Watering hole attack

Last updated

Watering hole is a computer attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware. Eventually, some member of the targeted group will become infected. [1] [2] [3] Hacks looking for specific information may only attack users coming from a specific IP address. This also makes the hacks harder to detect and research. [4] The name is derived from predators in the natural world, who wait for an opportunity to attack their prey near watering holes. [5]

Contents

One of the most significant dangers of watering hole attacks is that they are executed via legitimate websites that are unable to be easily blacklisted. Also, the scripts and malware used in these attacks are often meticulously created, making it challenging for an antivirus software to identify them as threats. [6]

Defense techniques

Websites are often infected through zero-day vulnerabilities on browsers or other software. [4] A defense against known vulnerabilities is to apply the latest software patches to remove the vulnerability that allowed the site to be infected. This is assisted by users to ensure that all of their software is running the latest version. An additional defense is for companies to monitor their websites and networks and then block traffic if malicious content is detected. [7] Other defense techniques include utilizing complex passwords and passkeys to access websites as well as biometric information to protect data from attacks. Utilizing web injections such as firewalls or downloading anti-virus software on to devices can also protect from attacks. [8] Additionally, websites can enhance protection by disabling or removing vulnerable software, such as Flash and Adobe Reader, which are commonly targeted in cyber attacks.

Examples

2011

2012 US Council on Foreign Relations

In December 2012, the Council on Foreign Relations website was found to be infected with malware through a zero-day vulnerability in Microsoft's Internet Explorer. In this attack, the malware was only deployed to users using Internet Explorer set to English, Chinese, Japanese, Korean and Russian. [13]

2013 Havex ICS software supply chain attack

Havex was discovered in 2013 and is one of five known Industrial Control System (ICS) tailored malware developed in the past decade. Energetic Bear began utilizing Havex in a widespread espionage campaign targeting energy, aviation, pharmaceutical, defense, and petrochemical sectors. The campaign targeted victims primarily in the United States and Europe. [14] Havex exploited supply chain and watering-hole attacks on ICS vendor software in addition to spear phishing campaigns to gain access to victim systems. [15]

2013 US Department of Labor

In mid-early 2013, attackers used the United States Department of Labor website to gather information on users that visited the website. This attack specifically targeted users visiting pages with nuclear-related content. [16]

2015

2016 Polish banks

In late 2016, a Polish bank discovered malware on the institution's computers. It is believed that the source of this malware was the web server of the Polish Financial Supervision Authority. There have been no reports on any financial losses as a result of this [17]

2017 Montreal-based International Civil Aviation Organization attack

There was an organization-level watering-hole attack in Montreal from 2016-2017 by an unknown entity causing a data breach. [18]

2017 CCleaner attack

From August to September 2017, the installation binary of CCleaner distributed by the vendor's download servers included malware. CCleaner is a popular tool used to clean potentially unwanted files from Windows computers, widely used by security-minded users. The distributed installer binaries were signed with the developer's certificate making it likely that an attacker compromised the development or build environment and used this to insert malware. [19] [20]

2017 NotPetya attack

In June 2017, the NotPetya (also known as ExPetr) malware, believed to have originated in Ukraine, compromised a Ukrainian government website. The attack vector was from users of the site downloading it. The malware erases the contents of victims' hard drives. [21]

2018 Chinese country-level attack

There was a country-level watering-hole attack in China from late 2017 into March 2018, by the group "LuckyMouse" also known as "Iron Tiger", "EmissaryPanda", "APT 27" and "Threat Group-3390." [22]

2019 Holy Water Campaign

In 2019, a watering-hole attack, called Holy Water Campaign, targeted Asian religious and charity groups. [23] Victims were prompted to update Adobe Flash which triggered the attack. It was creative and distinct due to its fast evolution. [24] The motive remains unclear. [24] Experts provided a detailed technical analysis along with a long list of Indicators of Compromise (IoCs) involved in the campaign, but none could be traced back to an Advanced Persistent Threat. [25]

