Cybersecurity professionals predict that the almost forgotten “Watering Hole” attack will be one of the major threats to our digital well-being in 2018. These attacks re-emerged recently after almost three years and, in a more sophisticated form, are gaining popularity among e-criminals.
Cybersecurity professionals know that “Watering Hole” attacks are neither new nor common. However, they resurface periodically and can cause widespread damage. According to a Reuters article published a few months ago, citing a Symantec report, a North Korean hacking group known as Lazarus was likely behind a cyber campaign targeting organisations in 31 countries, following its high-profile attacks on Bangladesh Bank, Sony and South Korea.
Based on indicators such as the attackers’ tools, domains, tactics and choice of victims, Kaspersky Lab has most recently published a report on the activities of the hacking group LuckyMouse (also known as Iron Tiger or Threat Group-3390). This group used a Watering Hole attack against the national data centre of an unnamed Central Asian country, eventually gaining access to a number of government resources.
A recent, textbook-style attack on a leading Hong Kong telecommunications company prompted researchers at Morphisec Labs to alert the cybersecurity community to the reappearance of “Watering Hole” attacks.
The Polish Financial Supervision Authority was also recently compromised by a “Watering Hole” attack, as were the National Banking and Stock Commission of Mexico and a state-owned bank in Uruguay, and the list goes on.
What is the “Watering Hole” attack?
The phrase “Watering Hole” attack comes from predators in the natural world that lurk near watering holes, waiting for unsuspecting prey. In the digital world, a “Watering Hole” attack happens when cybercriminals set traps on websites that their intended victims visit frequently.
In other words, a “Watering Hole” attack is a security exploit in which the attacker seeks to compromise a specific group of end users by infecting websites that members of the group are known to visit. The goal is to infect a targeted user’s computer and, from there, gain access to the network at the target’s place of employment.
Watering Hole attacks often employ fresh exploits to remain undetected, either zero-day or one-day exploits. The attack usually follows these steps:
- The attacker first gathers information about the websites that prospective victims visit frequently. These can be the websites of local coffee shops or sites focused on a particular industry.
- The attacker then explores these websites to identify weaknesses and vulnerabilities that can be exploited to plant the “Watering Hole”.
- The attacker then compromises the vulnerable website, typically by injecting a script or a hidden iframe that silently redirects the visitor’s browser to a separate site hosting the exploit code and malware. The compromised site otherwise looks and works as it always has.
- The exploit code on that site fingerprints the victim’s browser and its plugins, looking for vulnerabilities it can exploit.
- If such a vulnerability is found in the browser or on the computer, the final phase of the attack is installing the malicious software on the victim’s computer.
Once under the attacker’s control, the infected machine can be used for various criminal activities.
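To make the injection step concrete, here is an added example (not code from the original article or from any of the reports it cites) of the check a site owner or defender can run against a page: it parses the HTML and flags script and iframe tags that load from domains outside an allowlist, and iframes sized or styled to be invisible, which is how the redirect in the third step is usually planted. The sample page, its domain names and the allowlist are constructed for the example.

```python
"""Scan a web page's HTML for the traces a watering hole injection leaves
behind: script or iframe tags loading from domains the site owner has not
approved, and iframes sized or styled so the visitor cannot see them.

Added example, not code from the original article. The sample page and the
domain names in it are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (hypothetical domains). The last two tags are the
# kind of content an attacker adds after compromising the site.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example-assoc.org/lib/jquery.min.js"></script>
</head><body>
<h1>Industry Association News</h1>
<iframe src="https://video.example-assoc.org/embed/42" width="640" height="360"></iframe>
<iframe src="http://static-update-cdn.example.net/ld.php" width="0" height="0" style="display:none"></iframe>
<script type="text/javascript" src="http://static-update-cdn.example.net/stats.js"></script>
</body></html>"""

# Domains the site owner expects scripts and frames to come from (assumption).
ALLOWED_HOSTS = {"example-assoc.org", "cdn.example-assoc.org", "video.example-assoc.org"}


def _is_hidden(attrs):
    """True if an iframe is sized or styled so the user cannot see it."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    width = (attrs.get("width") or "").strip()
    height = (attrs.get("height") or "").strip()
    return width in {"0", "0px"} or height in {"0", "0px"}


class InjectionScanner(HTMLParser):
    """Collects (tag, src, reason) findings for suspicious script/iframe tags."""

    def __init__(self, page_host, allowed_hosts):
        super().__init__()
        self.page_host = page_host
        self.allowed = set(allowed_hosts) | {page_host}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline script bodies need a separate check, not done here
        host = urlparse(src).hostname  # None for relative URLs, i.e. same origin
        if host is None:
            host = self.page_host
        if host not in self.allowed:
            self.findings.append((tag, src, "third-party source not on allowlist"))
        if tag == "iframe" and _is_hidden(a):
            self.findings.append((tag, src, "hidden iframe"))


def scan_page(html, page_host, allowed_hosts=ALLOWED_HOSTS):
    """Return the list of findings for one page fetched from page_host."""
    scanner = InjectionScanner(page_host, allowed_hosts)
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    for tag, src, reason in scan_page(SAMPLE_PAGE, "www.example-assoc.org"):
        print(f"{reason}: <{tag} src={src}>")
```

Run against the sample page, the scanner reports three findings: the zero-size, display:none iframe both as a third-party source and as hidden, and the stats.js script as a third-party source; the site’s own assets and its CDN pass. In practice the allowlist comes from a known-good copy of the site, and the scan is repeated on a schedule so a newly injected tag shows up as a diff rather than being noticed by a visitor.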
Defending against “Watering Hole” Attacks
Defending against “Watering Hole” attacks is not as easy as training employees to recognise phishing. While the workforce can be trained to avoid common phishing attacks, spotting a compromised website requires considerable technical knowledge and specialised tools: the site looks and behaves exactly as it always has, and the injected redirect is invisible to the visitor.
There are, however, some common practices that help organisations protect against “Watering Hole” attacks. First of all, reliable network and endpoint security protection is essential. Because these attacks often rely on zero-day or one-day exploits for which no signature yet exists, the protection must detect exploitation by behaviour rather than by signatures alone, and should block content and traffic that cannot be appropriately verified.
Furthermore, firewalls should be kept up to date and properly configured. All operating systems and software in use across the organisation should be regularly updated and patched against security holes; browsers and their plugins deserve particular attention, since they are what the exploit targets. Likewise, all organisational websites should be inspected for vulnerabilities and for unexpected third-party content, so that the organisation’s own sites do not become someone else’s watering hole.
Where Watering Hole attacks are concerned, it is of the utmost importance to identify the websites that employees visit regularly and to check the trustworthiness of these sites. A site found to be unreliable should have traffic to and from it blocked immediately, and a warning sent to all interested parties.
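One way to perform this check from the organisation’s own web proxy logs, as an added example that is not part of the original article: build a baseline of the destinations seen in previous weeks, treat the sites that several users open directly as the watering holes to watch, and alert when one of them refers a browser to a domain never seen before, or when such an unknown domain then serves a plugin object or a binary. The log format, hosts and timestamps below are constructed.

```python
"""Hunt for a watering hole in web proxy logs.

The pattern the article describes is a redirect from a site staff visit every
day to an attacker-controlled host that serves the exploit and the payload.
In proxy logs that shows up as a request to a never-before-seen domain whose
Referer is one of the frequently visited sites.

Added example, not from the original article. Log format, hosts and
timestamps are constructed.
"""
from urllib.parse import urlparse

# Constructed proxy log: timestamp client method url referer content-type
# (space-separated; a real proxy would use its own format).
BASELINE_LOG = """\
2018-06-01T09:01:10 10.0.0.12 GET https://news.example-trade.org/ - text/html
2018-06-01T09:01:11 10.0.0.12 GET https://cdn.example-trade.org/app.js https://news.example-trade.org/ application/javascript
2018-06-01T09:05:30 10.0.0.15 GET https://news.example-trade.org/rates - text/html
2018-06-02T08:59:02 10.0.0.20 GET https://news.example-trade.org/ - text/html
2018-06-02T08:59:03 10.0.0.20 GET https://cdn.example-trade.org/app.js https://news.example-trade.org/ application/javascript
"""

TODAY_LOG = """\
2018-06-14T09:00:40 10.0.0.12 GET https://news.example-trade.org/ - text/html
2018-06-14T09:00:41 10.0.0.12 GET https://cdn.example-trade.org/app.js https://news.example-trade.org/ application/javascript
2018-06-14T09:00:41 10.0.0.12 GET http://update-static-cdn.example.net/ld.php https://news.example-trade.org/ text/html
2018-06-14T09:00:43 10.0.0.12 GET http://update-static-cdn.example.net/flash.swf http://update-static-cdn.example.net/ld.php application/x-shockwave-flash
2018-06-14T09:00:47 10.0.0.12 GET http://update-static-cdn.example.net/p.exe http://update-static-cdn.example.net/ld.php application/octet-stream
2018-06-14T09:12:05 10.0.0.15 GET https://news.example-trade.org/rates - text/html
"""

# Content types that mean "something executable reached the browser".
ACTIVE_CONTENT = {"application/x-shockwave-flash", "application/octet-stream",
                  "application/java-archive"}


def parse(log):
    """Turn the constructed log text into a list of record dicts."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, referer, ctype = line.split()
        records.append({
            "ts": ts, "client": client, "method": method, "url": url,
            "host": urlparse(url).hostname,
            "referer_host": None if referer == "-" else urlparse(referer).hostname,
            "ctype": ctype,
        })
    return records


def frequent_sites(records, min_clients=2):
    """Sites opened as top-level pages (no Referer) by several clients."""
    clients = {}
    for r in records:
        if r["referer_host"] is None:  # direct navigation, not a sub-resource
            clients.setdefault(r["host"], set()).add(r["client"])
    return {h for h, c in clients.items() if len(c) >= min_clients}


def hunt(baseline_log, today_log):
    """Return (client, referer_host, host, reason) alerts for today's traffic."""
    base = parse(baseline_log)
    known_hosts = {r["host"] for r in base}
    watched = frequent_sites(base)
    alerts = []
    for r in parse(today_log):
        if r["host"] in known_hosts:
            continue
        # Step 1: a watched site refers the browser to a host never seen before.
        if r["referer_host"] in watched:
            alerts.append((r["client"], r["referer_host"], r["host"],
                           "new domain referred from watched site"))
        # Step 2: that unknown host goes on to serve a plugin object or binary.
        elif r["ctype"] in ACTIVE_CONTENT:
            alerts.append((r["client"], r["referer_host"], r["host"],
                           f"{r['ctype']} from unknown host"))
    return alerts


if __name__ == "__main__":
    for alert in hunt(BASELINE_LOG, TODAY_LOG):
        print(alert)
```

On the constructed logs the hunt raises three alerts for client 10.0.0.12: the redirect from news.example-trade.org to the unknown host, then a Flash object and a binary served from that host. The second rule matters because a well-run campaign serves the exploit to only a few targeted addresses, so a single referral event can be the only sign; corroborating it with the content that followed cuts down on false positives from ordinary new advertising or CDN domains.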
Hiding online activity is another way to reduce exposure to “Watering Hole” attacks. This can be done with Virtual Private Networks (VPNs) and the browser’s private browsing feature. This measure has a clear limit: it makes it harder for the attacker to profile visitors, for example to serve the exploit only to addresses belonging to the targeted organisation, but it does nothing to stop the exploit itself if the browser is vulnerable.
Educating employees about “Watering Hole” attacks, especially those with access to critical data and infrastructure, must be part of the organisation’s comprehensive cybersecurity training and awareness programme. As mentioned earlier, this training is not a straightforward task, so browsers should also be configured to use website reputation services that warn users about dangerous websites. These services help ensure that the pages employees access are free from web threats such as malware, spyware, and phishing scams designed to trick users into providing personal information.