Dear Ramey: Watering Hole Attacks Explained
Answering burning questions from victims of cyber events.
I heard this phrase “watering hole attack.” I understand the concept of a phishing email but how is a watering hole attack different?
– Safari Sam
DEAR SAFARI SAM:
Even though a phishing email and a watering hole attack (WHA) share the same purpose — tricking victims in order to gain unauthorized access to remote networks — as your question alludes, they are drastically different types of attacks.
Phishing emails usually involve tricking a user into entering credentials, wiring money, or opening an attachment. While there are varying levels of sophistication within phishing emails, WHAs require a separate, higher level of sophistication.
WHAs derive their name from the real-world strategy of poisoning a central location, typically a water supply, where the enemy is known to consume water. Similar real-world examples could include “fishing with dynamite” or poisoning a waterhole where animals gather instead of hunting each animal individually. WHAs require a centralized location to infect their victims and, if well executed, they are a silent but deadly strategy.
What’s needed to pull off a watering hole attack?
In the cyber landscape, a WHA requires a website, which acts as the central point or “the watering hole.” Typically, the attacker will identify a website, hack it to stage their payload, and wait for victims to launch the payload.
Depending on the attacker’s goal, two situations could prompt the use of a WHA:
- Targeted action. The attacker has a specific victim in mind. Using open-source intelligence or other information, the attacker identifies a website the victim visits regularly and hacks it to host their payload. The attacker then waits for the victim to interact with the payload. Attackers use this tactic for political gain, hacktivism, or corporate espionage.
- Crime of opportunity. The attacker doesn’t have a specific victim in mind. Rather, they intentionally look for popular websites with vulnerabilities to exploit. Once the attacker gains access, they implant their payload and wait for any visitor to interact with it. Attackers use this tactic to deploy ransomware, build botnets, or harvest credentials.
In both scenarios, the attacker hacks a legitimate website, uploads the payload, and expects the victim to interact with that payload directly.
Legitimate websites hacked to host illegitimate files
The sophistication of the watering hole attack not only requires building an exploit payload but also gaining unauthorized access to a legitimate website. After all, if the attacker expects the victim to interact with the payload, the victim needs to think the payload is legit.
The Arete Incident Response (IR) team has responded to and investigated several WHAs involving the SocGholish and Gootloader frameworks. The two frameworks differ in their details, but their goal is the same: package a payload that tricks victims into downloading and executing it on their systems.
During one WHA investigation, the Arete IR team identified a web forum that the threat actor had compromised to host their payload. Once the attacker had access to the web server, they modified the web application code so that the site performed a new function.
The attacker added logic to the web code to record each visitor’s IP address. If it was the visitor’s first visit, or at least 24 hours had passed since their last visit, the forum served a link to download the malicious package. If the visitor returned to the page within 24 hours, the regular link was displayed instead of the malicious payload.
The attacker used this tactic to hide their tracks in case a user who had downloaded the malicious payload returned to the site for a second download. Typically, opening the malicious file does not produce the result the user expected, so the user returns to download the file again to see whether the second download will work correctly.
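The visitor-dependent link swap described above is detectable from the outside: the same page fetched as a fresh visitor and again as a repeat visitor should contain the same links, and any link served only to the fresh visitor deserves scrutiny. The script below is an added example, not Arete’s or the column’s own code. It assumes a defender has captured both responses (for instance from a new source address with no session, then again within the 24-hour window) and compares the links in them; the sample HTML and the hostnames in it are constructed placeholders.

```python
"""Compare two captured responses for the same page and report links that
were served only to the first-time visitor (a sign of cloaked content).

Added example, not the column's own code. The sample responses below are
constructed; forum.example.org and cdn-updates.example.net are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect <a href> targets and <script src> targets from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "script" and attrs.get("src"):
            self.links.append(attrs["src"])


def extract_links(html):
    """Return the set of link targets found in the HTML body."""
    collector = _LinkCollector()
    collector.feed(html)
    return set(collector.links)


def compare_responses(fresh_html, repeat_html, site_host):
    """Return links present only in the fresh-visitor response, sorted, each
    tagged with whether it points off-site (a different host than site_host).
    Relative links count as on-site."""
    only_fresh = extract_links(fresh_html) - extract_links(repeat_html)
    findings = []
    for link in sorted(only_fresh):
        host = urlparse(link).netloc
        findings.append({"link": link, "off_site": bool(host) and host != site_host})
    return findings


# Constructed sample responses: the first visit gets a download link and a
# script hosted elsewhere; the repeat visit within 24 hours gets the normal link.
FRESH = """<html><body>
<a href="/forum/thread/42">Driver pack v2 discussion</a>
<a href="https://cdn-updates.example.net/driver_pack_v2.zip">Download driver pack</a>
<script src="https://cdn-updates.example.net/loader.js"></script>
</body></html>"""

REPEAT = """<html><body>
<a href="/forum/thread/42">Driver pack v2 discussion</a>
<a href="/files/driver_pack_v2.zip">Download driver pack</a>
</body></html>"""

if __name__ == "__main__":
    for finding in compare_responses(FRESH, REPEAT, "forum.example.org"):
        print(finding)
```

In practice the two fetches would come from different source addresses and without cookies, since the cloaking key in this case was the visitor’s IP address. Off-site links that appear only for first-time visitors are the highest-priority findings; a site whose download links legitimately vary per visitor will produce noise, so compare against a known-good capture as well.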
WHAs infect a single point, often a trusted website, and once that site starts hosting the malicious content, anyone who visits can be tricked into downloading and executing the malicious payload. While WHAs are not very common, they can be devastating and very successful.
Level of effort for attackers: Watering hole attacks vs. phishing emails
When describing the level of sophistication of a WHA, let’s compare it to a phishing email:
Comparing a phishing email to a WHA, the high-level overview is almost the same except for step #3. Most will argue that it’s much harder to hack a website and remain undetected. WHAs succeed because many website developers and web server administrators do not actively monitor for changes to production code; instead, they rely on the security of the source-code repository.
WHAs are devastating because people trust the websites they visit, especially when they hold an account or have shared personal information with the site. Inherently trusting a website because it has your information, or because you interact with others through it, can be misleading and expose individuals and companies to successful WHAs.
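The gap just described, production code that nobody compares against the repository, is closed by checking the deployed files against the release they were built from. The script below is an added example, not Arete’s or the column’s own code. It assumes the defender can read both a clean checkout of the release and the production document root; the sample trees, file names and contents are constructed in temporary directories for the example, and the injected file mirrors the kind of change described in the forum case above.

```python
"""Hash every file in the deployed web root and compare against the
source-repository checkout it was supposed to come from.

Added example, not the column's own code. The sample trees below are
constructed; paths and contents are made up for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file path (relative to root, POSIX form) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline, deployed):
    """Return files that were added, modified, or removed in the deployed tree
    relative to the baseline. Any non-empty list is an alert condition."""
    base_keys, dep_keys = set(baseline), set(deployed)
    return {
        "added": sorted(dep_keys - base_keys),
        "modified": sorted(k for k in base_keys & dep_keys if baseline[k] != deployed[k]),
        "removed": sorted(base_keys - dep_keys),
    }


def _write_tree(root, files):
    """Write a dict of relative path -> text content under root."""
    for rel, content in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def demo():
    """Build a clean checkout and a tampered deployment, then diff them."""
    clean = {
        "index.php": "<?php echo 'forum'; ?>\n",
        "js/app.js": "console.log('app');\n",
    }
    # Constructed tampering: an extra include line in index.php and a new file
    # it pulls in, standing in for the visitor-tracking logic described above.
    tampered = dict(clean)
    tampered["index.php"] += "<?php include 'inc/visit.php'; ?>\n"
    tampered["inc/visit.php"] = "<?php /* placeholder for injected logic */ ?>\n"
    with tempfile.TemporaryDirectory() as repo, tempfile.TemporaryDirectory() as docroot:
        _write_tree(repo, clean)
        _write_tree(docroot, tampered)
        return diff_manifests(build_manifest(repo), build_manifest(docroot))


if __name__ == "__main__":
    print(demo())
```

Run the comparison on a schedule from a host the web server cannot write to, using a checkout of the exact tag that was deployed as the baseline, and include server configuration files in the tree. Generated content directories (uploads, caches) should be excluded from the baseline or the diff will be all noise; web application code and templates should never legitimately differ.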
Attackers who invest their time and energy into WHAs are typically more sophisticated. They have the time and resources to invest into the multi-stage attack. They may spend a lot of time researching their victim (both the target and the website) instead of looking for an easier way to attack their target.
Additionally, malware frameworks like SocGholish or Gootloader are not cheap: they require money to build the malicious packages that help trick the victim into opening the payload.
Bottom line: Watering hole attacks require more effort, but often for greater gain.
The differences between a phishing email and a WHA are significant. WHAs appear to be more time-intensive and require a lengthier process to identify websites and host the malicious payload on them.
Attackers who launch WHAs are more sophisticated and have an acute sense of which targets to victimize. While WHAs can be more successful and devastating, more resources are needed to pull them off than to send a phishing email.
To better defend against WHAs, you can:
- Protect web servers with web application firewalls (WAFs).
- Monitor websites, web files, and configurations for changes to the production files.
- Secure source code repositories behind virtual private networks (VPNs) with multi-factor authentication (MFA).
- Limit permissions to developer accounts as well as access tokens for development environments.
- Enable MFA on source-code repositories.
- Implement end-user awareness training for individuals and highlight WHAs as well as other common attack vectors — for example, phishing emails, rogue media, and social engineering.
- Deploy endpoint detection and response (EDR) tools to all endpoints.