Controversy of U.S. mass surveillance/invasion of privacy

In the U.S. a joint civil suit filed by the American Civil Liberties Union (ACLU), Civil Liberties and Transparency Clinic, and Privacy International against various branches of the U.S. Government alleged that the U.S. government had been using watering hole attacks in a new mass invasion of privacy of ordinary citizens. Further, the nature of the civil suit was a failure to comport relevant documents as part of a FOIA request to the various agencies.ACLU and Privacy International et al v. United States Agencies docket available on Courtlistener.com

See also

Related Research Articles

An exploit is a method or piece of code that takes advantage of vulnerabilities in software, applications, networks, operating systems, or hardware, typically for malicious purposes. The term "exploit" derives from the English verb "to exploit," meaning "to use something to one’s own advantage." Exploits are designed to identify flaws, bypass security measures, gain unauthorized access to systems, take control of systems, install malware, or steal sensitive data. While an exploit by itself may not be a malware, it serves as a vehicle for delivering malicious software by breaching security controls.

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

Ransomware is a type of malware that permanently blocks access to the victim's personal data unless a "ransom" is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

<span class="mw-page-title-main">CCleaner</span> Suite of utilities for cleaning disk and operating system environment

CCleaner, developed by Piriform Software, is a utility used to clean potentially unwanted files and invalid Windows Registry entries from a computer. It is one of the longest-established system cleaners, first launched in 2004. It was originally developed for Microsoft Windows only, but in 2012, a macOS version was released. An Android version was released in 2014.

Piriform Software Ltd. is a British software company based in London, owned since 2017 by Avast which itself became part of Gen Digital in 2022. The company develops cleaning and optimisation tools for Microsoft Windows, macOS and Android operating systems, including CCleaner, CCleaner Browser, Defraggler, Recuva and Speccy. On 22 September 2015, Piriform launched CCleaner Cloud, a tool to maintain computers remotely.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

<span class="mw-page-title-main">Tor (network)</span> Free and open-source anonymity network based on onion routing

Tor is a free overlay network for enabling anonymous communication. Built on free and open-source software and more than seven thousand volunteer-operated relays worldwide, users can have their Internet traffic routed via a random path through the network.

Cyber spying, cyber espionage, or cyber-collection is the act or practice of obtaining secrets and information without the permission and knowledge of the holder of the information using methods on the Internet, networks or individual computers through the use of proxy servers, cracking techniques and malicious software including Trojan horses and spyware. Cyber espionage can be used to target various actors- individuals, competitors, rivals, groups, governments, and others- in order to obtain personal, economic, political or military advantages. It may wholly be perpetrated online from computer desks of professionals on bases in far away countries or may involve infiltration at home by computer trained conventional spies and moles or in other cases may be the criminal handiwork of amateur malicious hackers and software programmers.

Zeus is a Trojan horse malware package that runs on versions of Microsoft Windows. It is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. Similarly to Koobface, Zeus has also been used to trick victims of technical support scams into giving the scam artists money through pop-up messages that claim the user has a virus, when in reality they might have no viruses at all. The scammers may use programs such as Command prompt or Event viewer to make the user believe that their computer is infected.

LizaMoon is a piece of malware that infected thousands of websites beginning in September, 2010. It is an SQL injection attack that spreads scareware encouraging users to install needless and rogue "anti-virus software". Although it does not use new infection techniques, it was initially thought to be notable based on the scale and speed at which it spread, and that it affected some of Apple's iTunes service. LizaMoon was initially reported to the general public by Websense Security Lab.

Cozy Bear is a Russian advanced persistent threat hacker group believed to be associated with Russian foreign intelligence by United States intelligence agencies and those of allied countries. Dutch signals intelligence (AIVD) and American intelligence had been monitoring the group since 2014 and was able to link the hacker group to the Russian foreign intelligence agency (SVR) after compromising security cameras in their office. CrowdStrike and Estonian intelligence reported a tentative link to the Russian domestic/foreign intelligence agency (FSB). Various groups designate it CozyCar, CozyDuke, Dark Halo, The Dukes, Midnight Blizzard, NOBELIUM, Office Monkeys, StellarParticle, UNC2452 with a tentative connection to Russian hacker group YTTRIUM. Symantec reported that Cozy Bear had been compromising diplomatic organizations and national governments since at least 2010. Der Spiegel published documents in 2023 purporting to link Russian IT firm NTC Vulkan to Cozy Bear operations.

