Monday, 10 July 2023

What is a watering hole attack? And how can you protect against it?

Malicious cyber activity can take many guises. One attack vector is the watering hole attack. But what is it? And how can you protect your organisation against it?

Malicious cyber activity can take many guises. One attack vector that the UK’s National Cyber Security Centre warns against is a watering hole attack.



A watering hole attack is named after an approach used by predators in the natural world. Knowing that their prey will, at some point, gather around a watering hole to drink, the predator lurks nearby ready to take advantage when their prey’s guard is down.

In the cyber world, attackers sometimes use a similar approach. A watering hole attack targets websites which cyber criminals know their targets will visit. By compromising these websites with malicious code, they can trick their targets into unknowingly downloading malware onto their computers.


How do watering hole attacks work?

Watering hole attacks are a kind of social engineering attack vector. That’s because the would-be attackers profile their intended targets to identify the websites where they are most likely to congregate. Typically, the attackers will pick a website that has relatively low security or known vulnerabilities they can exploit.

The attackers compromise the website, usually by injecting malicious code into the site, often in the form of JavaScript or HTML. Sometimes the malicious payload is downloaded automatically on visiting the site. Other times, the code generates a bogus prompt that encourages the visitor to take some further action which triggers the download, for example clicking a link that redirects to a spoof website or downloading an infected document from the site.

The victim thinks nothing of downloading the document or clicking on the link because they are on a trusted website used by many of their colleagues and peers. As a result, the effects of a watering hole attack may go undetected for a long time.

Once the malicious payload has been downloaded to the victim’s computer, the attackers are free to continue their attack. 

This can take different forms, including:

•    Installing a remote access trojan (RAT) to gain remote access to the target’s computer,

•    Stealing data from that computer,

•    Using the compromised computer to access other assets on the corporate network,

•    Using the victim’s computer as part of a botnet,

•    Cyber espionage, such as the VOHO attack targeting local government in Washington DC and Boston,

•    State-sponsored disruption or terrorism, such as in 2017 when Ukrainian government websites were compromised to spread the ExPetr malware,

•    Spreading ransomware or wiperware.

Sometimes the attackers simply want to steal data that they can sell online. In these instances, they may target consumers and compromise popular consumer websites. The 2015 attack on the Forbes magazine website had this kind of scope. 

However, watering hole attacks are often targeted at a particular industry sector or business. For example, financial services, defence or the public sector. In these instances, the attackers often target public message boards, event or conference websites or other poorly defended targets.

Because they depend on a victim visiting the website, watering hole attacks are opportunistic and almost scattergun in nature.

To attack particular victims in a more targeted fashion, the attackers may combine the watering hole attack with other forms of attack. For example, Proofpoint warns that some attackers combine watering hole attacks with directed phishing attacks. These phishing emails direct the recipients to the specific, compromised parts of the website. By inviting profiled users to visit the compromised website, the attackers have a greater chance of compromising their desired targets. 

Watering hole attacks are very hard to guard against. For one, defending websites against watering hole attacks can be challenging for the organisations that run them. Websites can be infected for months or even years before the attack is detected. And, because users trust the sites they are visiting, they are not on the lookout for potential attacks.


How can you defend against watering hole attacks?

There are a number of ways to protect yourself against watering hole attacks. 

The starting point should be to educate your people so that they understand the risks of watering hole attacks. Training that deters them from clicking on suspicious links, however trustworthy the website, and from bypassing security warnings is useful.

Scan and monitor Internet traffic. Block access to websites not used for work. Web gateways can block drive-by downloads that match a known threat signature or come from a domain with a bad reputation. Monitor for common exploits and use web logging to detect suspicious activity.
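To show what "use web logging to detect suspicious activity" can look like in practice, here is an added example (not from the original post or from Grant McGregor) that runs over constructed web-gateway log lines and flags the two patterns described above: a visit to a trusted site that ends in an executable download, or that leads on to an unknown third-party page. The log format, the site names and the allowlists are all assumptions for the example.

```python
from urllib.parse import urlparse

# Constructed sample web-gateway log lines (assumed space-separated format:
# timestamp client method url status content-type referer; "-" = no referer).
SAMPLE_LOG = """\
2023-07-10T09:01:02Z 10.0.0.5 GET https://industry-forum.example/news/ 200 text/html -
2023-07-10T09:01:03Z 10.0.0.5 GET https://industry-forum.example/static/app.js 200 application/javascript https://industry-forum.example/news/
2023-07-10T09:01:04Z 10.0.0.5 GET https://cdn-updates.example.net/flash_update.exe 200 application/octet-stream https://industry-forum.example/news/
2023-07-10T09:02:10Z 10.0.0.7 GET https://industry-forum.example/agenda.pdf 200 application/pdf https://industry-forum.example/news/
2023-07-10T09:03:00Z 10.0.0.9 GET https://static.example-cdn.com/fonts.css 200 text/css https://industry-forum.example/news/
2023-07-10T09:03:05Z 10.0.0.9 GET https://industry-forum-login.example.org/signin 200 text/html https://industry-forum.example/news/
"""

TRUSTED_SITES = {"industry-forum.example"}          # sites staff routinely visit (assumed)
KNOWN_THIRD_PARTIES = {"static.example-cdn.com"}   # resources the trusted site legitimately loads (assumed)
RISKY_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-msi"}
RISKY_EXT = (".exe", ".msi", ".scr", ".hta", ".docm", ".xlsm", ".jar")

def parse_line(line):
    ts, client, method, url, status, ctype, referer = line.split(" ", 6)
    return {"ts": ts, "client": client, "url": url, "ctype": ctype, "referer": referer}

def is_risky_download(url, ctype):
    # Executable-like content type, or a file extension that runs code when opened
    return ctype in RISKY_TYPES or urlparse(url).path.lower().endswith(RISKY_EXT)

def find_suspicious(log_text):
    """Flag requests that begin on a trusted site and end in an executable download
    or an unexpected off-site page (the infected-download and spoof-redirect cases)."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if urlparse(rec["referer"]).hostname not in TRUSTED_SITES:
            continue                               # only chains that start on a trusted site
        host = urlparse(rec["url"]).hostname
        if host in TRUSTED_SITES:
            if is_risky_download(rec["url"], rec["ctype"]):
                findings.append((rec["client"], "executable served from trusted site", rec["url"]))
        elif host in KNOWN_THIRD_PARTIES:
            continue                               # expected CDN/analytics traffic
        elif is_risky_download(rec["url"], rec["ctype"]):
            findings.append((rec["client"], "off-site executable download via trusted site", rec["url"]))
        elif rec["ctype"].startswith("text/html"):
            findings.append((rec["client"], "trusted site led to unknown third-party page", rec["url"]))
    return findings

if __name__ == "__main__":
    for client, reason, url in find_suspicious(SAMPLE_LOG):
        print(f"{client}: {reason}: {url}")
```

On the sample log this reports the off-site .exe fetched from the forum page and the unknown sign-in page it led to, while the same-site PDF and the known CDN traffic pass quietly.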

Computer hardening and following best practices around device management are the best ways to limit contagion and prevent an attack from spreading. All devices should have up-to-date anti-malware software.

Protect your own organisational website(s) to ensure they aren’t the launchpad for a watering hole attack. Patch all known vulnerabilities as soon as possible and keep software and operating systems up to date.
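Since the attackers' usual foothold is a script injected into the site's own pages, one simple check for your own website is to keep a baseline inventory of the scripts each page is expected to carry and alert when a page served today differs from it. The following is an added example (not code from the original post or from Grant McGregor); the two HTML snippets are constructed, and the baseline-then-compare workflow is an assumption about how you would schedule it.

```python
import hashlib
import re

# Match each <script ...>...</script>, capturing its attributes and inline body
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r'\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)

def script_inventory(html):
    """Fingerprint a page's scripts: 'src:<url>' for external ones,
    'inline:<sha256 prefix>' for inline ones (so edited inline code also shows up)."""
    inventory = set()
    for attrs, body in SCRIPT_RE.findall(html):
        m = SRC_RE.search(attrs)
        if m:
            inventory.add("src:" + m.group(1).strip())
        else:
            digest = hashlib.sha256(body.strip().encode("utf-8")).hexdigest()[:16]
            inventory.add("inline:" + digest)
    return inventory

def compare_to_baseline(current_html, baseline):
    """Return scripts that appeared or disappeared relative to the recorded baseline."""
    now = script_inventory(current_html)
    return {"added": sorted(now - baseline), "removed": sorted(baseline - now)}

# Constructed page as it looked when the baseline was recorded
BASELINE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>window.siteConfig = {lang: "en"};</script>
</head><body>Conference agenda</body></html>"""

# Constructed copy of the same page after an unexpected external script was injected
MODIFIED_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>window.siteConfig = {lang: "en"};</script>
<script src="https://cdn-updates.example.net/t.js"></script>
</head><body>Conference agenda</body></html>"""

BASELINE = script_inventory(BASELINE_HTML)   # in practice, store this when the page is published

if __name__ == "__main__":
    diff = compare_to_baseline(MODIFIED_HTML, BASELINE)
    for entry in diff["added"]:
        print("ALERT: unexpected script on page:", entry)
```

Run it on a schedule against each published page and the "added" list is your alert; an empty diff means the page still carries exactly the scripts you put there.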

A combination of these approaches strengthens your defence. 


What next?

For help to protect your organisation from falling victim to watering hole style attacks, the Grant McGregor team can assist.

Call us: 0808 164 4142

