With the changing IT environment and the increasing security measures deployed by organizations and individuals, the hackers have become smarter. The mode of targeted attack has changed: instead of using spear phishing, hackers have started using watering holes. The aim of a watering hole attack is to run exploits on well-known and trusted sites likely to be visited by the targeted victims rather than attacking the targeted victims directly. The watering hole attack was first identified in mid-2012 by RSA Security in a campaign known as VOHO.
The watering hole technique relies on exploiting a zero-day vulnerability and infecting legitimate websites that the attacker believes will be visited by the targeted end users. In this technique, the attacker chooses a website that does not have a massive audience but rather caters to a specific group of users. The attacker gathers information about the target users and the websites they frequently visit, and then poisons those websites with exploits. When a target user accesses a compromised site, the user's computer is assessed for the right set of vulnerabilities; if they exist, the exploit is executed and infects the user's system, most often with a Remote Access Trojan (RAT). The attacker thereby gains access to sensitive information in the target organization. The industry sectors most commonly targeted through watering hole attacks are:
- Defence sectors
- Academic sectors
- Government organizations
- Financial services
- Healthcare industry
- Utilities sectors
The watering hole attack is quite successful because the attackers compromise legitimate websites, which most often cannot be blacklisted, and often exploit zero-day vulnerabilities for which no antivirus or IDS signatures are available.
The following are the major challenges an organization faces in detecting and defending against watering hole attacks.
Legitimate Source: The source of the attack is usually a trusted site, so traffic from these sources is considered legitimate and the attacker is able to evade the security controls.
Multi-vendor Environment: With an expanding enterprise and multiple vendors supporting the organization's IT infrastructure, it is difficult to manage access policies.
Mobile Users: Associates with a mobile profile often use personal devices for work-related activities and also connect from unsecured networks.
Although it is difficult to detect a watering hole attack attempt, a few measures should be taken to prevent it. The following are some preventive measures against watering hole attacks.
Regular Patch/Version Update: A process should be in place to ensure regular patching and version upgrades of software and applications.
Proactive Network Traffic Monitoring: Build a team that monitors IT infrastructure traffic and logs to identify suspicious activity based on behavioral analysis, alongside signature-based alerts.
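As an added illustration of the behavioral monitoring recommended above (this is example code written for this page, not code from the article or from TCS), the script below triages constructed web-proxy log lines: it learns the set of external domains contacted during a baseline period, then flags any workstation that visits a trusted, routinely used site and, within a short window, contacts a domain never seen in the baseline. That sequence (trusted site, then an unfamiliar host seconds later) is the kind of pattern a watering hole compromise produces and a blacklist cannot catch. The log format, the field names, the trusted-site list and the 30-second window are all assumptions chosen for the example; the log lines are constructed, not real traffic.

```python
"""Added example: behavioral triage of web-proxy logs for watering hole indicators.
Not code from the original article; log format, field names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines: "<ISO timestamp> <client host> <destination domain> <status>".
# The baseline period establishes which external domains are normally contacted.
BASELINE_LOG = """\
2024-01-08T09:00:01 ws-017 industry-news.example 200
2024-01-08T09:00:02 ws-017 cdn.industry-news.example 200
2024-01-08T09:05:10 ws-042 industry-news.example 200
2024-01-08T09:05:11 ws-042 cdn.industry-news.example 200
"""

# Constructed monitored period: ws-042 visits the trusted site and within seconds
# contacts a never-before-seen domain, a sequence worth an analyst's attention.
MONITORED_LOG = """\
2024-01-15T10:12:00 ws-042 industry-news.example 200
2024-01-15T10:12:01 ws-042 cdn.industry-news.example 200
2024-01-15T10:12:03 ws-042 stage.unseen-host.test 200
2024-01-15T11:40:00 ws-017 industry-news.example 200
2024-01-15T11:40:01 ws-017 cdn.industry-news.example 200
"""

TRUSTED_SITES = {"industry-news.example"}  # sites the workforce routinely visits (assumed)
WINDOW = timedelta(seconds=30)              # follow-on connection window (assumed)


def parse_log(text):
    """Turn raw lines into (timestamp, host, domain, status) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        records.append((ts, parts[1], parts[2], parts[3]))
    return sorted(records)


def baseline_domains(records):
    """Set of every domain contacted during the baseline period."""
    return {domain for _, _, domain, _ in records}


def find_followon_anomalies(records, known_domains):
    """Return (host, trusted_site, new_domain, seconds_after) for each case where a host
    reaches a trusted site and, within WINDOW, a domain absent from the baseline."""
    by_host = defaultdict(list)
    for rec in records:
        by_host[rec[1]].append(rec)
    findings = []
    for host, recs in by_host.items():
        for i, (ts, _, domain, _) in enumerate(recs):
            if domain not in TRUSTED_SITES:
                continue
            for later_ts, _, later_domain, _ in recs[i + 1:]:
                if later_ts - ts > WINDOW:
                    break  # records are time-sorted, so nothing later is in the window
                if later_domain not in known_domains and later_domain not in TRUSTED_SITES:
                    delta = int((later_ts - ts).total_seconds())
                    findings.append((host, domain, later_domain, delta))
    return findings


def run():
    """Learn the baseline, then scan the monitored period for follow-on anomalies."""
    known = baseline_domains(parse_log(BASELINE_LOG))
    return find_followon_anomalies(parse_log(MONITORED_LOG), known)


if __name__ == "__main__":
    for host, site, new_domain, delta in run():
        print(f"{host}: {site} -> {new_domain} after {delta}s (domain not in baseline)")
```

A finding from this script is a lead for the monitoring team, not a verdict: the next steps are to inspect the trusted site's served content for an injected redirect or script and to check the flagged workstation for follow-on activity. In practice the baseline would come from weeks of proxy history rather than four lines, and the window and trusted-site list would be tuned per organization.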
With more security implemented by organizations to prevent phishing and other web-based attacks, bad actors are finding other ways to lure their victims into visiting malware-laden websites, and the watering hole attack is one of them. In the watering hole method, the attacker exploits vulnerabilities in poorly secured websites that are often visited by the target victims and thereby succeeds in infecting them to gain access. While detection of a watering hole attack is difficult, it is important for organizations to ensure that systems and applications are updated and patched regularly and to put network traffic monitoring in place. Organizations should also secure their own websites so that they cannot be used as a platform for watering hole attacks.
Authored By - Hemant Sudhanshu
TCS Enterprise Security and Risk Management