Email Security

    What Is a Watering Hole Attack and How to Prevent It?

    Just like a lion attacking an antelope at its favorite watering hole, cybercriminals are lurking on your favorite websites and tools

    by Giulian Garruba

    Key Points

    • Having used a website often, watering hole attack victims rarely think twice about its security, leaving them vulnerable to surprise attacks from a variety of sources.
    • Usually, watering hole attacks are staged across four steps that aim to monitor, analyze, and execute one of many types of web-borne exploits.
    • Identifying watering hole attacks can be straightforward with the proper education, intelligence, and tools.

    Cyberattacks have exponentially increased in sophistication over the past decade, leaving many organizations struggling to maintain network and data security as new, previously unknown threats arise. Terms such as malwarephishing, and even denial-of-service attacks are familiar to most people. However, other terms such as watering hole attacks may be entirely new.

    Here, we investigate what watering hole attacks are, how they work, and how you and your organization can raise awareness of the threats posed and protect against them.

    How do Watering Hole Attacks Work?

    Watering hole attacks, sometimes known as watering hole phishing, take their namesake inspiration from the wild, such as when a predator strikes its prey as it stops by a watering hole to drink. Think about a lion hiding at a popular watering hole on the savanna, pouncing as an unsuspecting antelope stoops to drink. The antelope is an easy target but the watering hole is also a place where all kinds of animals regularly congregate. 

    The reason for this analogy becomes clear when we define a watering hole attack in the context of cybersecurity. Threat actors aim to strike their targets where they congregate, commonly on websites frequently used by the target. Having used that website often, the target rarely thinks twice about its security, leaving them vulnerable to surprise attacks from a variety of sources.

    The concept behind watering hole attacks is clear, but the methods used by cyberattackers to implement and profit from them are also essential to understand. Usually, watering hole attacks are staged across four steps that aim to monitor, analyze, and execute one of many types of web-borne exploits. Commonly, these steps include:

    Gather Intelligence Through Tracking 

    Watering hole attackers begin by identifying a target and gathering intelligence on their web browsing habits. This might be frequently visited public sites, websites specific to the company or industry, or even tools such as webmail and cloud storage. Threat actors use a range of tools to gather this intelligence, including search engines, social media pages, website demographic data, social engineering, spyware, and keyloggers.

    Analyze Websites for Vulnerabilities 

    Once viable targets have been identified, cyberattackers then begin to analyze the list of websites for weaknesses and vulnerabilities at the domain and subdomain levels. Additionally, website clones may be created to fool the target into believing they are using the official site. Sometimes, both are used in tandem, compromising a legitimate site to lead targets to a malicious page.

    Prepare Exploits and Infect Target Websites 

    Web-borne exploits are used to infect the websites commonly used by the target. Focusing on technologies such as ActiveX, HTML, JavaScript, images, and other vectors, cyberattackers aim to compromise browsers used by the target. Sophisticated attacks may even allow actors to infect visitors with specific IP addresses.

    Wait for the Target to Unsuspectingly Download Malware

    The watering hole phishing infrastructure is now in place, and malicious actors only need to wait for the malware to activate. This happens when the target's browser unsuspectingly downloads and automatically runs the pre-placed software from the compromised sites. This works since web browsers often indiscriminately download code to computers and devices. 

    How water hole attacks work.png
    Infographic Explaining How Watering Hole Attacks Work

    How Individuals Can Protect Themselves Against Watering Hole Attacks

    Watering hole attack prevention for individuals consists of maintaining good cybersecurity practices every time you are online. This means being careful where and what you click while browsing the web and ensuring high-quality antivirus software is installed and regularly updated. Browser protection apps and VPNs can also be helpful, alerting users to potentially malicious sites or downloads and blocking them entirely where necessary. 

    How Businesses Can Protect Themselves Against Watering Hole Attacks

    Businesses can take a more robust approach to watering hole attack prevention through various advanced cybersecurity tools and protocols. These include:

    • Raising awareness of watering hole attacks and educating staff through human-risk-centric security awareness and training programs to enable them to detect suspicious activity more quickly.
    • Ensuring all software, including non-security software, is kept up to date. Watering hole attacks actively search out vulnerabilities, so regular vulnerability scans and security patches are a critical line of defense.
    • Using secure web gateways to filter out web-based threats and enforce acceptable use policies. An secure web gateway acts as a middleman between the user and the external website, blocking malicious network traffic and allowing staff to browse securely.
    • Ensuring all traffic that passes through the organization's network is treated as untrustworthy until it has been validated.
    • Using endpoint detection and response tools to protect your organization from emerging malware threats. 
    How To Prevent Watering Hole Attacks.png
    Infographics on How to Prevent Watering Attacks from Happening

    Examples of Watering Hole Attacks

    In the past, watering hole attacks have targeted high-profile organizations that have supposedly implemented top-of-the-line cybersecurity protection. This means that any type of organization can be vulnerable to these advanced persistent threats (APTs). Here are some concrete examples of high-profile watering hole attacks:

    2012 – American Council on Foreign Relations

    Through an Internet Explorer exploit, cyberattackers infected the CFR. Watering hole phishing targeted those browsers only using certain languages that could be exploited. 

