Watering hole attack

Last updated

Watering hole is a computer attack strategy in which an attacker guesses or observes which websites an organization's users frequent and then uses one or more of the websites to distribute malware. Eventually, some member of the targeted users will become infected. [1] [2] [3] Attackers looking for specific information may only target users coming from a specific IP address. This also makes the attacks harder to detect and research. [4] The name is derived from a strategy of predators in the natural world, who wait for an opportunity to attack their prey near watering holes. [5] The attack strategy was named in an RSA blog in 2012. [1] [6]

Contents

One of the most significant dangers of watering hole attacks is that they are executed via legitimate websites that cannot to be easily blacklisted. Also, the scripts and malware used in these attacks are often meticulously created, making it challenging for an antivirus software to identify them as threats. [7]

Examples

2011 Operation Torpedo

In Operation Torpedo, the United States government conducted an attack on 3 Tor websites. The FBI seized access to the websites and continued to run them for a 19 day period. During this time the websites were modified to serve up a NIT, which would attempt to unmask visitors by revealing their IP address, operating system and web browser. The NIT code was revealed as part of the case USA v Cottom et al. Researchers from University of Nebraska at Kearney and Dakota State University reviewed the NIT code and found that it was an Adobe Flash application that would ping a user's real IP address back to an FBI controlled server, rather than routing their traffic through the Tor network and protecting their identity. It used a technique from Metasploit's decloaking engine and only affected users who had not updated their Tor web browser. [8] [9] [10] [11]

2012 US Council on Foreign Relations

In December 2012, the Council on Foreign Relations website was found to be hosting malware targeting a zero-day vulnerability in Microsoft's Internet Explorer. In this attack, the malware was only deployed to users using Internet Explorer set to English, Chinese, Japanese, Korean and Russian. [12]

2013 Havex ICS software supply chain attack

Havex was discovered in 2013 and is one of five known Industrial Control System (ICS) tailored malware developed in the past decade. Energetic Bear began utilizing Havex in a widespread espionage campaign targeting energy, aviation, pharmaceutical, defense, and petrochemical sectors. The campaign targeted victims primarily in the United States and Europe. [13] Havex exploited supply chain and watering-hole attacks on ICS vendor software in addition to spear phishing campaigns to gain access to victim systems. [14]

2013 US Department of Labor

In mid-early 2013, attackers used the United States Department of Labor website desalinate an exploit that gathered information on users that visited the website. This attack specifically targeted users visiting pages with nuclear-related content. [15]

2015 Operation Pacifier

In Operation Pacifier the U.S. government seized a Tor (network) website and installed a malware based "Network Investigative Technique" (NIT) to hack into the web browsers of users accessing the site, thereby revealing their identities. The operation led to the arrest of 956 site users and five prison sentences.[ citation needed ]

2016 Polish banks

In late 2016, a Polish bank discovered malware on the institution's computers. It is believed that the source of this malware was the web server of the Polish Financial Supervision Authority. There have been no reports on any financial losses as a result of this. [16]

2017 Montreal-based International Civil Aviation Organization attack

There was an organization-level watering-hole attack in Montreal from 2016-2017 by an unknown entity causing a data breach. [17]

2017 CCleaner attack

From August to September 2017, the installation binary of CCleaner distributed by the vendor's download servers included malware. CCleaner is a popular tool used to clean potentially unwanted files from Windows computers, widely used by security-minded users. The distributed installer binaries were signed with the developer's certificate making it likely that an attacker compromised the development or build environment and used this to insert malware. [18] [19]

2017 NotPetya attack

In June 2017, the NotPetya (also known as ExPetr) malware, believed to have originated in Ukraine, compromised a Ukrainian government website. The attack vector was from users of the site downloading it. The malware erases the contents of victims' hard drives. [20]

2018 Chinese country-level attack

There was a country-level watering-hole attack in China from late 2017 into March 2018, by the group "LuckyMouse" also known as "Iron Tiger", "EmissaryPanda", "APT 27" and "Threat Group-3390." [21]

2018 Controversy of U.S. mass surveillance/invasion of privacy

In the U.S. a joint civil suit filed by the American Civil Liberties Union (ACLU), Civil Liberties and Transparency Clinic, and Privacy International against various branches of the U.S. Government alleged that the U.S. government had been using watering hole attacks in a new mass invasion of privacy of ordinary citizens. Further, the nature of the civil suit was a failure to comport relevant documents as part of a FOIA request to the various agencies.ACLU and Privacy International et al v. United States Agencies docket available on Courtlistener.com

2019 Holy Water Campaign

In 2019, a watering-hole attack, called Holy Water Campaign, targeted Asian religious and charity groups. [22] Victims were prompted to update Adobe Flash which triggered the attack. It was creative and distinct due to its fast evolution. [23] The motive remains unclear. [23] Experts provided a detailed technical analysis along with a long list of Indicators of Compromise (IoCs) involved in the campaign, but none could be traced back to an Advanced Persistent Threat. [24]

