What Are Watering Hole Attacks & How to Prevent Such Attacks

What Are Watering Hole Attacks & How to Prevent Such Attacks

Watering hole attacks are becoming more and more popular as these allow malicious actors to compromise intermediary targets to gain access to their intended final targets.

What Is Watering Hole Attack and How It Works

In a watering hole attack, a malicious actor compromises a third-party service, such as a publicly available website, in order to get access to the intended final target. There are various reasons why threat actors attack third-party services instead of the intended final targets. It could be that the intended final targets have stronger cyber defences, while third-party services lack the necessary cyber defences.

In watering hole attacks, threat actors study the employees of the intended final targets, such as finding out what sites these employees often visit. These sites are then analysed.

Sites with weak defences are often targeted, injecting these sites with malicious software (malware) or redirecting visitors to sites controlled by the attackers, leading to the downloading of the malware when these employees visit these sites. Attackers may also nudge an employee into visiting the compromised website or the URL they control by tricking the employee to click on the malicious link contained in a phishing email.

Once inside an employee’s device, threat actors then move toward the intended final target.

Examples of Watering Hole Attacks

The recent disclosure by researchers at Google's Threat Analysis Groupabout a small collection of compromised websites used in watering hole attacks which ultimately targets site visitors using certain versions of iPhones highlights the growing danger of watering hole attacks.

Researchers at Google's Threat Analysis Group revealed that over a period of at least two years, almost every version of iOS 10 through iOS 12 was potentially vulnerable when users visit a small collection of compromised websites. Simply visiting the compromised site, the researchers said, was enough for the exploit server to attack the vulnerable iPhones and install a malicious code that monitors the users’ activities.

The researchers estimated that the compromised sites receive thousands of visitors each week. In attacking the specific versions of iPhones, researchers at Google's Threat Analysis Group said, they identified a total of 14 security vulnerabilities: 7 for the iPhone’s web browser, 5 for the kernel and 2 separate sandbox escapes.

Other Cases of Legitimate Sites Used for Watering Hole Attacks

In late February and early March this year, reports came out that the website of International Civil Aviation Organization (ICAO) was used as an intermediary target for a watering hole attack where the intended final targets were ICAO members. Montreal, Canada-based ICAO is a specialized agency of the United Nations that codifies the principles and techniques of international air navigation.

In November 2018, researchers at ESETreported that 21 distinct websites in Vietnam and Cambodia, including Ministry of Defense of Cambodia, the Ministry of Foreign Affairs and International Cooperation of Cambodia and several Vietnamese newspaper websites, were used as intermediary targets in watering hole attacks.

According to the researchers, the modus operandi is similar on all compromised websites in which the attackers add a small piece of malicious code on the compromised websites. While not applicable in all cases, the researchers reported that the code injected into the compromised websites checks for the visitor’s location, and only visitors from Vietnam and Cambodia actually receive the malware. The researchers added that the server controlled by the attackers can send additional payload – referring to the malware that performs the actual malicious actions.

Researchers at ESET said they weren’t able to identify examples of payloads sent by the attackers as these payloads were only delivered to specific targets and it wasn’t possible to get them using a test machine. In November 2017, researchers at Volexityfound a similar set of compromised websites of individuals and organizations tied to the government, the media, human rights and civil society groups. The researchers, in these cases, found that the payloads downloaded unto the site visitor’s computer include a pop-up asking to approve OAuth access to the victim’s Google account. This tactic allows attackers to get access to the victim’s contacts and emails.

The recent watering hole attacks are reminiscent of the cyber-espionage campaign called “Epic Turla”. In August 2014, Kaspersky observed 100 compromised websites for watering hole attacks.

Once a computer is infected with the Epic malware, Kaspersky reported that the malware immediately connects to the command-and-control (C&C) server to deliver pre-configured series of commands for execution and custom lateral movement tools such as a keylogger – a malicious program aimed at stealing data by recording every keystroke made by a computer user.

Prevention and Mitigating Measures

Here are some cyber security measures in order to prevent or mitigate the effects of watering hole attacks:

• Keep all software up to date.
• Be wary of clicking pop-ups.
• Configure the devices or computers used by non-IT staff not to install programs. This is to prevent the employees from unknowingly installing malicious programs as a result of visiting websites used as intermediary targets for watering hole attacks or by clicking malicious links in phishing emails.
• Whitelist sites that can be visited by staff using their work devices or computers and regularly evaluate the security posture of these whitelisted sites. For the possibility that these sites might one day be used as intermediary targets for watering hole attacks, don’t allow downloads from these sites.