    2016 – Polish Financial Authority

    Targeting over 31 countries, including Poland, the United States, and Mexico, researchers discovered an exploit kit that had been embedded in the Polish Financial Authority's web server. 

    2019 – Holy Water

    By embedding a malicious Adobe Flash pop-up that triggered a download attack, dozens of religious, charity, and volunteer websites were infected. 

    2020 – SolarWinds

    IT company SolarWinds was the target of a far-reaching watering hole attack that ran for a long time. After months of cyber intelligence work, it was uncovered that state-sponsored agents were using watering hole phishing to spy on cybersecurity companies, the Treasury Department, Homeland Security, and more.

    2021 – Hong Kong

    Google's Threat Analysis Group identified numerous watering hole attacks focusing on users who visited media and pro-democracy websites in Hong Kong. Once successful, the malware would go on to install a backdoor on individuals using Apple devices.

    How to Tell If You've Been the Victim of a Watering Hole Attack

    Since watering hole attacks are, by design, supposed to trick us into believing we are visiting a trusted website or legitimate source, they can be difficult to identify immediately. If you haven't realized the attack has happened at its source in real time, then the next likely indicator will be that your networks begin to act differently, and data goes missing or is no longer accessible. For these reasons, ensuring extra vigilance with zero-day exploits is critical, as these are the most common vectors for watering hole phishing.

    The Bottom Line

    Perhaps the most concerning thing about watering hole attacks is that they persistently target places individuals and organizations people have grown to trust. However, identifying this specific cyberattack can be straightforward with the proper education, intelligence, and tools. Remember, cybersecurity best practices are there for a reason and should be used without fail.

    Watering Hole Attack FAQs

    Can small businesses be targets of watering hole attacks?

    Yes, small businesses are often targets of watering hole attacks due to typically having less robust cybersecurity measures compared to larger organizations. Attackers know that small businesses may lack dedicated IT security teams or the resources to continuously monitor and patch vulnerabilities, making them easier to exploit. Additionally, small businesses often work with larger companies as vendors or partners, providing cybercriminals with a potential backdoor into these larger organizations. Therefore, small businesses must be vigilant and implement strong cybersecurity protocols to protect themselves against watering hole attacks.

    What are the characteristics of a watering hole attack?

    Watering hole attacks often involve various types of malware, each serving a different purpose in the attack chain:

    1. Trojan Horse: This is a type of malware disguised as legitimate software. Once installed, it allows attackers to gain unauthorized access to the victim's system.
    2. Keyloggers: These tools record keystrokes made by the user, allowing attackers to capture sensitive information such as login credentials and personal data.
    3. Ransomware: Some watering hole attacks deliver ransomware, which encrypts the victim's data and demands payment for its decryption.
    4. Spyware: This type of malware secretly monitors the victim's activities, collecting information like browsing habits, passwords, and other personal details.
    5. Rootkits: Rootkits are used to gain root-level access to the victim’s system, allowing attackers to control the system remotely and evade detection by security software.
    6. Backdoors: These allow attackers to bypass normal authentication processes, giving them persistent access to the system even after the initial attack is over.

    What is the difference between watering hole attacks and spear phishing?

    While both watering hole attacks and spear phishing are targeted attacks, they differ significantly in their approach and execution:

    1. Method of Attack:
      • Watering Hole Attack: This involves compromising a legitimate website that the target frequently visits. The victim is unaware that their trusted site has been infected with malware.
      • Spear Phishing: This involves sending a targeted, often personalized, email to the victim, tricking them into clicking a malicious link or downloading an infected attachment.
    2. Point of Entry:
      • Watering Hole Attack: This involves compromising a legitimate website that the target frequently visits. The victim is unaware that their trusted site has been infected with malware.
      • Spear Phishing: This involves sending a targeted, often personalized, email to the victim, tricking them into clicking a malicious link or downloading an infected attachment.
    3. Level of User Interaction:
      • Watering Hole Attack: The victim may not have to perform any specific action other than visiting the compromised site. Malware can be downloaded and executed automatically.
      • Spear Phishing: The victim must actively interact with the phishing email, such as clicking a link or downloading an attachment, to initiate the attack.
    4. Complexity:
      • Watering Hole Attack: This is often more complex and requires the attacker to identify and compromise a third-party website.
      • Spear Phishing: This can be simpler, requiring only a convincing email and a malicious payload.

     

     

    **This blog was originally published on March 12, 2022.

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Haut de la page