Defense techniques

The targeted users can defend against the malware distributed in a watering hole attack, at least in the case of known vulnerabilities, by appling the latest software patches to remove vulnerabilities that would allow the target to be infected. Organisations, both targeted and running web servers can monitor their websites and networks and then block traffic if malicious content is detected. [25] Using defensive tools such as firewalls or anti-virus software on target devices may also protect from attacks. [26]


See also

References

  1. 1 2 Gragido, Will (20 July 2012). "Lions at the Watering Hole – The "VOHO" Affair". The RSA Blog. EMC Corporation.
  2. Haaster, Jelle Van; Gevers, Rickey; Sprengers, Martijn (2016-06-13). Cyber Guerilla. Syngress. p. 57. ISBN   9780128052846.
  3. Miller, Joseph B. (2014). Internet Technologies and Information Services, 2nd Edition. ABC-CLIO. p. 123. ISBN   9781610698863.
  4. Symantec. Internet Security Threat Report, April 2016, p. 38
  5. Rouse, Margaret. "What is watering hole attack?". SearchSecurity. Retrieved 2017-04-03.
  6. ŞCHEAU, Mircea Constantin; DINCĂ, Gerald (2015). CYBERATTACK- RISK FACTOR FOR FINANCIAL TRANSACTIONS. International Scientific Conference "Strategies XXI", suppl. Suppl_Command and Staff Faculty. Bucharest: ProQuest. Retrieved 2025-09-11.
  7. APOSTOL, Mihai; PALINIUC, Bogdan; MORAR, Rareș; VIDU, Florin (2022-05-18). "Malicious Strategy: Watering Hole Attacks". Romanian Cyber Security Journal. 4 (1): 29–37. doi: 10.54851/v4i1y202204 . ISSN   2668-6430.
  8. "Feds bust through huge Tor-hidden child porn site using questionable malware". Ars Technica. 2015-07-16. Retrieved 2020-01-19.
  9. Kevin Poulsen (Wired.com) (2015-06-30). "FBI Tor busting 227 1". Documentcloud.org. Retrieved 2020-01-19.
  10. Ashley Podhradsky (2017-01-17). "Scholarly Commons - Annual ADFSL Conference on Digital Forensics, Security and Law: Reverse Engineering a Nit That Unmasks Tor Users". Annual Adfsl Conference on Digital Forensics, Security and Law. Commons.erau.edu. Retrieved 2020-01-19.
  11. Poulsen, Kevin. "The FBI Used the Web's Favorite Hacking Tool to Unmask Tor Users". WIRED. Retrieved 2020-01-19.
  12. "Council on Foreign Relations Website Hit by Watering Hole Attack, IE Zero-Day Exploit". Threatpost . 2012-12-29. Retrieved 2017-04-02.
  13. "ICS Focused Malware". ics-cert.us-cert.gov. Retrieved 2020-12-09.
  14. "Full Disclosure of Havex Trojans". Netresec. 27 October 2014. Retrieved 2020-12-09.
  15. "Department of Labor Watering Hole Attack Confirmed to be 0-Day with Possible Advanced Reconnaissance Capabilities". blogs@Cisco - Cisco Blogs. 4 May 2013. Retrieved 2017-04-03.
  16. "Attackers target dozens of global banks with new malware". Symantec Security Response. Retrieved 2017-04-02.
  17. "'Patient zero' in cyberattack on UN aviation agency was senior official's son, email reveals | CBC News". 2023-02-20. Archived from the original on 2023-02-20. Retrieved 2023-12-26.
  18. "CCleanup: A Vast Number of Machines at Risk". blogs@Cisco - Cisco Blogs. Retrieved 2017-09-19.
  19. "Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users". blogs@Piriform - Piriform Blogs. Retrieved 2017-09-19.
  20. "Researchers Find BlackEnergy APT Links in ExPetr Code". 3 July 2017.
  21. "Chinese Hackers Carried Out Country-Level Watering Hole Attack".
  22. "Kaspersky uncovers a creative water hole attack discovered in the wild". Kaspersky. 26 May 2021.
  23. 1 2 "Holy water: ongoing targeted water-holing attack in Asia". securelist.com. 31 March 2020. Retrieved 2020-08-05.
  24. "Holy water: ongoing targeted water-holing attack in Asia". securelist.com. 31 March 2020. Retrieved 2022-02-03.
  25. Grimes, Roger A. "Watch out for waterhole attacks -- hackers' latest stealth weapon". InfoWorld. Retrieved 2017-04-03.
  26. Ismail, Khairun Ashikin; Singh, Manmeet Mahinderjit; Mustaffa, Norlia; Keikhosrokiani, Pantea; Zulkefli, Zakiah (2017-01-01). "Security Strategies for Hindering Watering Hole Cyber Crime Attack". Procedia Computer Science. 4th Information Systems International Conference 2017, ISICO 2017, 6-8 November 2017, Bali, Indonesia. 124: 656–663. doi: 10.1016/j.procs.2017.12.202 . ISSN   1877-0509.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.