Watering hole attacks

A lot of online attacks have cool technical names, like SQL injection or cross-site scripting attacks. The online attack we’re talking about today doesn’t. It’s called a watering hole attack, but it’s more of an attack strategy than a specific exploit. And while it doesn’t have a cool name, it still leads to a pretty sophisticated attack that can do a lot of damage. In this article we’ll find out all about watering hole attacks and how to prevent them.

What is a watering hole attack?

Watering hole attacks are similar to spear phishing attacks. They seek to achieve the same goal: persuading an unsuspecting victim to perform an action that will compromise their sensitive information. In a spear phishing attack, this would typically mean sending the victim a targeted email or instant message, prompting them to open an attachment or click on a link in order to compromise their information. In a watering hole attack scenario, there’s no need to lure the victim into compromising themselves.

A watering hole attack is a targeted online attack strategy. The attacker targets an organization and either guesses or observes which websites members of the organization frequently visit. The attacker then infects one or more of these legitimate websites with some form of malicious software, typically via a zero-day vulnerability. Sooner or later, an organization member’s device will become infected, at which point the attacker may gain access to their device and potentially to the organization’s network. As is the case with many, if not most, online attacks, the goal here is to steal personal information, banking details, and intellectual property and gain access to sensitive corporate systems and assets.

Sometimes, however, the attacker will combine both strategies (spear phishing and watering hole attack) to up their odds of success.

The name ‘watering hole attack’ is derived from a predation strategy used by many animals in the wild: the predator stalks its prey as it drinks from a watering hole and waits for the opportune moment to attack.

Before we look at watering hole attacks in more detail, let’s just quickly cover zero-day exploits.

What are zero-day exploits?

A zero-day vulnerability is an exploitable security flaw in a piece of software that is either not publicly known (not even to the software vendor) or is known but for which a patch has not yet been developed. Either way, there is no way to defend against it.

Vulnerabilities are inadvertently introduced into software as developers write their applications. While the vendor will, of course, try to catch as many vulnerabilities as they can, no vendor will ever catch them all. The vulnerabilities that the vendor does not detect or cannot patch are, by definition, zero-day vulnerabilities.

A zero-day exploit is a method used by an attacker to exploit the vulnerability and compromise the system. Zero-day exploits are quite severe and have a high success rate because the software vendor will not be aware of them, nor will the public.

Zero-day exploit example

You remember the infamous Sony hack, right? It was due to a zero-day vulnerability.

In late 2014, Sony Pictures fell victim to a zero-day vulnerability found on its website. While not much is known about the actual exploit used, The New York Times reported that the hackers used a spear phishing attack that embedded malicious code inside company emails. Clicking the link triggered the attack, exploiting the zero-day vulnerability in Sony’s website.

The attack managed to take down Sony’s network and access extremely sensitive information the company was holding, such as upcoming movie titles and details, the organization’s business plans, and emails and the email addresses of senior Sony executives. Much of the breached information was disseminated over the internet.

How do watering hole attacks work?

Here’s how a watering hole attack might work:

  1. The attacker starts by profiling members of the organization they’re targeting, whether a large corporation, a government agency, an activist group, etc. The attacker’s goal is to figure out which websites members of the organization frequently visit. These sites would typically be trade groups, message boards, industry conferences, etc.
  2. Once the attacker has a shortlist of frequently visited sites, they scan those sites for vulnerabilities.
  3. When the attacker finds a suitable vulnerability, they can then craft an exploit to compromise the website.
  4. The attacker then infects the website with their exploit, typically by injecting malicious HTML or JavaScript code into the website. The malicious code could, for example, redirect the victim to a fake website that looks identical to the original site but is under the attacker’s control.
  5. From there, the attacker can obtain the victim’s sensitive information, such as banking details, corporate credentials, account numbers, sensitive documents, etc.
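Step 4 is where a site owner can catch the attack: the injected code shows up as a script the page did not have before. The following is an added example (not code from the original article) that parses a page’s HTML and flags every script not covered by a per-page baseline of allowed script hosts and known inline-script digests; the baseline values and the sample page are constructed.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline for one page: hosts it may load scripts from, and the
# SHA-256 digests of the inline scripts it is known to contain (store per URL).
ALLOWED_SCRIPT_HOSTS = {"www.example-trade-group.org", "cdn.example-trade-group.org"}
KNOWN_INLINE_SHA256 = {hashlib.sha256(b"initNav();").hexdigest()}
class _ScriptCollector(HTMLParser):
    """Collect <script src> URLs and the bodies of inline <script> blocks."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._buf = []  # now inside an inline script body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None

def find_unexpected_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS, known_inline=KNOWN_INLINE_SHA256):
    """Return (kind, detail) findings for every script the baseline does not cover."""
    c = _ScriptCollector()
    c.feed(html)
    findings = []
    for src in c.srcs:
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:  # empty netloc = relative, same-origin URL
            findings.append(("external", host))
    for body in c.inline:
        if hashlib.sha256(body.encode()).hexdigest() not in known_inline:
            findings.append(("inline", body[:40]))
    return findings
# Constructed page: the legitimate layout plus two injected scripts.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-trade-group.org/lib.js"></script>
<script>initNav();</script>
<script src="//cdn.unknown-cdn.example/loader.js"></script>
<script>document.location='https://login.unknown-host.example/';</script>
</head><body>Members area</body></html>"""
```

Run the check from a scheduled job against the live page and alert on any finding; a protocol-relative `//host` source is treated as external, since that is a common way to slip a third-party loader past a casual review.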

In some watering hole attacks, the victim’s device is infected with malware without them even realizing it. This is known as a drive-by attack. If the victim has a high level of trust in the site they’re visiting (or believe they’re visiting), they may well be comfortable downloading files from that website. But they might unwittingly download a Remote Access Trojan (RAT), which would give the attacker remote access to their device.

Examples of watering hole attacks

Facebook, Twitter, Microsoft, and Apple

In 2013, attackers were able to successfully compromise Facebook, Twitter, Microsoft, and Apple’s systems. This was part of an extensive watering hole operation that compromised websites that the employees of the above companies frequently visited. One of the exploited websites in this operation was iPhoneDevSDK.com. Visitors to the compromised websites were served with drive-by downloads of exploits for a zero-day vulnerability found in the Java browser plug-in that ran on both Windows and macOS.

LuckyMouse

From 2017 to 2018, a Chinese hacker group called LuckyMouse was behind a bold cyber espionage campaign. The campaign targeted a large national data center in central Asia with watering hole attacks to try to gain access to sensitive government information and assets. Members of LuckyMouse successfully injected malicious JavaScript code into official government websites that the data center employees frequently consulted. That resulted in the victims being infected with a Remote Access Trojan, providing the attackers with remote access to the compromised systems.

EvilBamboo

In 2023, Tibetan, Uyghur, and Taiwanese organizations and individuals were targeted by a threat actor codenamed EvilBamboo. The attacker created fake Tibetan websites that contained browser-based exploits. EvilBamboo – which operates in accordance with Chinese state wishes – had previously used watering hole attacks to deliver spyware to Android and iOS devices.

ICAO

In 2016, the International Civil Aviation Organization (ICAO), an organization with ties to, and in frequent contact with, the United Nations (the real target of this attack) in order to define civil aviation standards and regulations, fell victim to a watering hole attack. This attack was also attributed to the LuckyMouse hacker group. This time, the group was able to compromise two ICAO servers as well as the domain administrator and systems administrator accounts. At least one UN member state’s website (Turkey’s) was compromised within 30 minutes of the ICAO cyber-attack.

CCleaner

In 2017, hackers managed to insert malicious code into a not-yet-released update of CCleaner without its developers noticing as they were coding the new version of the program. As a result, the malicious code was signed with the digital certificate of Piriform (CCleaner’s parent company), certifying that the update came from a legitimate CCleaner software developer. When unsuspecting users updated their software, they downloaded the malware-laden version and unwittingly compromised their devices. CCleaner is a tool used to clean unwanted “junk” files from Windows and macOS computers. Piriform estimates the number of affected users at 2.27 million.

Holy Water

In 2019, the Holy Water campaign was deployed, a broad watering hole attack targeting Asian religious and charity groups. When victims visited one of the compromised websites, they were prompted to update the Adobe Flash Player on their device. As you may have guessed, accepting the prompt triggered a malicious download, leaving the victim with an infected machine. The motive behind this attack remains unclear to this day.

How to prevent watering hole attacks?

To prevent being used as a compromised website in a watering hole attack

By definition, you can’t protect yourself from a zero-day vulnerability exploit. You can’t defeat what you don’t know exists. However, there are ways to mitigate the risks.

Vulnerability Scanning

Set up and perform regular vulnerability scans. Again, this may not protect you against zero-day exploits, because the vulnerability scanner vendor won’t be aware of them either, and scanning alone will never be enough in itself. Still, it’s worth doing: you can patch the vulnerabilities the scanner does find, and it will also help in hardening your web server.

Security patches

Make sure to install security patches as soon as you can. Updated software is one of the best defenses against all types of online attacks. But a security patch won’t do much for you if an attacker crafts an exploit before the security update is applied. The longer the delay in applying the security update, the higher the risk of a zero-day attack occurring.

Input Validation

This is a big one, and it applies to more than zero-day exploits. Don’t trust user input on your website or application. If you require user input, perform input validation to prevent malformed data from entering your system and potentially compromising it.

Bug bounty programs

Set up a bug bounty program to encourage security researchers to look for and disclose your software vulnerabilities rather than sell them on the black market. The cost of a bug bounty program is almost certainly lower than the cost of dealing with a breach.

To prevent your organization from falling victim to a watering hole attack

Opportunistic watering hole attacks may be discovered by web gateways that detect known attack signatures. But more often than not, these advanced attack vectors from sophisticated cybercriminals will require more dynamic security solutions that can detect, monitor, and block malicious activity and prevent users from accessing suspicious websites.

The following best practices will help organizations prevent their networks and users from falling prey to watering hole attacks:

Use a secure web gateway

It’s recommended to set up a secure web gateway (SWG). An SWG filters out web-based threats and enforces acceptable use policies. With an SWG, users connect to the gateway rather than directly to a website; the gateway then connects to the website on their behalf, weeding out and blocking any offending network traffic. This helps ensure that members of the organization can browse the internet securely. It also helps prevent malware or rootkit downloads and blocks access to malicious sites – which is crucial in avoiding watering hole attacks.

Software updates

Keeping your systems and software updated and installing operating system patches as soon as they are available is essential in mitigating watering hole attacks and any other type of online attack. Updated software is your best bet in defending against the latest known software vulnerabilities in the applications you use online.

Untrusted traffic

Treat all traffic transiting over your organization’s network – especially third-party traffic – as untrusted until it’s validated as being legitimate. Not only will this enhance your organization’s resistance to many kinds of online threats, but it’s always good to be aware of what’s happening over your network. It also enables you to detect irregular traffic patterns.
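One irregular pattern worth looking for in proxy logs is the signature of steps 4 and 5 above: requests to an unfamiliar host whose referer is one of the sites your members are known to frequent. The following is an added example (not from the original article) that runs that check over constructed proxy log lines; the trusted-site and known-third-party lists and the log format are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed assumptions: the sites members are known to frequent, and the
# third-party hosts those sites legitimately pull resources from.
TRUSTED_SITES = {"www.example-trade-group.org"}
KNOWN_THIRD_PARTIES = {"cdn.example-trade-group.org"}

# Constructed proxy log lines: timestamp client method url referer status
SAMPLE_LOG = """
2024-03-04T09:00:01Z 10.1.1.10 GET https://www.example-trade-group.org/members/news.html - 200
2024-03-04T09:00:02Z 10.1.1.10 GET https://cdn.example-trade-group.org/lib.js https://www.example-trade-group.org/members/news.html 200
2024-03-04T09:00:02Z 10.1.1.10 GET https://cdn.unknown-cdn.example/loader.js https://www.example-trade-group.org/members/news.html 200
2024-03-04T09:00:03Z 10.1.1.10 GET https://login.unknown-host.example/ https://www.example-trade-group.org/members/news.html 200
2024-03-04T09:05:11Z 10.1.1.23 GET https://www.example-trade-group.org/members/news.html - 200
2024-03-04T09:05:12Z 10.1.1.23 GET https://cdn.unknown-cdn.example/loader.js https://www.example-trade-group.org/members/news.html 200
2024-03-04T09:07:40Z 10.1.1.31 GET https://www.search-engine.example/?q=aviation - 200
""".strip().splitlines()

def parse_line(line):
    """Split one constructed-format log line into a record; '-' means no referer."""
    ts, client, method, url, referer, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "referer": None if referer == "-" else referer, "status": int(status)}

def host_of(url):
    return urlparse(url).netloc.lower() if url else ""

def find_suspicious_referrals(lines, trusted=TRUSTED_SITES, known=KNOWN_THIRD_PARTIES):
    """Hosts reached as sub-resources of a trusted site but outside its known third parties.
    Returns [(host, distinct_clients, first_url)] with the rarest hosts first, which is
    the shape a newly injected loader or redirect target tends to have."""
    clients, first_url = defaultdict(set), {}
    for rec in map(parse_line, lines):
        dst, ref = host_of(rec["url"]), host_of(rec["referer"])
        if ref in trusted and dst not in trusted and dst not in known:
            clients[dst].add(rec["client"])
            first_url.setdefault(dst, rec["url"])
    return sorted(((h, len(c), first_url[h]) for h, c in clients.items()),
                  key=lambda t: (t[1], t[0]))
```

The output is a triage list, not a verdict: a host that appears here for the first time, loaded by several clients straight after the same trusted page, is the case to investigate first.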

Common sense tips to further help

These common-sense measures will help users avoid watering hole attacks and many other online threats.

  • Use a firewall – All major operating systems have a built-in incoming firewall, and all commercial routers on the market provide a built-in NAT firewall. Make sure these are enabled. They may protect you if you click a malicious link.
  • Only buy well-reviewed, genuine antivirus software from legitimate vendors, and run frequent scans at regular intervals.
  • Never click on pop-ups. Ever. You never know where they’ll take you next.
  • If your browser displays a warning about a website you are trying to access, pay attention to that warning and get your information elsewhere.
  • Don’t open attachments in emails without confirming who the sender is and what the attachment is.
  • Don’t click links (URLs) in emails unless you specifically know who sent the URL and its destination. And even then, scrutinize the link. Is it an HTTP or an HTTPS link? Most legitimate sites use HTTPS today. Does the link contain spelling errors (faceboook instead of facebook)? If you can get to the destination without using the link, do that instead.
  • Don’t reply to emails, text messages, or phone calls that request personal information. This is a classic sign of a phishing scam. And remember that legitimate organizations will never ask you to provide personal information when they contact you by email.

Conclusion

So those are the ins and outs of watering hole attacks. The attack itself is, once again, more of a multi-pronged strategy than a specific vulnerability and exploit. And because it tends to rely on zero-day vulnerabilities, you’ll want to do everything you can to limit your chances of having one crop up in your systems. But, unfortunately, your protection will never be 100%. The best you can hope for is better odds. And to do that, you should put as many of the above tips as you can into practice.

And keep in mind that there could always be a predator stalking you near your water holes…