Watering Hole Attack
What is a Watering Hole Attack?
A watering hole attack is a form of cyberattack that targets groups of users by infecting websites that they commonly visit. This watering hole definition takes its name from animal predators that lurk by watering holes waiting for an opportunity to attack prey when their guard is down. Likewise, watering hole attackers lurk on niche websites waiting for a chance to infect websites, and in turn, infect their victims with malware.
A watering hole attack differs from phishing and spear-phishing attacks, which typically attempt to steal data or install malware onto users’ devices but are often equally targeted, effective, and challenging to prevent. Instead, a watering hole attack aims to infect users’ computers then gain access to a connected corporate network. Cyber criminals use this attack vector to steal personal information, banking details, and intellectual property, as well as gain unauthorized access to sensitive corporate systems.
Watering hole attacks are relatively rare, but they continue to have a high success rate. That is because they target legitimate websites that cannot be blacklisted, and cyber criminals deploy zero-day exploits that antivirus detectors and scanners will not pick up. Therefore, watering hole attacks are a significant threat to organizations and users that do not follow security best practices.
How Does a Watering Hole Attack Work?
In a watering hole attack, cyber criminals lurk on legitimate websites and wait for an opportunity to target victims. Attackers looking for financial gain or to build a botnet can compromise popular consumer websites. Typically, attackers will target public websites frequented by professionals from specific industries, such as discussion boards, industry conferences, and industry-standard bodies.
The attacker starts by profiling their targets, who are often employees of large organizations, government agencies, or human rights groups, and discover the types of websites they tend to visit most frequently. The attacker searches for a vulnerability within a site, creates an exploit to compromise it, infects the website, and lurks in wait for a victim. They will often infect a website by injecting it with malicious Hypertext Markup Language (HTML) or JavaScript code, which redirects victims to a particular, most likely spoofed website that hosts the attacker’s malware.
Some watering hole attacks will see a cyber criminal deliver and install malware without the victim realizing it, commonly known as a drive-by attack. This relies on the user having trust in the website they visit, to the extent that they will download a file without realizing it has been infected with malware. In this case, the attacker is likely to use malware like a Remote Access Trojan (RAT), which gives them remote access to the victim’s computer.
What Can You Do To Prevent Such Attacks?
Opportunistic watering hole attacks may be discovered by web gateways that detect known attack signatures. But more often than not, these advanced attack vectors from sophisticated cyber criminals will require more dynamic security solutions that can detect, monitor, and block malicious activity and prevent users from accessing suspicious websites.
The following best practices will help organizations prevent their networks and users from falling prey to watering hole attacks:
- Regular security testing: Organizations need to regularly test security solutions to verify that they provide the necessary defense level. This ensures that users always browse the internet securely, prevents intentional and unintentional downloads of malware or rootkits, and stops users from accessing infected or malicious websites.
- Advanced threat protection: Security solutions that protect organizations against advanced attack vectors are crucial to preventing watering hole attacks. Advanced threat protection tools include behavioral analysis solutions, which give organizations a better chance of detecting zero-day exploits before attackers can target users.
- System and software updates: An essential best practice for avoiding watering hole attacks is to update systems and software and install operating system patches as soon as they are made available by vendors. Attackers infect websites by discovering vulnerabilities in their code, making it imperative to spot flaws or gaps in software before cyber criminals find them.
- Treat all traffic as untrusted: Organizations need to consider all traffic to be untrusted until verified as legitimate. This is especially important with third-party traffic and should be a standard approach to internet traffic, regardless of whether it has come from partner websites or popular internet properties like Google domains.
- Test and secure against exposure: Secure web gateways (SWGs) help organizations enforce their internet access policies and filter unwanted or malicious software from reaching user-initiated internet connections. This is crucial with the rise in the Internet-of-Things (IoT) and cloud applications, which increase organizations’ attack surfaces. SWGs protect organizations from external and internal threats with application control, Uniform Resource Locator (URL) filtering, data loss prevention (DLP), remote browser isolation, and deep Hypertext Transfer Protocol Secure (HTTPS) inspection. These solutions are crucial to protecting businesses from the risk of advanced cybersecurity threats like watering hole attacks.
Watering Hole Attack Statistics—Who Has Been Affected?
Major news organization Forbes was the victim of a watering hole attack launched by a Chinese hacking group in 2015. The campaign exploited zero-day vulnerabilities in Internet Explorer and Adobe Flash Player to show malicious versions of Forbes’ "Thought of the Day” feature, which loaded through a Flash widget whenever a visitor accessed a page on the site. This enabled the watering hole attack to infect any vulnerable devices that visited the Forbes website.
FortiGuard Labs discovered a watering hole attack targeting the community of a U.S.-based Chinese news site in August 2019. The attack exploited known vulnerabilities in WinRAR and Rich Text Format (RTF) files, which used various techniques, tools, and backdoor functionalities to target victims.
Another advanced example of watering hole attacks was an exploit of Microsoft’s Visual Basic Script (VBScript) programming language to spread unique malware in February 2019. The threat, which Trend Micro researchers discovered, downloaded a "gist" snippet from GitHub, modified the code to create an exploit, and used a multistage infection scheme that included a backdoor unknown to antivirus products. The malware connected to private Slack channels to lure victims, which required sophisticated hacking techniques.
How Fortinet Can Help
The Fortinet cybersecurity suite helps organizations prevent advanced attacks and cyber espionage, avoid the risk of software vulnerabilities, and block sophisticated malware.
The Fortinet FortiGate next-generation firewalls (NGFWs) filter and monitor network traffic to protect businesses from external and internal threats. They include crucial features like Internet Protocol (IP) mapping, packet filtering, IP security (IPsec), and secure sockets layer virtual private network (SSL VPN) support. Fortinet NGFWs identify and block advanced attacks and malware through application control, intrusion prevention, SSL inspection, and advanced visibility of organizations’ entire attack surface. The firewalls also provide future update capabilities, ensuring organizations’ security defenses evolve in line with the modern threat landscape.
The Fortinet FortiSandbox solution also provides protection from zero-day threats. FortiSandbox confines application actions to safe, isolated environments that analyze interactions and discover any malicious intent. As a result, the malware will only affect the sandbox rather than the devices and users connected to corporate networks.
Fortinet provides comprehensive protection against advanced attacks and cyber espionage techniques through threat intelligence from FortiGuard Labs, supporting solutions like email security, web application security, and FortiClient endpoint protection.
