What is a ‘Watering Hole’ Attack?

Poisoning the Water

A watering hole attack is a targeted, ‘supply chain,’ cyber-attack strategy, similar to spear phishing. With this strategy, the attacker identifies a website that’s frequented by users of a targeted organisation, or entire sector. The attacker then infects the website(s) with malware and identifies weaknesses in the main target’s cyber-security. The attacker then manipulates the ‘watering hole’ site to deliver that malware, such as a Remote Access Trojan (RAT), so that it can exploit these weaknesses.

When a member of the target organisation’s device becomes infected (like drinking from a poisoned watering hole, hence the name) in a way that the target will not notice (also known as ‘drive-by’), the attacker can then gain access to the infected device. This can, in turn, enable the attacker to access the target organisation’s network

Stealing and Spying

The goal(s) of this strategy, as with other strategies is/are to steal personal information, banking details, and intellectual property, and/or to conduct espionage. Also, it can enable the attacker to access corporate systems and assets, and potentially gain further details for even more cyber-attacks.

Examples of Watering Hole Attacks

Examples of watering hole attacks include:

• The VOHO multi-phase Campaign. Back in 2012, attackers compromised a local government website in Maryland and a regional bank in Massachusetts, along with other sites related to the promotion of democracy in oppressed regions. The targets were organisations related to financial services, government agencies, and the defence industry, and the attack involved the use of re-directs and infection by Gh0st RAT malware. The attack saw 32,000 visitors from 731 unique global organisations being re-directed to an exploit site where around 4,000 hosts are believed to have downloaded exploit files, leading to a staggering 12 per cent success rate for the attackers.
• From 2017 to 2018, a country-level watering-hole attack was launched in China by the “LuckyMouse”/ “Iron Tiger” group. This espionage campaign was reported to have targeted a national data centre of an unnamed central Asian country. The attackers injected malicious JavaScript code into the official government websites.
• The 2019 ‘Holy Water’ attack targeted Asian religious and charity groups. The attackers used an Adobe Flash update prompt to trigger the malware download. Although the motive was unclear, the attack may have been used for espionage.

How to Protect Your Business From Watering Hole Attacks

Ways that you can protect your business from watering hole attacks include:

• Keep anti-virus and software patches up to date.
• Use browser-based security tools to inform users of bad sites (bad reputation) and extra malware protection.
• Have a good email protection solution and consider using a secure web gateway (SWG) to filter out suspect traffic.
• Regularly inspect and monitor websites that are most visited by employees with a focus on malware detection. Also, have a procedure in place to quickly inform employees not to visit sites that have been identified as compromised.
• Check traffic from all third party and external sites before allowing employee access.
• Assess, know, and control the full extent of your supply chain (a watering hole attack is a supply chain attack).
• Educate/inform and train employees about the nature of the threat and how to avoid it.
• Never click on unknown/suspect links in emails or websites and exercise caution at all times when browsing.
• Consider adopting a ‘zero trust ‘security approach for the business/organisation.

What Does This Mean for Your Business?

This is broadly a supply-chain-related attack (web resources) where instead of actively hacking or sending phishing emails, the criminals set traps for unsuspecting victims to walk into. In this respect, it is less obvious for businesses to spot. The first step is recognising and raising awareness of the threat. Following normal security good practice is always helpful plus some additional measures in this case such as identifying, regularly inspecting and monitoring websites that are most visited by employees and focusing on what additional malware protection can be added to employees’ browsers and devices. With an increasing number of more complex and inventive attack methods, many businesses are shifting to a complete ‘Zero Trust’ approach for their IT security. A more data-centred rather than ‘moat and castle’ view of IT security gives companies greater holistic control and reduces the potential for the kind of gaps that cybercriminals can exploit with strategies like watering hole attacks.

For IT support and Cyber Security guidance, please call Paradise Computing on 01604 655900 or send us a message using our online contact form.