The most common motivations of attackers are financial gain, personal glory, malice and espionage.
Whatever the purpose of the attack, at least one system has to be compromised. To get there, attackers have a wide range of vectors at their disposal, including bypassing security controls, physical access to the host, or exploiting vulnerabilities.
Within this arsenal, vulnerability exploitation is probably the most widespread intrusion vector. The infection methods used can take different forms:
- Infection via removable media (CD, USB, SD card, ...)
- Infection via e-mail (an attached file or a malicious link, for instance)
- Infection via the internal network (file shares)
- Infection by browsing a website
The “Watering Hole” belongs to the last category, “infection via a website”, also called “Drive-by Download”, and relies on the following mechanism:
- Creation or compromise of a website by the attacker (access to the administration interface, compromise of an advertising network to inject code into the ads it serves, discovery of an XSS vulnerability, ...)
- Placing the malware on the website (e.g. obfuscated JavaScript code that runs when the page loads, an iframe that loads an ActiveX control or a malicious Java applet hosted on a different website, ...)
- Compromise of the client host. The victim is enticed to visit, or automatically redirected to, the website hosting the malware. Their browser runs the malicious code and malware is silently installed on their desktop or smartphone. The attacker then has partial or full access to the infected device.
Is it just a “Drive-by Download” attack?
The difference between a “Watering Hole” and a “Drive-by Download” attack is that the websites initially compromised are carefully picked (see step 1).
Indeed, depending on the target, the choice is mainly based on where the targeted entity is located or on what it does.
Several real cases can be quoted as examples:
- Professional (political/religious/trade-union related, ...): in the case of Apple, Microsoft and Facebook last February, the compromised website was dedicated to iPhone development (iphoneDevSDK), a site most likely visited by developers from all three companies. The targeted population may also be narrower, as illustrated by the compromise of the site « http://www.rferl.org » (Radio Free Europe / Radio Liberty).
- Geographical: in the VOHO attack of September 2012, the attackers had compromised a local government website in the state of Maryland and the website of a bank located in Massachusetts, in order to compromise the machines of a specific population living or working in the targeted areas.
- And why not personal: one could well imagine the sports or music club attended by the victim's children being compromised...
Why use this method instead of another?
Compared with phishing, for instance, this method offers many advantages to the attacker:
- Scalable:
  - The attacker can “easily” cover a wide range of victims. “Drive-by Download” is widely used by cybercriminals to compromise a large number of machines quickly;
  - Exploitation of recent Java or Adobe Flash vulnerabilities can bypass the sandboxing mechanisms built into web browsers, and thus cover many vulnerable operating systems and browsers;
- Efficient: combined with the exploitation of a “0-day” vulnerability, the infection rate can be very high. RSA's report on the VOHO campaign, which dealt with “Watering Hole” attacks, identified 32,160 hosts belonging to 731 organisations that had been redirected to the exploit, of which about 12% were actually infected.
- Stealthy: no user action is required beyond browsing their usual websites. The absence of any visible signal also makes it hard to spot the source of the infection. Finally, the ability to filter which machines get infected (IP range, browser language, location, ...) limits collateral damage and therefore the visibility of the attack.
However, this method also has some drawbacks:
- A reconnaissance step is potentially needed, in which the attacker identifies the favourite websites of the intended victims.
- A step in which the attacker has to compromise legitimate websites is required; however, attackers can identify vulnerable websites using automated scans.
- The attackers must carry out post-infection analysis to determine, for each infected host, which kind of profile has been infected and whether it matches the target (company, role, ...).
NB: The filtering applied to limit the set of compromised hosts is also used in phishing attacks.
What are the defense mechanisms?
There is no single answer to this kind of threat. Best practices must therefore be applied to limit the risk of infection and to react quickly in case of compromise:
- [Update] – The vulnerabilities exploited most often relate to technologies such as Java or Adobe Flash. At the very least, these applications must be updated regularly. However, this measure may not be sufficient (0-day, for instance), so we recommend uninstalling them when the business does not require them.
- [Web Filtering] – Keep the blacklist of the filtering device up to date by adding, automatically and if necessary manually, websites known to host malware (maintaining a security watch is highly advised). More drastically, web browsing by the VIP population can be forced onto desktops located on a segregated network.
- [Desktop hardening] – Mitigations can also be put in place. Java, for instance, can be configured with a high security level so that unsigned applets do not run automatically. Similar measures can be applied to the Flash plug-in. It is also possible to push browser extensions such as “NoScript” to block JavaScript, Flash and Java execution in the browser.
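A blacklist only catches exploit hosts that are already known. The chain described earlier (a page on a legitimate site pulls in a frame from another host, that host serves a Java archive or Flash file, and an executable is downloaded seconds later) is itself detectable in proxy logs, which helps the “security watch” spot an unknown watering hole. The following is an added example, not part of the original article: a heuristic detector run over constructed proxy log lines (the log format, hosts and addresses are invented for the example).

```javascript
'use strict';
// Added example, not from the original article: heuristic detection of a drive-by chain in
// proxy logs. Log format (constructed for this example, not a real proxy's):
//   ISO-timestamp client-ip method url referer status content-type   ("-" = no referer)

const SAMPLE_LOG = [
  // Client .25 reads a news site; the page pulls a frame from an unrelated host, which serves
  // a .jar, and an .exe follows five seconds later: the pattern the text describes.
  '2013-03-04T09:12:01Z 10.0.0.25 GET http://news.example.test/index.html - 200 text/html',
  '2013-03-04T09:12:02Z 10.0.0.25 GET http://news.example.test/js/site.js http://news.example.test/index.html 200 application/javascript',
  '2013-03-04T09:12:03Z 10.0.0.25 GET http://cdn-stat.example.invalid/applet.html http://news.example.test/index.html 200 text/html',
  '2013-03-04T09:12:04Z 10.0.0.25 GET http://cdn-stat.example.invalid/x.jar http://cdn-stat.example.invalid/applet.html 200 application/java-archive',
  '2013-03-04T09:12:09Z 10.0.0.25 GET http://cdn-stat.example.invalid/update.exe - 200 application/x-msdownload',
  // Client .31 reads the same site but does not match the attacker's filter: nothing happens.
  '2013-03-04T09:15:00Z 10.0.0.31 GET http://news.example.test/index.html - 200 text/html',
  '2013-03-04T09:15:01Z 10.0.0.31 GET http://news.example.test/js/site.js http://news.example.test/index.html 200 application/javascript',
  // Client .40 downloads a .jar from the site it is browsing: same host, no binary afterwards.
  '2013-03-04T09:40:10Z 10.0.0.40 GET http://downloads.example.test/tool.jar http://downloads.example.test/ 200 application/java-archive',
].join('\n');

const EXPLOIT_URLS = [/\.(jar|class|swf)(\?|$)/i];
const EXPLOIT_TYPES = [/java-archive/i, /x-java/i, /x-shockwave-flash/i];
const BINARY_URLS = [/\.(exe|dll|scr)(\?|$)/i];
const BINARY_TYPES = [/x-msdownload/i, /x-dosexec/i, /octet-stream/i];

const matchesAny = (patterns, s) => patterns.some((re) => re.test(s || ''));

function hostOf(url) {
  try { return new URL(url).hostname; } catch (e) { return null; }
}

// Parse one log line into an event; returns null for lines that do not fit the format.
function parseLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 7) return null;
  const [ts, client, method, url, referer, status, ctype] = f;
  const time = Date.parse(ts);
  if (Number.isNaN(time)) return null;
  return { ts: time, client, method, url, referer: referer === '-' ? null : referer, status: Number(status), ctype };
}

// For each client: an exploit-looking object (.jar/.class/.swf or matching content type) fetched
// from a host that the client first reached via a referer on a *different* host, followed within
// `windowSeconds` by a successful executable download. Returns one record per such chain.
function findDriveByChains(logText, windowSeconds = 30) {
  const events = logText.split('\n').map(parseLine).filter(Boolean).sort((a, b) => a.ts - b.ts);
  const byClient = new Map();
  for (const ev of events) {
    if (!byClient.has(ev.client)) byClient.set(ev.client, []);
    byClient.get(ev.client).push(ev);
  }
  const chains = [];
  for (const [client, evs] of byClient) {
    // host -> host of the referer on the first request this client made to it (the "landing" page)
    const firstReferer = new Map();
    for (const ev of evs) {
      const h = hostOf(ev.url);
      if (h && !firstReferer.has(h)) firstReferer.set(h, ev.referer ? hostOf(ev.referer) : null);
    }
    evs.forEach((ev, i) => {
      if (!(matchesAny(EXPLOIT_URLS, ev.url) || matchesAny(EXPLOIT_TYPES, ev.ctype))) return;
      const exploitHost = hostOf(ev.url);
      const wateringHole = firstReferer.get(exploitHost);
      if (!wateringHole || wateringHole === exploitHost) return; // not pulled in from another site
      const deadline = ev.ts + windowSeconds * 1000;
      const payload = evs.slice(i + 1).find((n) => n.ts <= deadline && n.status === 200 &&
        (matchesAny(BINARY_TYPES, n.ctype) || matchesAny(BINARY_URLS, n.url)));
      if (payload) chains.push({ client, wateringHole, exploitHost, exploitUrl: ev.url, payloadUrl: payload.url });
    });
  }
  return chains;
}

console.log(JSON.stringify(findDriveByChains(SAMPLE_LOG), null, 2));
```

On the sample, only client 10.0.0.25 produces a record, naming news.example.test as the probable watering hole and cdn-stat.example.invalid as the exploit host; the referer link between the two is what distinguishes the chain from an ordinary Java download. The host it names is the one to add to the blacklist and the one whose other visitors need to be checked, which is exactly the post-infection triage the attacker also has to do from the other side.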
Conclusion
“Watering Hole” attacks share the same goals as “Spear-phishing” attacks and the same infection method as “Drive-by download” attacks.
This combination is mostly used in attacks aimed at breaking into an organisation, whichever hosts end up infected.
Over time, and thanks to awareness campaigns, users, and especially the VIP population, have become increasingly cautious about opening e-mail attachments. “Spear-phishing” attacks are therefore being complemented by “Watering Hole” attacks, which require no action from the victim beyond browsing their favourite websites...