websites it hosted, and visitors were infected with the HyperBro RAT (Remote Access Trojan), giving the actors remote administration of the compromised machines.
A watering hole campaign targeting several websites in Southeast Asia occurred in 2018 and 2019. This campaign, believed to have been run by the OceanLotus group, was very large in scale and over 20 compromised websites were found, including the Ministry of Defense of Cambodia, the Ministry of Foreign Affairs and International Cooperation of Cambodia, and several Vietnamese news and blog outlets. Attackers added a small piece of malicious code to the compromised websites, which checked visitors’ locations and only visitors from Vietnam and Cambodia received the malware.
LuckyMouse again, guess they really are lucky! The International Civil Aviation Organization (ICAO), a specialized agency of the United Nations, was the victim of a watering hole attack attributed to the LuckyMouse APT in 2016. The group managed to compromise two servers at the ICAO as well as the accounts of the mail servers, domain admin and sysadmin. ICAO was, however, merely the watering hole: its systems were used to reach the intended targets, UN member states. At least one member state was compromised after the ICAO cyber attack.
Turla was one of the most sophisticated and persistent cyber espionage campaigns to occur between 2014 and 2016. The “Epic” operation served as the first stage of infection in the Turla campaign, and it targeted government agencies and embassies along with military, research, educational and pharmaceutical organizations, mostly located in the Middle East and Europe. Attackers used both spear phishing emails and watering hole attacks to infect victims: the emails carried Adobe Reader exploits, while the watering holes served Java exploits and relied on users being tricked into running fake Flash Player installers that delivered the malware.
How to prevent watering hole attacks
The prevention of watering hole attacks, just like that of any highly targeted attacks, can be challenging. However, a combination of security awareness and proper cybersecurity culture in the organization, as well as keeping security controls in place, can help in setting the grounds for effective organizational defense.
Here are a few best practices for preventing watering hole attacks:
Watering hole attacks are also known to exploit known vulnerabilities — CVEs — so the first step in any network defense is to keep all your systems, software and OSs updated to the latest version with all patches offered by vendors applied.
When it comes to detecting zero-day threats, patches alone won’t help, so invest in network security tools that analyze traffic, such as solutions that spot the redirect and download chain a drive-by attack produces, and that can catch attackers attempting to move laterally across the network and exfiltrate data after a successful infection.
Zero trust can and should be applied with watering hole attacks as well. Verify all third-party traffic whether it comes from a trusted partner or a popular website. A security solution that inspects all network traffic will allow security researchers to determine if the traffic is coming from a compromised website being used for a watering hole attack.
There should also be a solution in place that inspects websites that the users within your organization frequent.
Ensure browsers and tools that use website reputation services notify users of suspicious websites they want to access.
A simple step, but a useful one: routing staff browsing through a VPN or proxy hides the organization’s IP ranges from the sites it visits. That makes attackers’ intel gathering harder and defeats the trick of serving the payload only to visitors from a chosen network or country.
Additionally, keep the sandboxing and site-isolation features of mainstream browsers enabled (and don’t let users disable them) so that a compromised page, including one used in a watering hole attack, is contained and cannot directly reach the rest of the system.
Web gateways are a great way to defend organizations against drive-by downloads that match a known signature or bad reputation, and can provide detection for opportunistic watering hole attacks.
We mentioned that victims are often lured to websites compromised in a watering hole attack via spear phishing emails, so having an email security solution providing advanced malware analysis at the time of email delivery can help protect users.
As we’ve seen from notable examples, APTs are often behind these attacks. By applying threat intelligence and big data analytics, organizations can gain insight into whether they’re being targeted by these groups, by correlating data of cybercrime activities in the wild with the traffic and activities occurring on the organization’s own network.
Practice makes perfect, so make sure that security awareness training covers all current threats to your organization, which should definitely include watering hole attacks. Educate your employees on the nature of these attacks and the tell-tale signs of compromised websites, but also incorporate prevention and awareness practices that will ensure they don’t fall victim, especially when they’re innocently reading the latest discussions on industry boards and communication channels.
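Several of the practices above (traffic inspection, zero-trust verification of third-party traffic, watching the sites your users frequent) come down to one observable pattern in your web gateway logs: a user loads a site they always visit, a request goes to a host nobody in the organization has seen before, and an executable, archive or document comes back within seconds. The script below is an added example, not part of the original article, that scans proxy logs for that chain. The log format, the sample lines and the list of frequented sites are constructed for the example; adapt the parser to your own gateway’s format.

```python
"""Spot drive-by redirect chains in web proxy logs.

Added example, not from the original article. A watering hole visit tends to
look like: a request to a frequented site -> a request to an unfamiliar host
(referred by the frequented site) -> a payload (exe/jar/pdf/...) arriving
seconds later. find_driveby_chains() scans a proxy log for that sequence.
Log format and sample lines are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

PAYLOAD_TYPES = {"application/x-msdownload", "application/java-archive",
                 "application/octet-stream", "application/pdf",
                 "application/x-shockwave-flash"}
PAYLOAD_EXTS = (".exe", ".jar", ".msi", ".scr", ".pdf")


def parse_line(line):
    # Constructed format: "<ISO time> <user> <status> <content-type> <url> <referer|->"
    ts, user, status, ctype, url, referer = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "status": int(status),
            "ctype": ctype, "url": url, "host": urlparse(url).hostname,
            "referer": None if referer == "-" else urlparse(referer).hostname}


def is_payload(event):
    return (event["ctype"].lower() in PAYLOAD_TYPES
            or event["url"].lower().endswith(PAYLOAD_EXTS))


def find_driveby_chains(lines, frequented_hosts, window=timedelta(seconds=60),
                        rare_threshold=2):
    """Return chains: payload from a rarely seen host within `window` of a visit
    to (or referral from) a frequented host. A host is 'rare' when fewer than
    `rare_threshold` distinct users in the log ever contacted it."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    users_per_host = defaultdict(set)
    per_user = defaultdict(list)
    for e in events:
        users_per_host[e["host"]].add(e["user"])
        per_user[e["user"]].append(e)

    chains = []
    for user, evs in per_user.items():
        for i, e in enumerate(evs):
            if not is_payload(e) or len(users_per_host[e["host"]]) >= rare_threshold:
                continue
            # Walk back through this user's recent requests looking for the lure.
            for prev in reversed(evs[:i]):
                if e["ts"] - prev["ts"] > window:
                    break
                lure = None
                if prev["host"] in frequented_hosts:
                    lure = prev["host"]
                elif prev["referer"] in frequented_hosts:
                    lure = prev["referer"]
                if lure:
                    chains.append({"user": user, "lure_host": lure,
                                   "payload_url": e["url"],
                                   "seconds": (e["ts"] - prev["ts"]).total_seconds()})
                    break
    return chains


# Constructed sample log. alice is redirected from the industry board to an
# unknown IP that serves a .jar; bob fetches a PDF from a vendor that carol
# also uses (not rare, so not flagged); carol just browses.
SAMPLE_LOG = """
2024-03-04T09:00:01 alice 200 text/html https://industry-board.example/threads/42 -
2024-03-04T09:00:02 alice 200 text/html http://198.51.100.7/landing.php https://industry-board.example/threads/42
2024-03-04T09:00:05 alice 200 application/java-archive http://198.51.100.7/update.jar http://198.51.100.7/landing.php
2024-03-04T09:10:00 bob 200 text/html https://industry-board.example/threads/42 -
2024-03-04T09:10:20 bob 200 application/pdf https://vendor.example/datasheet.pdf https://industry-board.example/threads/42
2024-03-04T09:30:00 carol 200 text/html https://vendor.example/ -
2024-03-04T09:31:00 carol 200 text/html https://news.example/ -
"""

FREQUENTED = {"industry-board.example"}

if __name__ == "__main__":
    for chain in find_driveby_chains(SAMPLE_LOG.splitlines(), FREQUENTED):
        print(f"{chain['user']}: {chain['lure_host']} -> {chain['payload_url']} "
              f"({chain['seconds']:.0f}s)")
```

The "rare host" test is what keeps the noise down: a vendor site that several people use is not a watering hole redirect even if it hands out PDFs, while a host that exactly one user ever touched, reached straight from a site everyone reads, is worth pulling the payload and the landing page for analysis. In production you would build the frequented-host list from your own traffic history and feed the chains into your SIEM rather than printing them.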
While not common, watering hole attacks are particularly dangerous because they exploit trust and habit rather than a mistake: the victim goes to the site on their own. Additionally, these attacks have the perfect components for making them difficult to detect, namely legitimate websites that aren’t suspicious, spear phishing emails that mimic the compromised website, and notifications that play the part to a T. Still, this is nothing that an effective combination of security awareness, education, security controls, solutions and practices can’t help prevent.
Since cybercriminals are known to use watering hole attacks to reach their main target through third parties, having a solution that gives you knowledge of all online assets and hidden details of your organization is a must. SecurityTrails API™ can not only benefit you in this way, but will also tick other crucial boxes in watering hole attack protection, as it can feed your reputation scoring systems and inform you of domains and IPs being abused by malicious actors.
Take charge of your organization’s cybersecurity. Sign up for your API key today and discover the full power of our API!