Monday 28 December 2015
First detected in 2013, watering-hole attacks are one of the newest (and arguably most sophisticated) security threats facing organisations.
By exploiting undetected vulnerabilities in websites and software applications, hackers can lie in wait for their target - before springing a malware-loaded trap on their unsuspecting victim, and compromising their secure systems.
What is a Watering-Hole Attack?
Unlike standard phishing attacks, watering-hole attacks are low-volume and highly-targeted, designed to create a backdoor for attackers to breach a target organisation:
Attackers first identify a vulnerable website that's regularly visited by employees of a target organisation.
- Malware is then used to infect the website.
- The attackers 'lie in wait' for employees of the target organisation to visit.
- Employees become infected with malware, and carry it back to their own secure systems - creating a security backdoor in the process.
By using watering-hole attacks in lieu of phishing, hackers can bypass increasingly sophisticated anti-phishing technology; and by infecting multiple members of the same organisation, secure systems can quickly become compromised.
Watering-Holes and Zero-Day Vulnerabilities :
Watering-hole attacks are particularly problematic because they infect legitimate, reputable websites - sites that most users would assume to be perfectly safe.
Worse still, watering-hole attacks often go undetected. By using zero-day vulnerabilities, attackers are able to discover and exploit new software vulnerabilities before the vendor is even aware of the problem, or able to issue a fix.
With an estimated 77% of public websites containing some form of exploitable vulnerability, and 16% containing 'critical' vulnerabilities (allowing attackers to compromise a visitor's computer), one in eight of the world's websites is susceptible to a watering-hole attack - making the problem extremely difficult for organisations to avoid.
Real-World Watering-Hole Attacks :
In November of last year, Chinese hackers were able to exploit zero-day vulnerabilities in Microsoft's Internet Explorer and Adobe's Flash Player to compromise the Forbes website.
The site was attacked because of the prevalence of senior executives and professionals using the website. As the COO of anti-malware company Invincea, Norm Laudermilch, noted: “This was clearly a targeted attack against a specific group of organizations” - with several high-profile defense and financial sector organizations successfully targeted as a result.
Defending Against Watering-Hole Attacks :
Watering-hole attacks are hard to recognise; and with so many of the world's websites vulnerable to these types of attacks, it simply isn't viable to prevent your employees from accessing potentially compromised websites.
Thankfully, watering-hole attacks are still a relatively uncommon phenomenon, and though they're growing in popularity, organisation-wide security awareness training is still a viable tool for minimising the likelihood of a successful attack.
If employees are able to recognise the hallmarks of suspicious software, links and websites, the chances of a successful malware infection can be reduced. Even in the event of a successful attack, the risks of serious data loss can be minimised, by ensuring employees understand the right procedures for reporting potential threats to IT and security teams.