The Lazarus Group is a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them since 2010. Originally a criminal group, the group has now been designated as an advanced persistent threat due to intended nature, threat, and wide array of methods used when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra and ZINC or Diamond Sleet. According to North Korean defector Kim Kuk-song, the unit is internally known in North Korea as 414 Liaison Office.

Operation Torpedo was a 2011 operation in which the Federal Bureau of Investigation (FBI) compromised three different hidden services hosting child pornography, which would then target anyone who happened to access them using a network investigative technique (NIT).

<span class="mw-page-title-main">Vault 7</span> CIA files on cyber war and surveillance

Vault 7 is a series of documents that WikiLeaks began to publish on 7 March 2017, detailing the activities and capabilities of the United States Central Intelligence Agency (CIA) to perform electronic surveillance and cyber warfare. The files, dating from 2013 to 2016, include details on the agency's software capabilities, such as the ability to compromise cars, smart TVs, web browsers including Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera, the operating systems of most smartphones including Apple's iOS and Google's Android, and computer operating systems including Microsoft Windows, macOS, and Linux. A CIA internal audit identified 91 malware tools out of more than 500 tools in use in 2016 being compromised by the release. The tools were developed by the Operations Support Branch of the CIA.

Playpen was a darknet child pornography website that operated from August 2014 to March 2015. The website operated through the Tor network which allowed users to use the website anonymously. After running the website for 6 months, the website owner Steven W. Chase was captured by the FBI. After his capture, the FBI continued to run the website for another 13 days as part of Operation Pacifier.

Havex malware, also known as Backdoor.Oldrea, is a Remote Access Trojan (RAT) employed by the Russian attributed APT group "Energetic Bear" or "Dragonfly". Havex was discovered in 2013 and is one of five known ICS tailored malware developed in the past decade. These malwares include Stuxnet, BlackEnergy, Industroyer/CRASHOVERRIDE, and TRITON/TRISIS. Energetic Bear began utilizing Havex in a widespread espionage campaign targeting energy, aviation, pharmaceutical, defense, and petrochemical sectors. The campaign targeted victims primarily in the United States and Europe.

VPNFilter is malware designed to infect routers and certain network attached storage devices. As of 24 May 2018, it is estimated to have infected approximately 500,000 routers worldwide, though the number of at-risk devices is larger. It can steal data, contains a "kill switch" designed to disable the infected router on command, and is able to persist should the user reboot the router. The FBI believes that it was created by the Russian Fancy Bear group. In February 2022, the CISA announced that a new malware called Cyclops Blink produced by Sandworm had replaced VPNFilter.

Government hacking permits the exploitation of vulnerabilities in electronic products, especially software, to gain remote access to information of interest. This information allows government investigators to monitor user activity and interfere with device operation. Government attacks on security may include malware and encryption backdoors. The National Security Agency's PRISM program and Ethiopia's use of FinSpy are notable examples.

A web shell is a shell-like interface that enables a web server to be remotely accessed, often for the purposes of cyberattacks. A web shell is unique in that a web browser is used to interact with it.

Cisco Talos, or Cisco Talos Intelligence Group, is a cybersecurity technology and information security company based in Fulton, Maryland. It is a part of Cisco Systems Inc. Talos' threat intelligence powers Cisco Secure products and services, including malware detection and prevention systems. Talos provides Cisco customers and internet users with customizable defensive technologies and techniques through several of their own open-source products, including the Snort intrusion prevention system and ClamAV anti-virus engine.

