The Artful and Dangerous Dynamics of Watering Hole Attacks
A group of researchers recently published findings of an exploitation of multiple iPhone vulnerabilities using websites to infect final targets. The key concept behind this type of attack is the use of trusted websites as an intermediate platform to attack others, and it’s defined as a watering hole attack.
How Does it Work?
Your organization is an impenetrable fortress that has implemented every single cybersecurity measure. Bad actors are having a hard time trying to compromise your systems. But what if the weakest link is not your organization, but a third-party? That is where an “island hopping” attack can take apart your fortress.
“Island hopping” was a military strategy aimed to concentrate efforts on strategically positioned (and weaker) islands to gain access to a final main land target.
One relevant instance of “island hopping” is a watering hole attack. A watering hole attack is motivated by an attackers’ frustration. If they cannot get to a target, maybe they can compromise a weaker secondary one to gain access to the intended one? Employees in an organization interact with third-party websites and services all the time. It could be with a provider, an entity in the supply chain, or even with a publicly available website. Even though your organization may have cutting edge security perimeter protection, the third parties you interact with may not.
In this type of attack, bad actors start profiling employees to find out what websites/services they usually consume. What is the most frequented news blog? Which flight company do they prefer? Which service provider do they use to check pay stubs? What type of industry is the target organization in and what are the professional interests of its employees, etc.?
Based on this profiling, they analyze which one of the many websites visited by employees is weak and vulnerable. When they find one, the next step is compromising this third-party website by injecting malicious code, hosting malware, infecting existing/trusted downloads, or redirecting the employee to a phishing site to steal credentials. Once the site has been compromised, they will wait for an employee of the target organization to visit the site and get infected, sometimes pushed by an incentive such as a phishing email sent to the employees. Sometimes this requires some sort of interaction, such as the employee using a file upload form, downloading a previously trusted PDF report or attempting to login on a phishing site after a redirection from the legitimate one. Finally, bad actors will move laterally from the infected employee device to the desired final target(s).
Figure 1: Watering Hole Attack Dynamics
Victims of a watering hole attack are not only the final targets but also strategic organizations that are involved during the attack chain. As an example, a watering hole attack was discovered in March 2019, targeting member states of the United Nations by compromising the International Civil Aviation Organization (ICAO) as intermediate target[1]. Because the ICAO was a website frequented by the intended targets, it got compromised by exploiting vulnerable servers. Another example from last year is a group of more than 20 news and media websites that got compromised as intermediate targets to get to specific targets in Vietnam and Cambodia[2].
Risk analysis
Because this kind of attack relies on vulnerable but trusted third-party sites, it usually goes unnoticed and is not easily linked to further data breaches. To make sure this potential threat is being considered in your risk analysis, here are some of the questions you need to ask:
- How secure are the websites and services of the entities I interact with?
- Are the security interests of third parties aligned with mine? (Hint: probably not! You may be rushing to patch your web server but that does not mean a third-party site is doing the same).
- What would be the impact of a watering hole attack for my organization?
As with every threat, it is important to analyze both the probability of this threat as well as how difficult it would be for attackers to implement it. This will vary from organization to organization, but one generic approach is to analyze the most popular websites. When checking the top one million websites around the world, it is interesting to note that around 60%[3] of these are using Content Management Systems (CMSs) such as WordPress, Joomla or Drupal.
This creates an extra challenge as these popular CMSs are statistically more likely to be present in an organization’s network traffic and, therefore, are more likely to be targeted for a watering hole attack. It is not surprising then that dozens of vulnerabilities on CMSs are discovered and exploited every month (around 1000 vulnerabilities were discovered in the last two years for just the top 4 CMSs[4]). What is more concerning is that CMSs are designed to be integrated with other services and extended using plugins (more than 55,000 plugins are available as of today). This further expands the attack surface as it creates the opportunity of compromising small libraries/plugins being used by these frameworks.
Consequently, CMSs are frequently targeted by watering hole attacks by exploiting vulnerabilities that enable bad actors to gain control of the server/site, modifying its content to serve a malicious purpose. In some advanced scenarios, they will also add fingerprinting scripts to check the IP address, time zone and other useful details about the victim. Based on this data, bad actors can automatically decide to let go when the victim is not an employee of the desired company or move further in the attack chain when they have hit the jackpot.
Defending against watering hole attacks
As organizations harden their security posture, bad actors are being pushed to new boundaries. Therefore, watering hole attacks are gaining traction as these allows bad actors to compromise intermediate (more vulnerable) targets to later get access to the intended final target. To help keep your organization secure against watering hole attacks, make sure you are including web protection. McAfee Web Gateway can help provide additional defense against certain class of attacks even when the user is visiting a site that’s been compromised by a watering hole attack, with behavior emulation that aims to prevents zero-day malware in milliseconds as traffic is processed. You may also want to:
- Build a Zero Trust model, especially around employees visiting publicly available websites, to make sure that even if a watering hole attack is targeting your organization, you can stop it from moving forward.
- Regularly check your organization’s network traffic to identify vulnerable third-party websites that your employees might be exposed to.
- Check the websites and services exposed by your organization’s providers. Are these secure enough and properly patched? If not, consider the possibility that these may become intermediate targets and apply policies to limit the exposure to these sites (e.g. do not allow downloads if that is an option).
- When possible, alert providers about unpatched web servers, CMS frameworks or libraries, so they can promptly mitigate the risk.
Dealing with watering hole attacks requires us to be more attentive and to carefully review the websites we visit, even if these are cataloged as trusted sites. By doing so, we will not only mitigate the risk of watering hole attacks, but also steer away from one possible pathway to data breaches.
[1] https://securityaffairs.co/wordpress/81790/apt/icao-hack-2016.html
[2] https://www.scmagazine.com/home/security-news/for-the-last-few-months-the-threat-group-oceanlotus-also-known-as-apt32-and-apt-c-00-has-been-carrying-out-a-watering-hole-campaign-targeting-several-websites-in-southeast-asia/
[3] “Usage of content management systems”, https://w3techs.com/technologies/overview/content_management/all
[4] “The state of web application vulnerabilities in 2018”, https://www.imperva.com/blog/the-state-of-web-application-vulnerabilities-in-2018/