Watering Hole Attacks

Watering Hole Attacks: What They Are and How to Protect Your Organization

In February 2021, hackers targeted a wastewater plant in Oldsmar, Florida, and tried to poison the water supply, potentially endangering around 15,000 residents. Fortunately, an alert plant operator discovered the attack in time and reversed the changes, thereby preventing a huge disaster.

The investigation found that a Florida infrastructure contractor’s website had been compromised to create a watering hole by hosting malicious code on it. The attackers’ targets were mainly water utility organizations in the state of Florida. The malicious script was present on the website for about two months, from December 2020 to February 2021, and more than 1,000 computers from different governmental sectors accessed it. The code could gather information “about the operating system, CPU, browser, input methods, camera, accelerometer, microphone, touchpoints, video card, time zone, geolocation, the screen, and browser plugins.” It was determined that this was a targeted attack on the U.S. water sector.

Although this watering hole and the Oldsmar plant intrusion do not appear to be directly related, an employee of the Oldsmar water facility was found to have visited the watering hole site.

Here, we will discuss what watering hole attacks are, how they work, and how to safeguard your organization against them.

What are watering hole attacks?

Also known as a strategic website compromise, this cyberattack targets victims by compromising popular websites that they already browse, or by creating malicious websites and luring them there. Typically, the aim is to infect end-user systems in order to gain unlawful access to organizational networks and systems. Attackers can also use it to steal personal information such as passwords, credentials, banking information, and other sensitive data.

While similar to phishing or spear-phishing attacks, watering hole attacks have a higher success rate and are quite difficult to detect. Threat actors often create new sites or compromise legitimate websites and applications that cannot simply be blacklisted, and they may employ zero-day exploits that signature-based antivirus controls will not detect. In most cases, victims do not realize that their systems have been infected until much later.

The name “watering hole” attack is derived from hunting. In the wild, predators often lurk around watering holes, waiting to attack prey when it is most vulnerable. Similarly, cybercriminals lurk online to observe their victims’ behavior, compromise the websites and applications that are popular with them, and finally infect the victims’ systems with malware.

The most prominent targets of watering hole attacks are large corporate organizations, government offices, religious organizations, and human rights organizations.

How does a watering hole attack work?

First, cybercriminals have to find a suitable target and profile them: the industry they are in, the organization where they work, their job title, and so on. With this information, they can determine which websites and applications the target visits most often.

Once the threat actors have sufficient information on their target, they either create new websites or look for unpatched vulnerabilities to exploit in existing ones. They then inject malicious code, usually in the form of JavaScript or HTML, that redirects the target to a malware-hosting website. The malware typically used is a Remote Access Trojan (RAT), which gives the cybercriminal remote access to the victim’s system.

When the target user browses the compromised website, the malware is delivered and can infect the system. This happens automatically when the page loads (a drive-by download), or when the victim clicks a link or downloads a file from the compromised site.

Threat actors can then use the installed malware to carry out their objectives. They can access the victim’s credentials, passwords, and other sensitive information and use them in further attacks such as credential stuffing and phishing.

Finally, once the victim’s system has been infected, threat actors focus on compromising other systems in the victim’s organizational network in order to reach and exfiltrate sensitive corporate data, which they can steal, expose, or sell on the dark web.
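The injected-script step above is something a site operator can check for directly. The following is an added example, not code from the article or from the Florida contractor's site: it parses a page's HTML with the standard-library parser and flags every external script whose origin is outside the site's own allowlist, plus every inline script whose SHA-256 is not in a known-good set. The allowlist, the known-good hash and the sample page (including the `collector.attacker.invalid` origin) are constructed for illustration.

```python
"""Baseline check for injected scripts on a page you operate (added example)."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: origins this site legitimately loads scripts from.
ALLOWED_SCRIPT_ORIGINS = {"https://www.example.com", "https://cdn.example.com"}

# Constructed known-good inline scripts, keyed by SHA-256 of their exact text.
KNOWN_INLINE_SHA256 = {hashlib.sha256(b"initMenu();").hexdigest()}

# Constructed sample page: three legitimate scripts and two injected ones.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script>initMenu();</script>
<script src="https://collector.attacker.invalid/fp.js"></script>
<script>/* injected */ loadProfiler();</script>
</head><body>Contractor portal</body></html>"""


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of src attributes
        self.inline = []     # text of inline <script> blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def script_origin(src, page_url):
    """Resolve a script src to its origin; relative paths are same-origin."""
    page = urlparse(page_url)
    parsed = urlparse(src)
    if parsed.netloc:                       # absolute or protocol-relative URL
        return f"{parsed.scheme or page.scheme}://{parsed.netloc}"
    return f"{page.scheme}://{page.netloc}"


def find_unexpected_scripts(html, page_url,
                            allowed_origins=ALLOWED_SCRIPT_ORIGINS,
                            known_inline=KNOWN_INLINE_SHA256):
    """Return (kind, value) findings for scripts that are outside the baseline."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        if script_origin(src, page_url) not in allowed_origins:
            findings.append(("external-script-off-baseline", src))
    for body in collector.inline:
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        if digest not in known_inline:
            findings.append(("inline-script-off-baseline", digest))
    return findings


if __name__ == "__main__":
    for kind, value in find_unexpected_scripts(SAMPLE_PAGE, "https://www.example.com/index.html"):
        print(f"{kind}: {value}")
```

Run this on a schedule against the live site (fetching the page as a visitor would) and diff the findings against the previous run; a Content-Security-Policy with a `script-src` allowlist and Subresource Integrity hashes on the legitimate scripts make the same baseline enforceable in the visitor's browser rather than only observable after the fact.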

How can your organization defend against watering hole attacks?

There are several ways to protect your organization from watering hole attacks. Here is a checklist:

  • Educate your employees about watering hole attacks and their consequences. Conduct regular training and testing to ensure they know the security protocols to follow, and advise them on safe online behavior to reduce the risk of a breach.
  • Implement several strong security controls from reputable vendors, such as antivirus, antimalware, firewalls, encryption, and multi-factor authentication. Regularly test these controls to ensure that they can defend your systems and networks effectively in the event of a cyberattack.
  • Regularly update all organizational software and applications to the latest versions to eliminate vulnerabilities that attackers could exploit. Deploy endpoint security solutions for added protection on all devices.
  • Filter incoming network traffic, especially traffic from third-party and external websites, which should not be trusted in any capacity until it has been thoroughly verified.
  • Monitor your organization’s systems and networks for suspicious activity, for example login attempts from new devices or unusual locations at odd hours. Block any suspicious devices and IP addresses.
  • Use secure virtual private networks to browse safely and to hide your online activity from lurking threat actors. Moreover, block social media applications and sites on your organizational networks, as these may serve as attack vectors in watering hole attacks.
  • Invest in advanced network and threat security solutions such as secure web gateways, email security, and behavior analysis software. These help detect vulnerabilities and exploits early (especially zero-day exploits), identify suspicious behavior, and scan and inspect potentially malicious activity before it can cause damage.
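The monitoring and web-gateway items above translate into a concrete detection. What follows is an added example, not code from the article or any vendor product: it reads constructed web-proxy log lines and flags destination domains that were never seen during a baseline period, were reached with a Referer from a site the organization already knows, and were hit by several distinct internal hosts. That combination is the footprint a watering hole leaves on a proxy when a trusted site starts redirecting staff to a new host. The log format, the baseline, the IP addresses and the `collector.attacker.invalid` domain are all constructed; the threshold is an assumption to tune per environment.

```python
"""Proxy-log heuristic for watering-hole style redirects (added example)."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed baseline: destination domains seen during a quiet reference period.
BASELINE_DOMAINS = {"contractor-portal.example", "cdn.example.com", "search.example"}

# Constructed proxy log. Fields: timestamp client method url status referer ("-" if none).
SAMPLE_LOG = """\
2021-01-05T09:00:01Z 10.1.2.10 GET https://contractor-portal.example/news 200 -
2021-01-05T09:00:02Z 10.1.2.10 GET https://collector.attacker.invalid/fp.js 200 https://contractor-portal.example/news
2021-01-05T09:03:15Z 10.1.2.11 GET https://contractor-portal.example/news 200 -
2021-01-05T09:03:16Z 10.1.2.11 GET https://collector.attacker.invalid/fp.js 200 https://contractor-portal.example/news
2021-01-05T09:10:00Z 10.1.2.12 GET https://search.example/?q=permits 200 -
2021-01-05T09:11:40Z 10.1.2.12 GET https://newvendor.example/catalog 200 https://search.example/?q=permits
"""


def parse_line(line):
    """Split one constructed-format log line into a record dict."""
    ts, client, method, url, status, referer = line.split()
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
        "referer": None if referer == "-" else referer,
    }


def find_suspect_redirect_targets(log_text, baseline=BASELINE_DOMAINS, min_clients=2):
    """Return {new_domain: {"clients": [...], "referers": [...]}} for domains that
    are absent from the baseline, were reached via a Referer on a baseline site,
    and were contacted by at least min_clients distinct internal hosts."""
    by_target = defaultdict(lambda: {"clients": set(), "referers": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        dest = urlparse(rec["url"]).hostname
        if dest in baseline or rec["referer"] is None:
            continue
        ref_host = urlparse(rec["referer"]).hostname
        if ref_host not in baseline:
            continue   # only new domains reached from sites we already trust
        by_target[dest]["clients"].add(rec["client"])
        by_target[dest]["referers"].add(ref_host)
    return {
        dest: {"clients": sorted(v["clients"]), "referers": sorted(v["referers"])}
        for dest, v in by_target.items()
        if len(v["clients"]) >= min_clients
    }


if __name__ == "__main__":
    for dest, info in find_suspect_redirect_targets(SAMPLE_LOG).items():
        print(f"{dest}: {len(info['clients'])} hosts via {', '.join(info['referers'])}")
```

A single host reaching one new domain is everyday noise (the `newvendor.example` line is deliberately left below the threshold); several hosts reaching the same never-seen domain from the same trusted page is what warrants pulling the endpoint and the page source for a closer look.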