References

  1. Gragido, Will (20 July 2012). "Lions at the Watering Hole – The "VOHO" Affair". The RSA Blog. EMC Corporation.
  2. Haaster, Jelle Van; Gevers, Rickey; Sprengers, Martijn (2016-06-13). Cyber Guerilla. Syngress. p. 57. ISBN   9780128052846.
  3. Miller, Joseph B. (2014). Internet Technologies and Information Services, 2nd Edition. ABC-CLIO. p. 123. ISBN   9781610698863.
  4. 1 2 Symantec. Internet Security Threat Report, April 2016, p. 38
  5. Rouse, Margaret. "What is watering hole attack?". SearchSecurity. Retrieved 2017-04-03.
  6. APOSTOL, Mihai; PALINIUC, Bogdan; MORAR, Rareș; VIDU, Florin (2022-05-18). "Malicious Strategy: Watering Hole Attacks". Romanian Cyber Security Journal. 4 (1): 29–37. doi: 10.54851/v4i1y202204 . ISSN   2668-6430.
  7. Grimes, Roger A. "Watch out for waterhole attacks -- hackers' latest stealth weapon". InfoWorld. Retrieved 2017-04-03.
  8. Ismail, Khairun Ashikin; Singh, Manmeet Mahinderjit; Mustaffa, Norlia; Keikhosrokiani, Pantea; Zulkefli, Zakiah (2017-01-01). "Security Strategies for Hindering Watering Hole Cyber Crime Attack". Procedia Computer Science. 4th Information Systems International Conference 2017, ISICO 2017, 6-8 November 2017, Bali, Indonesia. 124: 656–663. doi: 10.1016/j.procs.2017.12.202 . ISSN   1877-0509.
  9. "Feds bust through huge Tor-hidden child porn site using questionable malware". Ars Technica. 2015-07-16. Retrieved 2020-01-19.
  10. Kevin Poulsen (Wired.com) (2015-06-30). "FBI Tor busting 227 1". Documentcloud.org. Retrieved 2020-01-19.
  11. Ashley Podhradsky (2017-01-17). "Scholarly Commons - Annual ADFSL Conference on Digital Forensics, Security and Law: Reverse Engineering a Nit That Unmasks Tor Users". Annual Adfsl Conference on Digital Forensics, Security and Law. Commons.erau.edu. Retrieved 2020-01-19.
  12. Poulsen, Kevin. "The FBI Used the Web's Favorite Hacking Tool to Unmask Tor Users". WIRED. Retrieved 2020-01-19.
  13. "Council on Foreign Relations Website Hit by Watering Hole Attack, IE Zero-Day Exploit". Threatpost . 2012-12-29. Retrieved 2017-04-02.
  14. "ICS Focused Malware". ics-cert.us-cert.gov. Retrieved 2020-12-09.
  15. "Full Disclosure of Havex Trojans". Netresec. 27 October 2014. Retrieved 2020-12-09.
  16. "Department of Labor Watering Hole Attack Confirmed to be 0-Day with Possible Advanced Reconnaissance Capabilities". blogs@Cisco - Cisco Blogs. 4 May 2013. Retrieved 2017-04-03.
  17. "Attackers target dozens of global banks with new malware". Symantec Security Response. Retrieved 2017-04-02.
  18. "'Patient zero' in cyberattack on UN aviation agency was senior official's son, email reveals | CBC News". 2023-02-20. Archived from the original on 2023-02-20. Retrieved 2023-12-26.
  19. "CCleanup: A Vast Number of Machines at Risk". blogs@Cisco - Cisco Blogs. Retrieved 2017-09-19.
  20. "Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users". blogs@Piriform - Piriform Blogs. Retrieved 2017-09-19.
  21. "Researchers Find BlackEnergy APT Links in ExPetr Code". 3 July 2017.
  22. "Chinese Hackers Carried Out Country-Level Watering Hole Attack".
  23. "Kaspersky uncovers a creative water hole attack discovered in the wild". Kaspersky. 26 May 2021.
  24. 1 2 "Holy water: ongoing targeted water-holing attack in Asia". securelist.com. 31 March 2020. Retrieved 2020-08-05.
  25. "Holy water: ongoing targeted water-holing attack in Asia". securelist.com. 31 March 2020. Retrieved 2022-02-03.