What is the watering hole attack?
In a watering hole attack, threat actors target a specific establishment, enterprise, organization or business by compromising a carefully selected mobile app that the target's people are known to use, inserting an exploit into it that results in a malware infection.
How does a watering hole technique work?
A watering hole attack follows a fairly fixed pattern. Typically the attack proceeds as follows:
- Before the attack can begin, the attackers gather the information they need to get into the targeted organization or establishment. This stage is comparable to a military reconnaissance mission: the attackers identify trusted but poorly secured mobile applications that employees or members of the target use often. Choosing the least secure of these applications for compromise was originally termed a "strategic App compromise".
- Once a frequently used but weakly secured application has been selected, the attackers insert an exploit into it.
- With the trap set, the attackers wait for the targeted victims to use the compromised application as usual. When they do, the exploit takes advantage of a software vulnerability, old or new, to install malware. This malware is often a remote access Trojan (RAT), which gives the attackers access to sensitive and secret data and control over the vulnerable system.
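The "insert an exploit" stage usually leaves a visible trace in the content the application serves: a script or iframe pointing at a host the application never used before, frequently sized to zero so nobody notices it. As an added example (not code from the original article, and not a tool from Boon Info Tech), the following Python check scans served content for exactly that and is the kind of integrity test a defender can run against a baseline copy of each page. The allowed hosts and both sample pages are constructed for the example.

```python
"""Added example: scan served app content for injected script/iframe references.
Not code from the original article; hosts and sample pages are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ResourceCollector(HTMLParser):
    """Collect every <script> and <iframe> start tag with its attributes."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.resources.append((tag, dict(attrs)))


def _attr(attrs, name):
    """Attribute value, lowercased; valueless attributes come back as ''."""
    return (attrs.get(name) or "").strip().lower()


def _is_hidden(attrs):
    """Zero-size or invisible iframes are a classic injection marker."""
    zero = _attr(attrs, "width") in ("0", "0px") or _attr(attrs, "height") in ("0", "0px")
    style = _attr(attrs, "style").replace(" ", "")
    return zero or "display:none" in style or "visibility:hidden" in style


def find_injected_resources(html, allowed_hosts):
    """Return (tag, src, reason) for script/iframe sources on hosts outside
    the allowlist and for hidden iframes regardless of host."""
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, attrs in collector.resources:
        src = attrs.get("src")
        if not src:
            continue  # inline scripts and srcless iframes are out of scope here
        host = urlparse(src).hostname  # None for relative URLs, which stay first-party
        if host is not None and host not in allowed_hosts:
            findings.append((tag, src, "unexpected host"))
        if tag == "iframe" and _is_hidden(attrs):
            findings.append((tag, src, "hidden iframe"))
    return findings


# Constructed allowlist and sample pages (the example.* names are not real sites).
ALLOWED_HOSTS = {"app.example", "static.app.example"}

CLEAN_PAGE = """<html><body>
<script src="https://static.app.example/app.js"></script>
<script src="/js/local.js"></script>
</body></html>"""

# The same page after a hypothetical injection: a loader script from an
# unknown host and a 0x0 iframe pointing at an exploit landing page.
COMPROMISED_PAGE = CLEAN_PAGE.replace("</body>", """
<script src="https://update-cdn.example/loader.js"></script>
<iframe src="https://update-cdn.example/landing.html" width="0" height="0"></iframe>
</body>""")

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("compromised", COMPROMISED_PAGE)):
        print(name, find_injected_resources(page, ALLOWED_HOSTS))
```

Run against a fresh fetch of each page on a schedule and compare with the previous run; the allowlist should be derived from the application's own build, not from whatever the page currently serves, or an injected host will simply be learned as normal.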
Where is this attack technique used?
Watering hole activity has been recorded in several high-profile cases, including:
- The attack on high-profile groups: towards the end of 2016, the admin panel of the Council on Foreign Relations (CFR) was compromised, and every visitor to the app received backdoor malware.
Why is it effective?
By combining several well-chosen tactics, attackers are able to circumvent the targeted organization's security, which is what makes the watering hole attack effective.
The objective of a watering hole attack is not to serve malware to as many systems as possible. Instead, the attackers exploit popular and trusted applications that the targeted victims are almost certain to use. This is one of the main reasons the watering hole technique is so effective at delivering its payload.
Beyond the careful selection of applications to compromise, watering hole attacks also make use of zero-day exploits against unpatched vulnerabilities, leaving the targeted victims with little or no defense.
This does not mean that attackers ignore vulnerabilities for which patches exist. Because patch management is difficult in an enterprise environment, IT administrators may delay the deployment of critical updates. These windows give a targeted attack the opportunity to leverage old but reliable vulnerabilities.
Who are the targets of a watering hole attack?
The primary focus of a watering hole attack is to gather secret and confidential data, information and intelligence from establishments such as:
- Various for-profit organizations
- Human rights groups
- Government workplaces
The stolen data is then used to launch even more dangerous attacks against the victimized organization.
What is the impact of these attacks?
The social engineering used in watering hole attacks is classic. Unlike an ordinary cyber attack, threat actors using the watering hole technique carefully select the most suitable legitimate applications to compromise rather than targeting applications at random. Because the technique targets trusted and frequently used applications, visiting only trusted applications is not a silver bullet against online threats.
Where a watering hole attack delivers a RAT, the attackers can also execute commands on the infected servers, including monitoring and spying on the target organization's activities. Having gained access to the targeted organization's network, they can also launch attacks that endanger the organization's operations and activities, such as editing or erasing files that contain sensitive information.
We should anticipate more attacks via the watering hole technique in the future. We at Boon Info Tech predict that watering hole attacks can become a more popular way to corrupt trusted applications in 2017.
Watering hole attack prevention
While we expect more intense attacks via this medium, we recommend the following measures to prevent them.
- Use our Mobile Application Firewall with cross-site scripting (XSS), command injection and SQL injection rules in deny mode.
- Protect access to your Content Management System as a highly critical system.
- Restrict access to content and the App Admin Panel to particular geographical locations.
- Review third-party partners (for example, advertising services) and have a plan to disable that content if the supplier is compromised.
- Secure your DNS registration and name servers to prevent attackers from redirecting the whole domain to an arbitrary location.
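The third-party item above deserves a concrete mechanism: for content delivered to a browser or web view, Subresource Integrity (SRI) pins each partner script to the hash of the build you reviewed, so a script that changes at the supplier is refused by the client before it runs, and a kill-switch flag covers the "plan to disable that content" part. The following Python is an added example, not code from the original article or from Boon Info Tech; the partner URL and script body are constructed.

```python
"""Added example: pin third-party scripts with Subresource Integrity (SRI).
Not code from the original article; the partner URL and script body are constructed."""
import base64
import hashlib
import hmac

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")  # the digests browsers accept for SRI


def sri_hash(body, algo="sha384"):
    """Return the SRI value '<algo>-<base64 digest>' for a resource body (bytes)."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(body, integrity):
    """True if body matches the pinned integrity value; this is the check a
    browser performs before executing a script that carries an integrity attribute."""
    algo, _, _ = integrity.partition("-")
    if algo not in SRI_ALGORITHMS:
        return False
    return hmac.compare_digest(sri_hash(body, algo), integrity)


def partner_script_tag(src, pinned_integrity, disabled=False):
    """Emit the <script> tag for a partner resource, pinned to the hash taken
    when the partner was reviewed. `disabled` is the kill switch for a
    partner that is known to be compromised."""
    if disabled:
        return f"<!-- partner script {src} disabled -->"
    return (f'<script src="{src}" integrity="{pinned_integrity}" '
            'crossorigin="anonymous"></script>')


# Constructed partner script, as it looked when it was reviewed.
PARTNER_SRC = "https://ads.partner.example/tracker.js"
REVIEWED_BODY = b"window.partnerTrack = function () { /* reviewed build */ };"
PINNED = sri_hash(REVIEWED_BODY)

if __name__ == "__main__":
    print(partner_script_tag(PARTNER_SRC, PINNED))
    # A body changed at the supplier no longer matches the pin:
    print(verify_sri(REVIEWED_BODY + b"\n// injected", PINNED))
```

Two practical points: the partner must serve the script with CORS headers, since `crossorigin="anonymous"` is what lets the browser verify a cross-origin hash, and a legitimate update at the partner will also fail the pin, which is the intended trade: the new build gets reviewed and re-pinned rather than silently accepted.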
No. 1: Before Going Live, Ask This Question
Are you about to launch a new application? If so, make sure the application developer has checked the template you are using against the OWASP Top 10 list of the most common application security flaws. Start by asking the developer how the application is protected against each item in the OWASP Top 10. If you do not get a satisfactory answer, it is time to look for a developer who is well versed in developing secure apps.
No. 2: Get Your App Checked
Signing up for services that scan your application and administrator panel daily for basic vulnerabilities makes your app more secure. Examples of such popular services are the Nessus Vulnerability Scanner, Symantec Safe Site and McAfee SECURE. Although these services do not cover everything, they give your application an additional line of defense.
No. 3: Have Security Monitoring in Place
Using a security information and event management (SIEM) kit, your app and admin panel can be monitored for active attacks. Examples of SIEMs include Splunk, AlienVault and HP ArcSight.
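Whatever SIEM you use, the value comes from the rules you feed it. As an added example (not code from the original article or from Boon Info Tech), the following Python implements two rules that follow directly from the advice above: admin-panel requests from outside the locations you allow, and repeated authentication failures against the admin panel. A CIDR allowlist stands in for the geo-IP lookup a SIEM would use, and the log lines, admin path and allowed networks are constructed.

```python
"""Added example: SIEM-style detection over admin-panel access logs.
Not code from the original article; the log lines, admin path and allowed
networks are constructed, and a CIDR allowlist stands in for a geo-IP lookup."""
import ipaddress
import re
from collections import Counter

# Apache/nginx combined log format, reduced to the fields this check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def admin_access_alerts(lines, admin_prefix, allowed_networks, fail_threshold=3):
    """Return alerts for admin-panel requests from outside the allowed networks
    (one per source IP) and for sources reaching fail_threshold auth failures."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    alerts, failures, flagged_ips = [], Counter(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(admin_prefix):
            continue
        ip = ipaddress.ip_address(rec["ip"])
        if not any(ip in net for net in nets) and rec["ip"] not in flagged_ips:
            flagged_ips.add(rec["ip"])
            alerts.append(("admin_access_outside_allowlist", rec["ip"], rec["ts"]))
        if rec["status"] in (401, 403):
            failures[rec["ip"]] += 1
            if failures[rec["ip"]] == fail_threshold:
                alerts.append(("admin_auth_failures", rec["ip"], rec["ts"]))
    return alerts


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - editor [10/Oct/2016:13:55:36 +0000] "GET /admin/ HTTP/1.1" 200 2326
198.51.100.7 - - [10/Oct/2016:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.45 - - [10/Oct/2016:13:57:12 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.45 - - [10/Oct/2016:13:57:14 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.45 - - [10/Oct/2016:13:57:15 +0000] "POST /admin/login HTTP/1.1" 401 512
""".splitlines()

ALLOWED_NETWORKS = ["10.0.0.0/8"]  # stands in for the office / VPN egress ranges

if __name__ == "__main__":
    for alert in admin_access_alerts(SAMPLE_LOG, "/admin", ALLOWED_NETWORKS):
        print(*alert)
```

In a real deployment the allowlist rule should alert on the first request, not after a successful login, because an attacker who already holds valid credentials (the RAT scenario described earlier) produces no failures at all.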
No. 4: Hire a Hacker
"White hat" or "ethical" hacking is one of the most popular professions these days, and there are many firms offering it. It is not cheap, but if you have the budget, consider hiring an ethical hacker to investigate your application and network for vulnerabilities. Before hiring, check the company's qualifications, years of experience and customer feedback. Verifying these matters more than fancy certifications, which do not necessarily reflect a person's technical ability or professionalism.
No. 5: Check for Blacklisting
It is also a good idea to check the popular blacklist registers to verify whether your application or administrative website has been flagged. This is an additional way to confirm whether your site is being abused by hackers, and it tells you whether search engines are flagging your application as malicious. Sites where you can check include Blacklist.org, MXToolbox.com and WhatismyIPaddress.com.
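Most of those lookup sites query DNS-based blacklists (DNSBLs) on your behalf, and the mechanism is simple enough to run yourself against your own addresses. The following Python is an added example, not code from the original article or from Boon Info Tech: it builds the reversed-address query name a DNSBL zone expects and interprets the 127.0.0.x answer. The zone name `dnsbl.example` and the resolver answers are constructed placeholders; in production you would substitute the zone of the list you subscribe to and a real resolver.

```python
"""Added example: the DNS-based blacklist (DNSBL) lookup that sites like the
ones named above perform. Not code from the original article; the zone name
'dnsbl.example' and the resolver answers are constructed placeholders."""
import ipaddress


def dnsbl_query_name(ip, zone):
    """Build the reversed-address query name a DNSBL expects under its zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        # IPv6 zones use one reversed hex nibble per label.
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def check_dnsbl(ip, zone, resolve):
    """Return the 127.0.0.x answers for ip in zone; an empty list means not listed.
    `resolve(name)` must return the A records for name ([] on NXDOMAIN); in
    production inject a real lookup such as socket.gethostbyname_ex."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return [a for a in answers if a.startswith("127.0.0.")]


def make_fake_resolver(table):
    """Offline stand-in for DNS: answers from a dict of name -> A records."""
    return lambda name: list(table.get(name, []))


# Constructed zone data: one listed host, everything else NXDOMAIN.
FAKE_ZONE = {"45.113.0.203.dnsbl.example": ["127.0.0.2"]}

if __name__ == "__main__":
    resolve = make_fake_resolver(FAKE_ZONE)
    for host in ("203.0.113.45", "198.51.100.7"):
        print(host, check_dnsbl(host, "dnsbl.example", resolve) or "not listed")
```

The meaning of the last octet in a 127.0.0.x answer is specific to each list, so map it using that list's documentation rather than assuming a common code table.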
To protect end-user privacy, many applications have moved to SSL by default for all traffic, which makes visibility harder. This sensitive security control can also benefit attackers, who know they can hide their attacks from security solutions that are not inline and cannot inspect traffic inside an encrypted tunnel. You cannot protect what you cannot see, so enterprises should look for solutions that can inspect traffic even when it is SSL encrypted, regardless of device or location.
Although not always the case, watering hole attacks are more likely than most to use previously unseen exploits and tactics. Because of this, signature-based approaches cannot guarantee effectiveness; defenders must rely instead on advanced threat protection such as behavioral analysis, which has a far better chance of detecting so-called zero-day threats.
It is imperative that organizations completely review all traffic, whatever its source.