In recent months, many readers became familiar with the term “Watering Hole,” used to describe an attack implemented to infect a website’s visitors. One could describe it as a “drive-by” exploit used to compromise legitimate websites.
This method of attack is not new: it’s been observed since 2009, when civil society organizations were compromised with this technique, used as vector to deliver 0-day exploits.
The technique is used very effectively to selectively compromise a targeted audience, interested in the specific content found on a targeted website. It’s interesting to note that success of Watering Hole depends on the capabilities of the attacker to develop/produce zero-day exploits that affect a victim’s software.
Typically, the incidence of Water Hole attacks increases in conjunction with a new drive-by exploit. The attackers inject the exploit onto page of website, recognizing the high probability that it will be visited by victims that will be infected only if their software is vulnerable to the exploit. Once an internet user visits the page, a backdoor trojan is installed on his computer:
Watering Hole attack – The Elderwood Project (Symantec)
One of the most interesting papers on the topic is “the Elderwood Project,” published by Symantec Security Search. It describes monitoring the attacking group’s activities for the last three years, revealing the targeting of a large number of industries from various sectors using a number of zero-day exploits.
The metaphor used in the document is very comprehensive:
“The concept of the attack is similar to a predator waiting at a watering hole in a desert. The predator knows that victims will eventually have to come to the watering hole, so rather than go hunting, he waits for his victims to come to him. Similarly, attackers find a Web site that caters to a particular audience, which includes the target the attackers are interested in.”
The principal advantage of the technique is that attackers are able to infect a limited audience representing the target of the cyber operation. For this reason, the difficulty to identify ongoing attacks increases, while attackers analyze a minor amount of data stolen from the victims to gather information of interest.
Typically, the technique is adopted by state-sponsored hackers in cyber espionage campaigns, or by cyber criminals committed to researching specific information. Watering Hole is not very profitable for the criminal world because it does not aim to attack the highest number of possible victims, as happens with computer scams. Due to the need to have a knowledge of zero-day vulnerabilities, it is undoubtedly more expensive in economic terms (think of the purchase of zero-day exploits on the black market) and in R&D (think of the effort needed to develop an exploit).
Spear phishing or Watering Hole?
In a classic Spear Phishing offensive, the attacker sends the victim an email with a malware attached or containing link to a compromised host serving malicious code. As with Watering Hole, Spear Phishing is used prevalently for targeted attacks, but the success of the attack depends on the recipient’s clicking the link or opening an attachment.
It’s easy to understand that there’s a high probability that a would-be victim will discard the malicious email, even if the malware eludes antivirus detection due to the presence of a zero-day exploit. Watering Hole allows to attacker to overcome this difficulty compromising and infecting a website potential victims are likely to visit.
However, the major efficiency of a Watering Hole technique is that it requires much more effort for attackers: to choose the target website with care; to inspect it for vulnerabilities and compromise it to install the exploits.
Security experts are convinced that the number of watering hole attacks is destined to increase rapidly, due to the large diffusion of exploits on the underground market, as well as an increasing interest by governments in committing cyber espionage.