This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.
Watering hole attacks are a relatively new phenomenon that have been successfully employed in a number of recent high profile attacks. What is a watering hole attack? Just as lions lie in wait knowing their prey must come to drink, in the cyber version, rather than going after a target directly, the attacker instead infects a trusted resource that potential victims will eventually come to. The indirect nature of the attack could be driven by a desire to ultimately infect a specific but diverse set of victims, or it could be the weak link in the security chain.
For example, attackers may want to infect victims from a specific industry as opposed to an individual company, as was the case last year when mobile developers from companies such as Apple, Facebook and Twitter were compromised when visiting the popular iPhoneDevSDK forum after it had been infected with a Java zero day. Infecting a trusted third party may also represent an avenue of attack that bypasses the stronger security controls at the ultimate target by instead infecting user machines that then have access to the target network.
Regardless of the motivation, a key component of a watering hole attack is the initial compromise of a trusted third-party entity, which does not represent the ultimate target. A watering hole attack is typically an early component in a broader targeted attack and occurs at the Initial Infection phase (see Figure 1). Once the victim machines are compromised, the attackers will laterally move toward their goal and ultimately exfiltrate data.
Energy Sector Watering Hole Attack
Earlier this year, we uncovered a watering hole attack targeting the energy sector. The attackers did not attempt to directly compromise companies they were focused on, but instead identified a UK law firm with an energy law practice. Law firms are often leveraged in targeted attacks, especially when corporate espionage is the goal, given their trusted relationships with clients.
In this attack, the LightsOut exploit kit (EK) was injected into the website of Thirty Nine Essex Street LLP. After which, any browser connecting to an infected page on the site would be silently probed to establish a fingerprint of the client machine. Of importance were the browsers used, plugins employed and versions thereof.
If the victim was running a browser or plugin for which the EK had exploits — in this case for Internet Explorer, Java and Adobe Reader — the appropriate payload was delivered. Once infected, a Remote Access Trojan (RAT) was installed, giving the attackers complete control of the victim machine for use in subsequent phases of the attack.
Sign up for MIS Asia eNewsletters.