What Is a Watering Hole Attack and How to Protect Yourself from It?
The online threat landscape is a diverse place. At one end of the spectrum, you've got people with too much time on their hands pushing badly thought-through scams and ad-infested applications that are little more than a nuisance. Then you have moderately skilled hackers who know how to design an efficient infection vector and fool many people into inadvertently installing dangerous malware. Finally, you have the really big fish: sophisticated hacking crews (also referred to as Advanced Persistent Threat (APT) groups) that are often state-sponsored and go after specific, high-profile targets. To achieve their goals, these groups sometimes deploy what has become known in the industry as a 'watering hole attack'.
The difference between regular hackers and state-sponsored threat actors
Compared to run-of-the-mill cybercriminals, APTs have a much harder job. First of all, their targets are often large businesses or government organizations that know how valuable their IT infrastructure is and have thought about its security. APT malware must be very good at fulfilling its tasks while remaining undetected, but even this might not be enough, because deploying that malware could mean getting past the human factor.
In spray-and-pray campaigns targeting click-happy users, this isn't so much of a problem, but the victims of state-sponsored hackers could be much harder to fool. People working for big organizations often go through extensive cybersecurity training and are therefore much less likely to open random attachments or click links in emails. That's why, although it's not completely absent from APTs' arsenal, phishing in this environment might not be that effective. This is where watering hole attacks come in.
What is a watering hole attack?
One of the distinctive characteristics of cybercriminal activity performed by APT groups is that it is often based on careful study of the target's daily routine. When preparing a watering hole attack, hackers use either reconnaissance tools or public information to learn about the victim's browsing habits. They then compromise one or more of the websites the victim visits regularly and use them as the attack vector.
To minimize collateral damage and avoid detection, the malicious code hackers inject often checks every visitor's IP address and triggers the infection only if it matches the intended victim's. That said, watering hole attacks can be aimed not only at a single target but at a group of organizations working in the same sector.
This is where the name of the watering hole attack comes from: just as predators lurk around real-life watering holes to ambush their prey, hackers gather enough information about their targets' online routines to turn a site those targets trust into an effective attack vector. Some of you might say that sounds a bit far-fetched, but, as a portion of Poland's banking sector learned to its own cost a couple of years ago, it's anything but.
In 2017, "a few" commercial Polish banks noticed that something was not quite right with their computer systems. The experts were called in, and it soon became clear that all affected banks were hit by the same strain of previously undocumented malware. Further investigation revealed that the source of infection was the website of Poland's national financial regulator, and researchers from Symantec later noted that other hacking groups had used the same tools to pull off similar watering hole attacks in other parts of the world.
Preventing watering hole attacks
Watering hole attacks show that in the modern online world, not everything is under your control. Everyone uses third-party websites and services in their daily lives, and the fact that these third-party services can be compromised is what makes watering hole attacks possible. That being said, in most cases the actual infection depends on exploit kits, and you have no excuse for not protecting yourself and your organization against this particular threat.
Up-to-date, fully patched software and reputable security tools are obviously the first things that need to be in place, but they're probably not enough. As we've mentioned in the past, although exploit kits are mostly automated, they do sometimes rely on a bit of social engineering, and some basic technical knowledge on the user's side can go a very long way. So, if you work for an organization that might be targeted by watering hole attacks, make sure automatic updates are turned on for all the applications you use, and keep your eyes peeled at all times.
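The article's point is that the compromised site is one the victim already trusts, so the deviation worth catching is a script the site never used to serve. As an added example that is not part of the original article, the Python below shows the kind of baseline check a site operator or a security team that monitors frequently visited sites can run: it parses a page, flags external scripts loaded from hosts outside an allowlist, and flags inline scripts whose SHA-256 hash is not in the recorded baseline. The hostnames, the sample HTML and the "compromised" page are all constructed for illustration; the function and variable names are this example's own, not from any library.

```python
"""Baseline check for injected scripts on a trusted website (added example).

A page's legitimate <script> elements are recorded once (allowed source hosts
plus hashes of known inline blocks). Each later crawl is compared against that
baseline, and anything new is reported. All names and data here are
constructed placeholders.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src="...">
        self.inline = []        # bodies of inline <script> blocks
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # Script bodies may arrive in several chunks; buffer them until </script>.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def sha256_hex(text):
    """Hex SHA-256 of a UTF-8 string, used to fingerprint inline scripts."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def find_injected_scripts(html, allowed_hosts, baseline_inline_hashes):
    """Return (kind, detail) findings that deviate from the recorded baseline.

    allowed_hosts: hostnames from which external scripts are expected (the
    site itself and its known CDNs). A src with no host is same-origin and
    therefore allowed.
    baseline_inline_hashes: sha256 hex digests of the known inline scripts.
    """
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname
        if host is not None and host not in allowed_hosts:
            findings.append(("unexpected_external_script", src))
    for body in collector.inline:
        digest = sha256_hex(body.strip())
        if digest not in baseline_inline_hashes:
            findings.append(("unknown_inline_script", digest))
    return findings


# Constructed baseline: what the page looked like when its owners deployed it.
KNOWN_INLINE = "window.siteConfig = {lang: 'en'};"
BASELINE_INLINE_HASHES = {sha256_hex(KNOWN_INLINE)}
ALLOWED_HOSTS = {"www.regulator.example", "cdn.regulator.example"}

# Constructed page as served after a hypothetical compromise: the legitimate
# external and inline scripts, plus a loader from an unrelated host and an
# inline snippet that was never part of the baseline.
SAMPLE_HTML = f"""
<html><head>
<script src="https://cdn.regulator.example/js/app.js"></script>
<script>{KNOWN_INLINE}</script>
<script src="https://static.unrelated-host.example/loader.js"></script>
<script>var injectedPlaceholder = 1;</script>
</head><body>Placeholder page body.</body></html>
"""


def scan_sample():
    """Run the check over the constructed sample page."""
    return find_injected_scripts(SAMPLE_HTML, ALLOWED_HOSTS, BASELINE_INLINE_HASHES)


if __name__ == "__main__":
    for kind, detail in scan_sample():
        print(f"ALERT {kind}: {detail}")
```

Running the script prints two alerts for the sample page, one for the external loader from the unlisted host and one for the unknown inline block. In practice the baseline would be re-recorded after each legitimate deployment, and the crawl would be scheduled from an address that is not the protected organization's own, since, as the article notes, injected code may only activate for specific visitor IP addresses.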