Watering Hole Attacks – CompTIA Security+ SY0-701 – 2.2

If an attacker can’t get into your network, then they’ll wait for you to come out. In this video, you’ll learn how watering hole attacks can be used to attack a company outside of its own network.


In previous videos, we’ve talked about how easy it would be to gain access to someone’s network by leaving USB keys around their parking lot, hoping that somebody picks one up on the way into the office and plugs it into their computer once they get to their desk. But what if your employees are so well-trained that a USB key found in a parking lot is never going to be plugged in, and they block any other type of access from the outside as well? You’ve done such a good job at training your employees that they’re not going to click links inside of their emails either, and they’re not going to run any type of attachment that may come with those messages.

So instead of trying to get inside of your network, the attacker will instead try to gain access to a system that you will visit later on. We refer to this as a watering hole attack. The attacker poisons the watering hole and simply waits for you to visit.

This obviously requires the attacker to do a little bit of research. They need to understand what third-party sites your organization might visit, and then try to find a way into one of those third-party sites. This might be something that your employees do every day. For example, they might submit orders on a website for a local coffee shop or sandwich shop. And if the attacker can gain access to the sandwich shop’s web server, they could potentially infect your company.

Of course, this would require that there be some type of vulnerability associated with that third-party website. Or maybe the attacker is sending email attachments to the sandwich shop, hoping the sandwich shop clicks on one so they can gain access to the shop’s network, and then ultimately gain access to your network. As part of this watering hole attack, the attacker may be poisoning all of the water for everyone who visits this particular website. But of course, they know that eventually your organization will visit this sandwich shop website, and that’s the one connection they’re interested in pursuing.

Here’s a good example of a watering hole attack being used. This occurred in January of 2017, and the attackers were successful in poisoning the water at the Polish Financial Supervision Authority, the National Banking and Stock Commission of Mexico, and the state-owned bank in Uruguay. Once these sites were exploited, the attackers added malicious JavaScript files to the web server. But they were very specific about who they were trying to infect.

In fact, they did not poison the entire watering hole, but only a section of it: only visitors coming from IP addresses associated with particular financial organizations, such as banks, would receive these malicious JavaScript files. Everyone else who visited these sites saw the normal site with no malicious code.
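Because the malicious JavaScript was served only to selected source IP ranges, a single fetch of a compromised page from the wrong address can look perfectly clean. The following added example (not code from the video or from Professor Messer) shows one defensive check for a site you host or depend on: build an inventory of a page’s external script references and inline-script hashes, then compare what several vantage points actually received against a known-good baseline. The page contents, script names and vantage-point labels are constructed for the example.

```python
# Added example: detect scripts injected into a page by comparing the script
# inventory seen from several vantage points against a known-good baseline.
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collect <script src=...> URLs and SHA-256 digests of inline scripts."""

    def __init__(self):
        super().__init__()
        self.scripts = set()
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.add("src:" + src.strip())
        else:
            self._in_inline = True   # inline script body follows as data
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            body = "".join(self._buf).strip().encode()
            self.scripts.add("inline:" + hashlib.sha256(body).hexdigest()[:16])
            self._in_inline = False


def script_inventory(html: str) -> set:
    """Return the set of script identifiers (src URLs or inline hashes) in a page."""
    parser = _ScriptCollector()
    parser.feed(html)
    return parser.scripts


def unexpected_scripts(baseline: set, observed: dict) -> dict:
    """Map each vantage point to the scripts it received that are not in the baseline."""
    return {name: script_inventory(html) - baseline for name, html in observed.items()}


# Constructed sample pages (not real sites): the approved baseline, a fetch from an
# untargeted address that looks clean, and a fetch from a targeted address range.
BASELINE_HTML = ('<html><head><script src="/js/app.js"></script></head>'
                 '<body><script>init();</script></body></html>')
CLEAN_FETCH = BASELINE_HTML
TARGETED_FETCH = BASELINE_HTML.replace(
    "</body>", '<script src="/static/loader.js"></script></body>')
```

Running `unexpected_scripts(script_inventory(BASELINE_HTML), {"office": CLEAN_FETCH, "bank-range": TARGETED_FETCH})` reports nothing for the office fetch and the extra `/static/loader.js` reference only for the targeted range, which is exactly the discrepancy a single vantage point would miss.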

Unfortunately, the results of this watering hole attack were never made public, so we’re not sure if the attackers ever got the access they were hoping to find through these third-party sites. But we do know that they infected quite a number of sites through this watering hole attack.

There’s not any one thing that can prevent a watering hole attack. You need to have a layered defense, or what the industry calls defense in depth. This means that you might have antivirus, a firewall, an intrusion prevention system, and multiple other layers of security, so that if one device doesn’t recognize something malicious, perhaps one of the other layers will.

This is why we often see firewalls and intrusion prevention systems bundled together. The firewall might allow this traffic through, but once the traffic gets to the IPS, it will recognize that the contents of that network traffic are indeed malicious.

And in the case of the malicious software that was running on the Polish Financial Supervision Authority site, anyone who visited that site from those specific IP addresses while using Symantec’s antivirus software would receive a message saying that it recognized malicious code, and it would stop that code from executing on the individual’s computer. By putting these multiple layers of security in place, you’re increasing the odds that you will recognize and block this type of malicious software.