
Watering hole attack: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
m Duplicate word removed
Line 1: Line 1:
{{about|computer hacking and cracking|a place to obtain alcoholic potables|pub|other uses|Waterhole (disambiguation)}}
{{about|computer hacking and cracking|a place to obtain alcoholic potables|pub|other uses|Waterhole (disambiguation)}}


'''Watering hole''' is a [[Attack (computing)|computer attack]] strategy, in which the victim is a particular group (organization, industry, or region). In this attack, the attacker guesses or observes which websites the group often uses and infects one or more of them with [[malware]]. Eventually, some member of the targeted group gets infected.<ref name=Gradigo2012>{{cite web|last1=Gragido|first1=Will|title=Lions at the Watering Hole – The "VOHO" Affair|url=https://blogs.rsa.com/lions-at-the-watering-hole-the-voho-affair/|website=The RSA Blog|publisher=[[EMC Corporation]]|date=20 July 2012}}</ref><ref name=HaasterGeversSprengers2016>{{Cite book|url=https://books.google.com/books?id=DDiOCgAAQBAJ&pg=PA57&lpg=PA57&dq=Cyber+Guerilla+%22watering+hole%22&source=bl&ots=4-Qi6Y7UMl&sig=vnz-S0guT0QKc8GaSbX-4fRfXMA&hl=en&sa=X&ved=0ahUKEwiH4pebp-PSAhVGu7wKHeT6CacQ6AEIHzAB#v=onepage&q=Cyber%20Guerilla%20%22watering%20hole%22&f=false|title=Cyber Guerilla|last=Haaster|first=Jelle Van|last2=Gevers|first2=Rickey|last3=Sprengers|first3=Martijn|date=2016-06-13|publisher=Syngress|year=|isbn=9780128052846|location=|page=57|pages=|language=en}}</ref><ref name=Miller2014>{{Cite book|url=https://books.google.com/books?id=VBuDBAAAQBAJ&pg=PA123&lpg=PA123&dq=Internet+Technologies+and+Information+Services,+2nd+Edition+(watering+hole)&source=bl&ots=MyNRE-2QEk&sig=VhkcYMkRcQWXFXB1cBY5xITX8ug&hl=en&sa=X&ved=0ahUKEwiTmLyhp-PSAhUMEbwKHUXHBDAQ6AEIOzAB#v=onepage&q=Internet%20Technologies%20and%20Information%20Services%2C%202nd%20Edition%20(watering%20hole)&f=false|title=Internet Technologies and Information Services, 2nd Edition|last=Miller|first=Joseph B.|date=2014-08-26|publisher=ABC-CLIO|year=|isbn=9781610698863|location=|page=123|pages=|language=en}}</ref> The malware used in these attacks typically collects information on the user. Hacks looking for specific information may only attack users coming from a specific [[IP address]]. 
This also makes the hacks harder to detect and research.<ref name=":1">Symantec. Internet Security Threat Report, April 2016, p. 38 https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf</ref> The name is derived from predators in the natural world, who wait for an opportunity to attack their prey near watering holes.<ref>{{Cite news|url=http://searchsecurity.techtarget.com/definition/watering-hole-attack|title=What is watering hole attack?|last=Rouse|first=Margaret|date=|work=SearchSecurity|access-date=2017-04-03|archive-url=|archive-date=|dead-url=|language=en-US}}</ref>
'''Watering hole''' is a [[Attack (computing)|computer attack]] strategy, in which the victim is a particular group (organization, industry, or region). In this attack, the attacker guesses or observes which websites the group often uses and infects one or more of them with [[malware]]. Eventually, some member of the targeted group gets infected.<ref name=Gradigo2012>{{cite web|last1=Gragido|first1=Will|title=Lions at the Watering Hole – The "VOHO" Affair|url=https://blogs.rsa.com/lions-at-the-watering-hole-the-voho-affair/|website=The RSA Blog|publisher=[[EMC Corporation]]|date=20 July 2012}}</ref><ref name=HaasterGeversSprengers2016>{{Cite book|url=https://books.google.com/books?id=DDiOCgAAQBAJ&pg=PA57&lpg=PA57&dq=Cyber+Guerilla+%22watering+hole%22&source=bl&ots=4-Qi6Y7UMl&sig=vnz-S0guT0QKc8GaSbX-4fRfXMA&hl=en&sa=X&ved=0ahUKEwiH4pebp-PSAhVGu7wKHeT6CacQ6AEIHzAB#v=onepage&q=Cyber%20Guerilla%20%22watering%20hole%22&f=false|title=Cyber Guerilla|last=Haaster|first=Jelle Van|last2=Gevers|first2=Rickey|last3=Sprengers|first3=Martijn|date=2016-06-13|publisher=Syngress|year=|isbn=9780128052846|location=|page=57|pages=|language=en}}</ref><ref name=Miller2014>{{Cite book|url=https://books.google.com/books?id=VBuDBAAAQBAJ&pg=PA123&lpg=PA123&dq=Internet+Technologies+and+Information+Services,+2nd+Edition+(watering+hole)&source=bl&ots=MyNRE-2QEk&sig=VhkcYMkRcQWXFXB1cBY5xITX8ug&hl=en&sa=X&ved=0ahUKEwiTmLyhp-PSAhUMEbwKHUXHBDAQ6AEIOzAB#v=onepage&q=Internet%20Technologies%20and%20Information%20Services%2C%202nd%20Edition%20(watering%20hole)&f=false|title=Internet Technologies and Information Services, 2nd Edition|last=Miller|first=Joseph B.|date=2014-08-26|publisher=ABC-CLIO|year=|isbn=9781610698863|location=|page=123|pages=|language=en}}</ref> The malware used in these attacks typically collects information on the user. 
<ref>{{Cite web|url=https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage|title=Threat Group-3390 Targets Organizations for Cyberespionage|last=Intelligence|first=SecureWorks Counter Threat Unit Threat|website=www.secureworks.com|language=en|access-date=2017-10-23}}</ref>Hacks looking for specific information may only attack users coming from a specific [[IP address]]. This also makes the hacks harder to detect and research.<ref name=":1">Symantec. Internet Security Threat Report, April 2016, p. 38 https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf</ref> The name is derived from predators in the natural world, who wait for an opportunity to attack their prey near watering holes.<ref>{{Cite news|url=http://searchsecurity.techtarget.com/definition/watering-hole-attack|title=What is watering hole attack?|last=Rouse|first=Margaret|date=|work=SearchSecurity|access-date=2017-04-03|archive-url=|archive-date=|dead-url=|language=en-US}}</ref>


Relying on websites that the group trusts makes this strategy efficient, even with groups that are resistant to [[spear phishing]] and other forms of [[phishing]].<ref name=Sudhanshu2017>{{Cite web|url=https://securitycommunity.tcs.com/infosecsoapbox/articles/2017/02/06/watering-hole-attack-sophisticated-alternate-spear-phishing-attack|title=Watering Hole Attack- A Sophisticated Alternate to Spear Phishing Attack {{!}} Cyber Security Community|website=securitycommunity.tcs.com|access-date=2017-04-02}}</ref>
Relying on websites that the group trusts makes this strategy efficient, even with groups that are resistant to [[spear phishing]] and other forms of [[phishing]].<ref name=Sudhanshu2017>{{Cite web|url=https://securitycommunity.tcs.com/infosecsoapbox/articles/2017/02/06/watering-hole-attack-sophisticated-alternate-spear-phishing-attack|title=Watering Hole Attack- A Sophisticated Alternate to Spear Phishing Attack {{!}} Cyber Security Community|website=securitycommunity.tcs.com|access-date=2017-04-02}}</ref>
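Review bot: the citation added in the second paragraph sits at the head of the sentence "Hacks looking for specific information ..." with no space after the closing </ref>, so the rendered text reads "[4]Hacks" and the footnote marker attaches to a sentence it precedes rather than to the claim it is meant to support; placing it directly after "collects information on the user." (i.e. "...on the user.<ref>...</ref> Hacks looking ...") would fix both the spacing and the attribution. The same template also splits the author name incorrectly (|last=Intelligence|first=SecureWorks Counter Threat Unit Threat), which renders as "Intelligence, SecureWorks Counter Threat Unit Threat"; a single |author=SecureWorks Counter Threat Unit field would read correctly. Note also that the edit summary "Duplicate word removed" does not describe the visible change, which adds a citation and removes no word.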

Revision as of 14:09, 23 October 2017

Watering hole is a computer attack strategy in which the victim is a particular group (organization, industry, or region). In this attack, the attacker guesses or observes which websites the group often uses and infects one or more of them with malware. Eventually, some member of the targeted group gets infected.[1][2][3] The malware used in these attacks typically collects information on the user.[4] Hacks looking for specific information may only attack users coming from a specific IP address. This also makes the hacks harder to detect and research.[5] The name is derived from predators in the natural world, who wait for an opportunity to attack their prey near watering holes.[6]

Relying on websites that the group trusts makes this strategy efficient, even with groups that are resistant to spear phishing and other forms of phishing.[7]

Defense techniques

Websites are often infected through zero-day vulnerabilities in browsers or other software.[5] A defense against known vulnerabilities is to apply the latest software patches to remove the vulnerability that allowed the site to be infected.[7] Users assist this by monitoring that all of their software is up to date. An additional defense is for companies to monitor their websites and networks and block traffic if malicious content is detected.[8]
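As an added illustration of the website-monitoring defense described above (example code written for this page, not from the article or any of its cited sources), the script below compares a page against an allowlist of approved third-party hosts and a recorded content hash, which is how an injected script or frame on a trusted site can be caught; the site and host names are constructed placeholders.

```python
"""Check a site's own pages for unapproved third-party loads and content drift.
A watering-hole compromise usually appears as a new <script>, <iframe>, <object>
or <embed> pulling from a host the site owner never approved."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LoadCollector(HTMLParser):
    """Collects target URLs of tags that can load remote code or frames."""
    WATCHED = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = self.WATCHED.get(tag)
        for name, value in attrs:
            if wanted is not None and name == wanted and value:
                self.refs.append((tag, value))

def external_origins(html, site_host):
    """Return (tag, host) pairs for loads that leave the site's own host."""
    parser = _LoadCollector()
    parser.feed(html)
    found = set()
    for tag, url in parser.refs:
        host = urlparse(url).hostname  # None for relative URLs such as /js/app.js
        if host and host.lower() != site_host.lower():
            found.add((tag, host.lower()))
    return found

def check_page(html, site_host, allowed_hosts, baseline_sha256=None):
    """Flag loads outside the allowlist and any drift from the recorded hash."""
    findings = [f"unapproved <{tag}> load from {host}"
                for tag, host in sorted(external_origins(html, site_host))
                if host not in allowed_hosts]
    if baseline_sha256 and hashlib.sha256(html.encode()).hexdigest() != baseline_sha256:
        findings.append("page content differs from recorded baseline")
    return findings

# Constructed sample (placeholder hosts, not real indicators): a known-good page
# and the same page with an injected hidden iframe.
CLEAN_PAGE = ('<html><body><script src="https://cdn.example-site.org/app.js"></script>'
              '<script src="/js/local.js"></script></body></html>')
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>", '<iframe src="http://unknown-host.invalid/x" width="0"></iframe></body>')
ALLOWED = {"cdn.example-site.org"}
BASELINE = hashlib.sha256(CLEAN_PAGE.encode()).hexdigest()
```

Calling `check_page(INJECTED_PAGE, "www.example-site.org", ALLOWED, BASELINE)` returns two findings (the unapproved iframe host and the hash mismatch), while the clean page returns an empty list; relative URLs such as `/js/local.js` are never reported.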

Examples

2012 US Council on Foreign Relations

In December 2012, the Council on Foreign Relations website was found to be infected with malware through a zero-day vulnerability in Microsoft's Internet Explorer. In this attack, the malware was only deployed to users whose Internet Explorer was set to English, Chinese, Japanese, Korean or Russian.[9]

2013 US Department of Labor

In early 2013, attackers used the United States Department of Labor website to gather information on its users. This attack specifically targeted users visiting pages with nuclear-related content.[10]

2016 Polish banks

In late 2016, a Polish bank discovered malware on computers belonging to the institution. It is believed that the source of this malware was the web server of the Polish Financial Supervision Authority.[11] There have been no reports of any financial losses as a result of this hack.[11]

2017 ExPetr Attack

The June 2017 NotPetya (a.k.a. ExPetr) wiper malware attack is believed to have originated in Ukraine. A Ukrainian government website was compromised and infected with malware that was downloaded by users of the site. The malware erases victims' hard drives.[12]

2017 CCleaner attack

From August to September 2017, the installation binary of CCleaner distributed by the vendor's download servers included malware. CCleaner is a popular tool used to clean potentially unwanted files from Windows computers and is widely used by security-minded users. The distributed installer binaries were signed with the developer's certificate, which makes it likely that an attacker compromised the development or build environment and used that access to insert the malware.[13][14]

References

  1. ^ Gragido, Will (20 July 2012). "Lions at the Watering Hole – The "VOHO" Affair". The RSA Blog. EMC Corporation.
  2. ^ Haaster, Jelle Van; Gevers, Rickey; Sprengers, Martijn (2016-06-13). Cyber Guerilla. Syngress. p. 57. ISBN 9780128052846.
  3. ^ Miller, Joseph B. (2014-08-26). Internet Technologies and Information Services, 2nd Edition. ABC-CLIO. p. 123. ISBN 9781610698863.
  4. ^ SecureWorks Counter Threat Unit. "Threat Group-3390 Targets Organizations for Cyberespionage". www.secureworks.com. Retrieved 2017-10-23.
  5. ^ a b Symantec. Internet Security Threat Report, April 2016, p. 38 https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf
  6. ^ Rouse, Margaret. "What is watering hole attack?". SearchSecurity. Retrieved 2017-04-03.
  7. ^ a b "Watering Hole Attack- A Sophisticated Alternate to Spear Phishing Attack | Cyber Security Community". securitycommunity.tcs.com. Retrieved 2017-04-02.
  8. ^ Grimes, Roger A. "Watch out for waterhole attacks -- hackers' latest stealth weapon". InfoWorld. Retrieved 2017-04-03.
  9. ^ "Council on Foreign Relations Website Hit by Watering Hole Attack, IE Zero-Day Exploit". Threatpost | The first stop for security news. 2012-12-29. Retrieved 2017-04-02.
  10. ^ "Department of Labor Watering Hole Attack Confirmed to be 0-Day with Possible Advanced Reconnaissance Capabilities". blogs@Cisco - Cisco Blogs. Retrieved 2017-04-03.
  11. ^ a b "Attackers target dozens of global banks with new malware". Symantec Security Response. Retrieved 2017-04-02.
  12. ^ https://threatpost.com/researchers-find-blackenergy-apt-links-in-expetr-code/126662/
  13. ^ "CCleanup: A Vast Number of Machines at Risk". blogs@Cisco - Cisco Blogs. Retrieved 2017-09-19.
  14. ^ "Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users". blogs@Piriform - Piriform Blogs. Retrieved 2017-09-19.