In the wilds of the African Savanna, predators lurk around water sources, waiting for potential prey to come to drink. In cyberspace, hackers apply a similar tactic in aptly named watering-hole attacks.
Watering-hole attacks, which are comparable to phishing attacks for their broad reach, and to spear-phishing attacks for their targeted approach, differ in execution. Attackers indirectly target an organization by deploying malware onto a specific, legitimate website or forum that employees or business partners might visit. Once the computers of visitors are infected, they work to gain access to their organizations.
Watering-hole attacks improve the odds of infiltrating large organizations with substantial security teams, says John Shier, senior security expert at Sophos.
READ MORE PARALLAX PRIMERS
“By targeting a forum or website that the employees are known to frequent, hackers have a greater chance of success,” he says. “Maybe the employee is accessing the site from their home PC, which isn’t as secure. And if their home PC uses a VPN to access the company network, hackers now have a direct line into the company.”
Earlier this year, security researchers say, a North Korean hacker group exploited the website of a Hong Kong telecommunications company by exploiting a vulnerability in Adobe Systems’ Flash software.
The attack was a textbook case of a watering-hole attack, they say, and it used advanced evasion tactics: It was fileless, without persistence or any trace on the disk, and it used a custom protocol on an unfiltered port.
“This was a zero-day Flash vulnerability, so it was discovered in the wild. They were probably going to scrape the system for credentials—that’s very often the case with a lot of these watering-hole attacks,” Shier says. “Very seldom is the goal to dump ransomware; the goal is to gain access to a corporation and use that access to perpetrate further crimes against the company.”
Watering-hole attacks aren’t as prevalent as their phishing or spear-phishing counterparts, in part because identifying the phase 1 target can be difficult, Shier says. If a hacker wants to infiltrate Facebook, for example, he first needs to identify an external site employees visit (perhaps a coding forum dedicated to a language Facebook developers use), and hope that his targets are actually there and will actually bite.
Like all attack vectors, watering-hole attacks have pros and cons. Their wide reach makes it difficult for hackers to find what they’re looking for in the data. But they’re easy for hackers to deploy because they don’t rely on social-engineering techniques, and they require compromising only one website, according to an Infosec Institute article.
And when watering-hole attacks are successful, the consequences can be devastating. Businesses can experience financial loss and data breaches, the article says. They can also become subject to spying, or the modification or deletion of crucial files.
Defending against watering-hole attacks
Detecting a watering-hole attack isn’t easy. Neither is defending against one.
“You can’t really train the average employee to detect an infected WordPress plug-in on a website, so from the user side of things, prevention is difficult,” Shier says. And while blocking access to popular websites would eliminate some risk, such a drastic measure simply isn’t feasible for many organizations.
Businesses can still take some preventative measures to minimize the occurrence of watering-hole attacks, Shier says. First and foremost, they should keep their systems up-to-date and patched, and ensure that employees use up-to-date versions of modern browsers, such as Firefox, Chrome, and Safari.
In addition, organizations should consider monitoring and inspecting the top websites visited by their employees, the Infosec Institute recommends. If the monitoring system detects malicious links, block the traffic, and warn the user.
And as an extra precaution, organizations should use Web application firewalls from trusted vendors, consider restricting access to content management systems to specific geographical areas, and create a plan to disable third-party content in the event that its provider becomes compromised, it says.
“While watering-hole attacks are not new or exceedingly common, it’s the kind of thing that, when pulled off, can have quite a devastating effect on the victim,” Shier says. “It really touches on the principle of doing the security basics right, especially if you’re a company that allows some fairly free access to the Web.”