1.888.900.DRIZ (3749)
The Driz Group
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog

Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

9/17/2019

0 Comments

What Are Watering Hole Attacks & How to Prevent Such Attacks

 
watering hole attacks

What Are Watering Hole Attacks & How to Prevent Such Attacks

Watering hole attacks are becoming more and more popular as these allow malicious actors to compromise intermediary targets to gain access to their intended final targets.

What Is Watering Hole Attack and How It Works

In a watering hole attack, a malicious actor compromises a third-party service, such as a publicly available website, in order to get access to the intended final target. There are various reasons why threat actors attack third-party services instead of the intended final targets. It could be that the intended final targets have stronger cyber defences, while third-party services lack the necessary cyber defences.

In watering hole attacks, threat actors study the employees of the intended final targets, such as finding out what sites these employees often visit. These sites are then analysed.

Sites with weak defences are often targeted, injecting these sites with malicious software (malware) or redirecting visitors to sites controlled by the attackers, leading to the downloading of the malware when these employees visit these sites. Attackers may also nudge an employee into visiting the compromised website or the URL they control by tricking the employee to click on the malicious link contained in a phishing email.

Once inside an employee’s device, threat actors then move toward the intended final target.

Examples of Watering Hole Attacks

The recent disclosure by researchers at Google's Threat Analysis Groupabout a small collection of compromised websites used in watering hole attacks which ultimately targets site visitors using certain versions of iPhones highlights the growing danger of watering hole attacks.

Researchers at Google's Threat Analysis Group revealed that over a period of at least two years, almost every version of iOS 10 through iOS 12 was potentially vulnerable when users visit a small collection of compromised websites. Simply visiting the compromised site, the researchers said, was enough for the exploit server to attack the vulnerable iPhones and install a malicious code that monitors the users’ activities.

The researchers estimated that the compromised sites receive thousands of visitors each week. In attacking the specific versions of iPhones, researchers at Google's Threat Analysis Group said, they identified a total of 14 security vulnerabilities: 7 for the iPhone’s web browser, 5 for the kernel and 2 separate sandbox escapes.

Other Cases of Legitimate Sites Used for Watering Hole Attacks

In late February and early March this year, reports came out that the website of International Civil Aviation Organization (ICAO) was used as an intermediary target for a watering hole attack where the intended final targets were ICAO members. Montreal, Canada-based ICAO is a specialized agency of the United Nations that codifies the principles and techniques of international air navigation.

In November 2018, researchers at ESETreported that 21 distinct websites in Vietnam and Cambodia, including Ministry of Defense of Cambodia, the Ministry of Foreign Affairs and International Cooperation of Cambodia and several Vietnamese newspaper websites, were used as intermediary targets in watering hole attacks.

According to the researchers, the modus operandi is similar on all compromised websites in which the attackers add a small piece of malicious code on the compromised websites. While not applicable in all cases, the researchers reported that the code injected into the compromised websites checks for the visitor’s location, and only visitors from Vietnam and Cambodia actually receive the malware. The researchers added that the server controlled by the attackers can send additional payload – referring to the malware that performs the actual malicious actions.

Researchers at ESET said they weren’t able to identify examples of payloads sent by the attackers as these payloads were only delivered to specific targets and it wasn’t possible to get them using a test machine. In November 2017, researchers at Volexityfound a similar set of compromised websites of individuals and organizations tied to the government, the media, human rights and civil society groups. The researchers, in these cases, found that the payloads downloaded unto the site visitor’s computer include a pop-up asking to approve OAuth access to the victim’s Google account. This tactic allows attackers to get access to the victim’s contacts and emails.

The recent watering hole attacks are reminiscent of the cyber-espionage campaign called “Epic Turla”. In August 2014, Kaspersky observed 100 compromised websites for watering hole attacks.

Once a computer is infected with the Epic malware, Kaspersky reported that the malware immediately connects to the command-and-control (C&C) server to deliver pre-configured series of commands for execution and custom lateral movement tools such as a keylogger – a malicious program aimed at stealing data by recording every keystroke made by a computer user.

Prevention and Mitigating Measures

Here are some cyber security measures in order to prevent or mitigate the effects of watering hole attacks:

  • Keep all software up to date.
  • Be wary of clicking pop-ups.
  • Configure the devices or computers used by non-IT staff not to install programs. This is to prevent the employees from unknowingly installing malicious programs as a result of visiting websites used as intermediary targets for watering hole attacks or by clicking malicious links in phishing emails.
  • Whitelist sites that can be visited by staff using their work devices or computers and regularly evaluate the security posture of these whitelisted sites. For the possibility that these sites might one day be used as intermediary targets for watering hole attacks, don’t allow downloads from these sites.
0 Comments

Your comment will be posted after it is approved.


Leave a Reply.

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Archives

    March 2023
    February 2023
    January 2023
    December 2022
    June 2022
    May 2022
    February 2022
    December 2021
    November 2021
    October 2021
    September 2021
    August 2021
    July 2021
    June 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    December 2020
    November 2020
    October 2020
    September 2020
    August 2020
    July 2020
    June 2020
    May 2020
    April 2020
    March 2020
    February 2020
    January 2020
    December 2019
    November 2019
    October 2019
    September 2019
    August 2019
    July 2019
    June 2019
    May 2019
    April 2019
    March 2019
    February 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    October 2017
    September 2017
    August 2017
    July 2017
    June 2017
    May 2017
    April 2017
    March 2017
    February 2017
    January 2017
    December 2016
    October 2016
    August 2016
    May 2016
    March 2016
    January 2016
    November 2015
    October 2015
    August 2015
    June 2015

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    Artificial Intelligence
    ATP
    Awareness Training
    Botnet
    Bots
    Brute Force Attack
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Awareness
    Cyber Espionage
    Cybersecurity
    Cyber Security
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Cybersecurity Tips
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    DDoS
    Email Security
    Fraud
    GDPR
    Hacking
    Impersonation Scams
    IoT
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    SaaS Security
    Social Engineering
    Supply Chain Attack
    Supply-Chain Attack
    Third-Party Risk
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security
    Zero Trust

    RSS Feed

Picture

1.888.900.DRIZ (3749)

Managed Services

Picture
Web Application Security
​Virtual CISO
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
Privacy Policy | CASL

About us

Picture
Testimonials
​Meet the Team
​Subsidiaries
​Contact us
​Blog
​
Jobs

Resources & Tools

Picture
​Incident Management Playbook
Sophos authorized partner logo
Picture
© 2023 Driz Group Inc. All rights reserved.
Photo used under Creative Commons from GotCredit