What is the watering hole technique?

The term “watering hole” refers to initiating an attack against targeted businesses and organizations. In a watering hole attack scenario, threat actors compromise a carefully selected website by inserting an exploit resulting in malware infection.

How does a watering hole technique work?

A watering hole attack typically works this way:

Attackers gather strategic information that they can use to gain entry into their targeted organization. This step can be compared to a military reconnaissance mission. The information gathered may include insights on trusted websites often visited by the employees or members of their targeted entity. The process of selecting websites to compromise was initially dubbed “strategic web compromises.”

Attackers insert an exploit into the selected sites.

Once targeted victims visit the compromised site, the exploit takes advantage of software vulnerabilities, either old or new, to drop malware. The dropped malware may be in the form of a remote access Trojan (RAT), which allows attackers to access sensitive data and take control of the vulnerable system.
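A defender-side check for the insertion step described above, added here as an example and not taken from the original article: a site owner or monitoring team records the scripts a page legitimately serves and compares every later fetch against that baseline, so a `<script>` element that was not there before (the typical form of a watering hole compromise) is flagged. The two HTML snippets and the hostname cdn.example-placeholder.invalid are constructed for illustration.

```python
"""Baseline-vs-live script inventory for a web page (added example).

Inline scripts are compared by SHA-256 of their body, external scripts by
their src attribute, so both a newly injected external loader and a
modified inline block show up as differences.
"""
import hashlib
from html.parser import HTMLParser

# Constructed baseline: the page as it is known to be served legitimately
BASELINE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>window.cfg = {"lang": "en"};</script>
</head><body>Welcome</body></html>"""

# Constructed live fetch: same page with one extra script from an outside host
LIVE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>window.cfg = {"lang": "en"};</script>
<script src="https://cdn.example-placeholder.invalid/js/stats.js"></script>
</head><body>Welcome</body></html>"""


class ScriptCollector(HTMLParser):
    """Collect every <script> on a page as ("src", url) or ("inline", sha256)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._inline = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._inline = []

    def handle_data(self, data):
        # HTMLParser delivers script bodies as raw data while inside <script>
        if self._in_script:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            if self._src:
                self.scripts.append(("src", self._src))
            else:
                body = "".join(self._inline).strip().encode("utf-8")
                self.scripts.append(("inline", hashlib.sha256(body).hexdigest()))
            self._in_script = False


def script_inventory(html):
    """Return the ordered list of script descriptors found in the page."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def find_injected_scripts(baseline_html, live_html):
    """Return scripts present in the live page but absent from the baseline."""
    known = set(script_inventory(baseline_html))
    return [s for s in script_inventory(live_html) if s not in known]


if __name__ == "__main__":
    for kind, value in find_injected_scripts(BASELINE_HTML, LIVE_HTML):
        print(f"unexpected {kind} script: {value}")
```

The baseline should be captured from a trusted build or deployment, not from a fetch of the live site, since a site compromised before the first capture would simply bake the injected script into the baseline.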
Where is this attack technique used?

Watering hole attacks were previously documented in several high-profile cases, which include:

VOHO. In mid-2012 RSA identified a campaign known as VOHO, which was aimed at a particular group of organizations, specifically those involved with business and local government agencies in certain geographic areas. The attackers compromised carefully selected sites by inserting malicious JavaScript to deliver a Gh0st RAT variant. Gh0st RATs were previously seen in other attacks that targeted civic organizations and diplomatic entities worldwide.

Attack on high-profile groups. Just before the end of 2012, the Council on Foreign Relations (CFR) website was compromised to host a zero-day exploit in Internet Explorer. Those who visited the site were served backdoor malware. Microsoft addressed this vulnerability through Microsoft Security Bulletin MS13-008.
Why is it effective?

Attackers incorporate strategies to circumvent the targeted organizations’ defenses in order for watering hole attacks to be effective. The weaknesses they rely on may come in the form of outdated systems or simply human error.

In watering hole attacks, the goal is not to serve malware to as many systems as possible. Instead, the attackers run exploits on well-known and trusted sites likely to be visited by their targeted victims. This makes the watering hole technique effective in delivering its intended payload.

Aside from carefully choosing sites to compromise, watering hole attacks are known to incorporate zero-day exploits that target unpatched vulnerabilities. Thus, the targeted entities are left with little or no defense against these exploits.

This doesn’t mean that attackers don’t target patched system vulnerabilities. Because of patch management difficulties in an enterprise setting, IT administrators may delay deploying critical updates. This window of exposure may lead to a targeted attack leveraging old, but reliable, vulnerabilities.
Who are the targets of a watering hole attack?

The watering hole technique is used in targeted attacks that aim to gather confidential information and intelligence from the following organizations:

Various businesses
Human rights groups
Government offices

The stolen information, in turn, may be used to initiate more damaging attacks against the affected organization.
What is the impact of these attacks?

The social engineering technique used in watering hole attacks is strategic. Unlike a usual social engineering attack, threat actors employing the watering hole technique carefully select the most appropriate legitimate sites to compromise, instead of targeting random sites. Because the watering hole technique targets trusted and frequented sites, relying solely on visiting trusted sites to avoid online threats may not be an effective practice.

In cases where watering hole attacks lead to a RAT, attackers can also execute commands on infected servers. These include spying on and monitoring the activities of the target organization. Because an attacker was able to infiltrate a targeted organization’s network, they can also initiate attacks that are harmful to the organization’s operations, which include modifying or deleting files with crucial information.

We may see more attacks using the watering hole technique in the future. Trend Micro vice president for cyber security Tom Kellermann predicted that because of its better methodology, watering hole attacks can become a more popular way to pollute trusted sites in 2013.
What can I do to prevent these attacks?

Timely software updating. For watering hole attacks that employ old vulnerabilities, an organization’s best defense is to update systems with the latest software patches offered by vendors.

Vulnerability shielding. Also known as “virtual patching,” it operates on the premise that exploits take a definable network path in order to use a vulnerability. Vulnerability shielding helps administrators scan suspicious traffic as well as any deviations from the typical protocols used. Thus, this monitoring empowers system administrators to prevent exploits.

Network traffic detection. Though attackers may incorporate different exploits or payloads in their attack, the traffic generated by the final malware when communicating with the command-and-control servers remains consistent. By detecting these communications, organizations can readily implement security measures to prevent the attack from further escalating. Technologies such as Trend Micro Deep Discovery can aid IT administrators in detecting suspicious network traffic.

Correlating well-known APT activities. Using big data analytics, organizations can gain insight on whether they are affected by a targeted attack by correlating and associating in-the-wild cybercrime activities with what is happening on an enterprise’s network.

Organizations should also consider building their own local intelligence to document previous cases of targeted attacks within the company. This enables organizations to spot possible correlations and gain the insights needed to create an effective action or recovery plan.
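The “network traffic detection” and “correlating well-known APT activities” measures above can be illustrated together, as an added example that is not part of the original article and does not represent any Trend Micro product: RAT traffic to a command-and-control server tends to recur at near-constant intervals, so a host that contacts the same destination on a steady schedule stands out in proxy logs, and a destination that also appears in an intelligence feed turns a suspicion into a confirmed hit. The log lines, client addresses, hostnames (all under the reserved .invalid domain) and the intelligence list are constructed for illustration.

```python
"""Beacon detection and indicator correlation over proxy log lines (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log, one line per request: "timestamp client_ip dest_host bytes"
PROXY_LOG = """\
2013-01-07T09:00:00 10.0.0.5 intranet.corp.example 1200
2013-01-07T09:00:02 10.0.0.5 update.c2-placeholder.invalid 312
2013-01-07T09:05:01 10.0.0.5 update.c2-placeholder.invalid 310
2013-01-07T09:07:44 10.0.0.5 news.example 8800
2013-01-07T09:10:03 10.0.0.5 update.c2-placeholder.invalid 315
2013-01-07T09:15:00 10.0.0.5 update.c2-placeholder.invalid 309
2013-01-07T09:20:02 10.0.0.5 update.c2-placeholder.invalid 311
2013-01-07T09:03:10 10.0.0.9 news.example 9100
2013-01-07T09:31:55 10.0.0.9 news.example 9050
2013-01-07T10:12:07 10.0.0.9 mail.example 2200
"""

# Constructed intelligence feed of hostnames reported as command-and-control servers
THREAT_INTEL = {"update.c2-placeholder.invalid", "static.c2-placeholder.invalid"}


def parse_log(text):
    """Return a list of (timestamp, client_ip, dest_host, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return events


def find_beacons(events, min_connections=4, max_jitter=0.2):
    """Return (client, destination, mean_interval_seconds) for client/destination
    pairs whose inter-request gaps are nearly constant.

    Jitter is measured as the coefficient of variation (stdev / mean) of the
    gaps; legitimate browsing is bursty and irregular, periodic check-ins are not.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)

    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        interval = mean(gaps)
        if interval > 0 and pstdev(gaps) / interval <= max_jitter:
            beacons.append((src, dst, round(interval)))
    return beacons


def correlate(beacons, intel):
    """Split beaconing pairs into those confirmed by the intelligence feed and the rest."""
    confirmed = [b for b in beacons if b[1] in intel]
    unconfirmed = [b for b in beacons if b[1] not in intel]
    return confirmed, unconfirmed


if __name__ == "__main__":
    hits, leads = correlate(find_beacons(parse_log(PROXY_LOG)), THREAT_INTEL)
    for src, dst, interval in hits:
        print(f"CONFIRMED  {src} -> {dst} every {interval}s (known C2)")
    for src, dst, interval in leads:
        print(f"INVESTIGATE {src} -> {dst} every {interval}s (not in intel)")
```

The two outputs map onto the article’s two measures: the confirmed list is the correlation with in-the-wild activity, while the unconfirmed list is the locally generated lead that an organization’s own intelligence should record, since a destination absent from today’s feed may be the indicator that explains the next incident.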