What is a watering hole attack, and how does it work?

Anton P. | January 03, 2023

A watering hole attack infects a legitimate website or service that its targets use. It exploits flaws in both the compromised website and the targets’ own systems.

The term watering hole attack comes from the idea of infecting a water source that attracts the potential prey. 

Furthermore, the attack removes the need to trick anyone, such as deceiving victims into clicking malicious links. Instead, it relies on the natural flow of website visitors, who unknowingly compromise their own systems.

Understanding watering hole attacks

Attackers first figure out which services or websites the targeted group uses regularly. Then, they embed malicious software or components into the compromised website.

By this definition, it resembles a broader category known as supply chain attacks. Those also target victims indirectly, for example through partners or software providers.

However, the attack cannot succeed without exploiting software flaws on the victims’ systems. Frequently, hackers chain several vulnerabilities to launch targeted attacks.

Commonly, watering hole attacks rely on zero-day flaws: bugs in software that are not yet publicly known or patched.

How common watering hole attacks are in the wild 

Multiple threat research teams have reported watering hole attacks in the last few years. In the most recent case, an infected website distributed ScanBox, which acted as a keylogger.

So the watering hole attack is a real threat, but its covert operation makes it difficult to detect. Thus, unknown campaigns may still be exploiting compromised websites to gain access to targets’ devices.

How the watering hole attack works 

It is possible to break down the watering hole attack into several steps: 

  1. Hackers select their target victims, usually broad groups or organizations. For instance, an attack might aim at users from certain backgrounds or locations.
  2. Perpetrators find a website that the targeted users or companies visit regularly. Then, they look for flaws and bugs on that website.
  3. Using the detected vulnerabilities, attackers infect the website with malicious software.
  4. Website owners are unlikely to notice the malicious additions.
  5. The malware silently compromises victims’ devices, typically by exploiting outdated operating systems or software such as browsers.
  6. The ultimate goal of a watering hole attack varies, but it often includes installing backdoors and keyloggers. A previous incident targeting citizens of Hong Kong allowed hackers to gain access and record audio, capture the screen, and download files.

A probable reason for the popularity of watering hole attacks is their covert operation and difficult detection. As a result, malicious campaigns can last for months or even years.

Who can become targets of watering hole attacks 

As mentioned, the first stage of a watering hole attack is preparation. These hacks can aim at compromising a country, an organization, or a group. The operation usually passes through similar stages:

  1. Attackers observe their targets’ behavior online, identifying a website or service that the targeted group visits.
  2. Perpetrators choose that regularly visited website as the watering hole and poison its resources.
  3. Usually, a watering hole attack against a particular group aims at entities that are difficult to compromise directly. Attackers chose this indirect approach when they exploited the Montreal-based International Civil Aviation Organization to infect the United Nations network.

Opportunistic watering hole attacks can be random, without identifying particular targets. For instance, a popular ecommerce shop could be the website to compromise if it contains exploitable flaws.

In that case, the attackers won’t have a clear idea of who their intended target is.

Reported watering hole attacks

In 2022, watering hole attacks targeted users and organizations on multiple occasions. A fake yet fully functional Google Translate app for Windows was spread through software distribution sites. The attack aimed at distributing a crypto-mining infection.

A more unusual watering hole technique emerged when a vulnerable WordPress-run site pushed fake Chrome updates.

Preventing watering hole attacks 

To avoid watering hole attacks, following the common cybersecurity tips might not be enough. Unlike social engineering, this threat might not require any conscious interaction from users. Instead, merely visiting a compromised website might be enough.

However, some techniques can make your device more resistant to a sneaky watering hole attack: 

  • Updating operating systems and software is key to combating watering hole attacks. If your devices run the latest versions, hackers cannot exploit previously patched flaws.
  • Install antivirus software that can detect malware based on suspicious behavior.
  • Cloud browsers could become a way to combat many web threats, including phishing, redirects, fake ads, and drive-by downloads.
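The tips above are for visitors; website owners can also check their own pages for what a watering hole compromise leaves behind, namely an injected loader pulling code from a host they never approved. The script below is an added example (not from the original article) that parses a page and flags every script, iframe, object, or embed whose host is outside an assumed allowlist; the host names and sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site owner expects to serve executable content (assumed allowlist).
ALLOWED_HOSTS = {"example-site.test", "cdn.example-site.test"}

# Tags and the attribute through which each one pulls code or a frame into the page.
LOADER_ATTRS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}


class InjectedResourceFinder(HTMLParser):
    """Collects every external loader reference whose host is not allowlisted."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = allowed_hosts
        self.findings = []  # (tag, url, line number in the page)

    def handle_starttag(self, tag, attrs):
        attr = LOADER_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr, "")
        host = urlparse(url).hostname
        # Absolute and protocol-relative ("//host/...") URLs carry a host;
        # relative paths are same-origin and are not reported.
        if host and host not in self.allowed:
            self.findings.append((tag, url, self.getpos()[0]))


def find_injected_resources(html, allowed_hosts=ALLOWED_HOSTS):
    """Return the list of (tag, url, line) loaders served from non-allowlisted hosts."""
    parser = InjectedResourceFinder(allowed_hosts)
    parser.feed(html)
    return parser.findings


# Constructed sample page: a legitimate site with one loader appended to the footer,
# the kind of change an attacker-edited template would show.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-site.test/jquery.min.js"></script>
</head><body>
<p>Welcome</p>
<script src="//stats-collector.invalid/sb.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, url, line in find_injected_resources(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> loads {url} from a non-allowlisted host")
```

Running it over a site's rendered pages on a schedule, and diffing the findings against the previous run, turns a silent template change into an alert.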

Short recap of the watering hole attack

A watering hole attack is an indirect attempt to gain access to victims’ systems through websites they visit. Usually, it does not target a particular individual or organization but groups of targets based on their position, interests, or location.

Preventing watering hole attacks boils down to how frequently victims update their devices and systems. If operating systems and software get patched regularly, many cybersecurity gaps close. However, owners of legitimate websites should also explore options for preventing watering hole malware campaigns.

© 2023 Atlas VPN. All rights reserved.