Watering hole attacks have been around for a while. This type of attack is not necessarily new, but it’s not commonly used among cybercriminals because it’s a “sit-and-wait” type of approach. The name of the attack comes from the way a predator animal lies in wait at a watering hole—knowing that its prey will eventually come for a drink.

Water hole attacks occur when criminals focus their attack on a specific group. They infiltrate a network by loading malware onto websites that individuals from the targeted group may visit. There are always two victims in a watering hole attack—the organization whose site is used by the hacker and the user who’s the main target for the attack. Even though the cybercriminal doesn’t harm the website hosting the malware or infected code, the site’s reputation and trustworthiness are damaged.

Think of industry websites you visit regularly. More than likely, other companies in your industry visit those sites too. Watering hole attacks are targeted hacks on a specific group, industry, or company. These attacks are not direct. Instead, they come in via a backdoor access point. The goal of the cyber attack is to gain access to your network to steal specific information or build a botnet, which uses internet-connected devices to perform scams and cyber attacks without the user knowing. Watering hole attacks are some of the most challenging attacks to identify because of the way they’re designed.

 

So, how does a watering hole attack work?

There are several steps an attacker will take before they can gain access and steal data. Generally, an attack will operate as follows:

Step 1 | Targets are identified. The attacker pinpoints targets and identifies websites that the intended targets visit frequently. These include public websites such as discussion boards, industry conferences, and industry-standard bodies.

Step 2 | Vulnerability assessment. The attacker then looks for weaknesses and vulnerabilities within the website and compromises it with malicious HTML or JavaScript code. The attacker’s code redirects users  to a separate site that hosts malware, or the malware is loaded directly onto the website.

Step 3 | Malware installation. When the user accesses the website, malware gets installed on the user’s computer.

Step 4 | Theft. Once the user’s computer is infected, the attacker can move around within the network and take the data they want.

 

Recent Attacks

Black Lotus Labs released information on watering hole attacks that occurred in 2019 and 2020 on several Ukrainian websites, as well as a Canadian website. The design of the attack was similar to the compromised San Francisco airport website, and it was determined that the attacks were from the same source. The goal was to access resources such as printers and files, and possibly additional information such as usernames and passwords that allowed access to email accounts and other resources.

Kaspersky researchers found several watering hole attacks focused users in Asia. They found one attack a year after compromised more than 10 websites and infected many other users in Asia. Another attack targeted the national data center of an undisclosed central Asian country in order to gain access to government resources.

Meanwhile, Dragos investigated a watering hole attack on water utilities in Florida. According to a blog post written by Ken Backman, the malicious code was “inserted into the footer file of the WordPress-built website used by a Florida water infrastructure construction company.” The construction company’s website was accessed by a browser from the city of Oldsmar on February 5, and that same day “a water treatment control plant computer attempted to poison the water supply using the computer system’s Human Machine Interface (HMI).”

 

How to prevent a watering hole attack

Protecting your corporate environment from watering hole attacks can be difficult unless you stop employees from accessing the Internet. That’s impossible in today’s world. So, what’s the next best thing?

Follow cyber security best practices. There are certain steps businesses should take to protect themselves against any cyber threat. Following industry best practices will help minimize cyber attacks on your network.

Keep software updated. Regular software maintenance seems to be on the top of prevention list for many types of attacks. Because watering hole attacks look for vulnerabilities, updating software with security patches as soon as they’re available can significantly reduce entry points or your risk of an attack.

Monitor your network. Conducting regular analysis on network traffic, user access, and other security checks can help identify malicious activity and abnormalities inside the corporate network. If you don’t currently do this or don’t have the IT personnel to do it, your managed IT provider can assist with conducting regular network security checks.

Audit industry websites. Knowing what industry websites are frequently accessed can help reduce the chances of a watering hole attack, so make sure to periodically inspect websites for malware.

Hide/Block online activity. Use a VPN or private web browsing features to disguise online activity from external sources. In some cases, you may even want to block certain websites from being accessed because of the risk associated with those sites.

Watering hole attacks are not common but are exceedingly difficult to detect and can have severe consequences if not caught quickly. Educate employees on the different types of cyber attacks that your organization may face, and work with your managed IT provider to ensure that your company has the best protection possible against watering hole attacks.

Visual Edge specializes in managed IT services and security, cloud computing, and print/copy solutions for businesses across the U.S., including remote offices. The company has more than 20-years of technology service with a national network of expert engineers. Request your free, no obligation assessment today.