Cyber criminals have developed a strategy for cyber-attack known as the “watering hole”. It shows once again that attackers adapt faster than most defenses: a perimeter that filters unsolicited mail and attachments does little against an attack that arrives through a website employees already trust.
In a watering hole attack, the attacker does not hit the target organization's network directly. Instead they compromise a third-party site that employees visit, often using cloud-hosted tracking services to pick that site, and let the victims' own browsers carry the malicious code into even the most tightly protected government agency and private enterprise networks.
Talking about PAST:
Earlier, attackers relied on email with enticing or alarming subject lines and attachments such as “I LOVE YOU” or “You have won the lottery”. Through such phishing attacks they target individuals belonging to a specific organization in order to gain a foothold and reach its critical information. Compromised individuals help the attacker map the organization's employee hierarchy and harvest credentials, including digital certificates, which are then used to gain unauthorized access to, and control over, the organization's IT infrastructure.
As employee awareness has grown, these traditional methods have become much less reliable. The more sophisticated approach now hitting enterprises is the “watering hole attack”. Here the attacker injects malicious code into a website that the company's staff already trust and visit. To choose that site, the attacker first profiles an employee or group of employees, then uses the compromised site to spread malicious code inside the organization.
How to find TRUSTED sites:
Inserting malicious code into heavily visited sites such as yahoo.com, espn.com or cnn.com is very hard, because those sites are well defended. Instead the attacker looks for a less secure site that employees of the targeted company visit often. To find it, the attacker uses the same automated tracking that marketing and advertising services use: when employees surf the Internet from the company's network, these tracking services record which sites that network visits and how often. That data maps the organization's browsing pattern and behavior and shows which sites employees frequent. From it the attacker can deduce the organization's browsing history and which cloud services its access policies allow. In other words, it tells an attacker which watering holes you let your employees visit.
The attacker then plants malicious code in the watering hole site; less secure blogs and other easily compromised sites are favoured. Then they wait for the users who visited the site in the past to return. When a user visits, the injected code redirects the browser to a malicious server, which probes the user's machine for exploitable vulnerabilities. The probability of success is high because the tracking data has already confirmed that traffic to the site is both permitted by the company and frequent.
Once the TRAP is laid — Ready for the real attack:
Once a user has walked into the trap, the attacker begins assessing the victim's system for vulnerabilities to exploit. When the user opens the watering hole page, a small piece of code is downloaded and run in the background automatically; there is no need to click anything or download a file. This is a “drive-by download”. The code fingerprints the browser and its plug-ins and selects an exploit for recently discovered or zero-day vulnerabilities, gambling that the user has not patched Java, Internet Explorer, Flash or Adobe Reader. If an exploit succeeds, then depending on the user's access rights the attacker can reach the organization's sensitive and critical information: intellectual property, customer information, employee data or financial data.
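The two analyses described above, as an added worked example that is not part of the original article: the first function ranks the sites an organization's users visit most, excluding the major well-defended ones (the view an attacker reconstructs from ad-tracking data, and the view a defender gets from proxy logs); the second flags a drive-by chain in which a visit to one site is followed within seconds by a Java, Flash or PDF payload from a different host whose referer chain leads back to it. The log format, the host names (widgets.industry-forum.example, cdn-stat.example.net and the others) and every log line are constructed for this example.

```python
"""Watering-hole candidate ranking and drive-by chain detection over proxy logs.

Added example; the log format and all hosts/users below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample proxy log (not real traffic). One request per line:
# <ISO timestamp> <user> <url> <referer or -> <status> <content-type>
SAMPLE_LOG = """\
2024-03-04T08:01:10 alice http://www.cnn.com/ - 200 text/html
2024-03-04T08:02:15 alice http://widgets.industry-forum.example/news.php - 200 text/html
2024-03-04T08:03:01 bob http://widgets.industry-forum.example/news.php - 200 text/html
2024-03-04T08:03:40 carol http://www.cnn.com/ - 200 text/html
2024-03-04T08:05:12 carol http://widgets.industry-forum.example/news.php - 200 text/html
2024-03-04T08:05:14 carol http://cdn-stat.example.net/r.php?id=7 http://widgets.industry-forum.example/news.php 200 text/html
2024-03-04T08:05:16 carol http://cdn-stat.example.net/app.jar http://cdn-stat.example.net/r.php?id=7 200 application/java-archive
2024-03-04T08:06:00 dave http://www.espn.com/ - 200 text/html
2024-03-04T08:07:30 dave http://widgets.industry-forum.example/news.php - 200 text/html
2024-03-04T09:10:00 erin http://bigcorp-benefits.example.org/login - 200 text/html
"""

# High-traffic sites the attacker is unlikely to compromise (hypothetical list).
MAJOR_SITES = {"www.cnn.com", "www.espn.com", "www.yahoo.com"}
# Content types that feed the plug-ins named in the article: Java, Flash, Reader.
PLUGIN_TYPES = {"application/java-archive", "application/x-shockwave-flash", "application/pdf"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, url, ref, status, ctype = m.groups()
        yield {"ts": datetime.fromisoformat(ts), "user": user, "url": url,
               "host": urlsplit(url).hostname, "referer": None if ref == "-" else ref,
               "status": int(status), "ctype": ctype}


def candidate_watering_holes(entries, min_users=2, exclude=MAJOR_SITES):
    """Rank hosts by number of distinct visiting users, then by hit count.

    Returns (host, distinct_users, hits) tuples, most attractive first. This is
    the ranking an attacker derives from tracking data to pick a site that is
    both popular inside the target and easier to compromise than MAJOR_SITES.
    """
    users_by_host = defaultdict(set)
    hits_by_host = defaultdict(int)
    for e in entries:
        if e["host"] in exclude:
            continue
        users_by_host[e["host"]].add(e["user"])
        hits_by_host[e["host"]] += 1
    ranked = [(h, len(u), hits_by_host[h]) for h, u in users_by_host.items() if len(u) >= min_users]
    ranked.sort(key=lambda t: (-t[1], -t[2], t[0]))
    return ranked


def drive_by_chains(entries, window=timedelta(seconds=30)):
    """Flag plug-in payloads whose referer chain leads back, within `window`,
    to a page on a different host: the trusted site -> redirector -> exploit shape."""
    by_user = defaultdict(list)
    for e in entries:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, payload in enumerate(evs):
            if payload["ctype"] not in PLUGIN_TYPES:
                continue
            chain = [payload["url"]]          # built backwards, reversed at the end
            cur = payload["referer"]          # URL we expect the previous hop to be
            origin = None
            for prev in reversed(evs[:i]):
                if payload["ts"] - prev["ts"] > window:
                    break                     # too far back to be the same page load
                if cur and prev["url"] == cur:
                    chain.append(prev["url"])
                    cur = prev["referer"]
                    if prev["host"] != payload["host"]:
                        origin = prev["host"]  # first hop on a different host
                        break
            if origin:
                findings.append({"user": user, "origin": origin,
                                 "payload_host": payload["host"],
                                 "chain": list(reversed(chain))})
    return findings


if __name__ == "__main__":
    log = list(parse_log(SAMPLE_LOG))
    for host, users, hits in candidate_watering_holes(log):
        print(f"candidate {host}: {users} users, {hits} hits")
    for f in drive_by_chains(log):
        print(f"drive-by? user={f['user']} origin={f['origin']} -> {' -> '.join(f['chain'])}")
```

Two caveats for anyone adapting this to real proxy logs: the ranking deliberately ignores popular sites, so it is only a candidate list, and the chain check depends on referer and content-type fields that exploit kits routinely strip or mislabel, so it is a starting point for hunting rather than a detector on its own.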