Watering Hole Attacks

TrendMicro uses the recent “watering hole” attack on the CFR to point out that we’re only going to be seeing more of these. Watering hole attacks are sort of the inverse of spear phishing. Instead of targeting high-ranking people with carefully forged emails, the attacker targets those same people by compromising a place the targets are likely to visit.

This means a few things for the defense. Attackers seem to have hit a limit in the technical advancement of their tools (or at least a limit in what they’re willing to do publicly). As a result, they’re shifting R&D efforts to secondary elements like attack delivery, and learning to exploit human flaws as well as technical ones.

If a defender can develop a solid way to shut down the tools needed for these attacks, the attackers will be forced back to the drawing board — to develop in territory they’re starting to abandon as unfruitful.

Conversely, the evolving nature of attack scenarios means a good defense has to assume there will be exploitable blind spots, and design systems to counter them… before finding out what they are.


“Late last week, the Council of Foreign Relations website was compromised and modified to host a 0-day exploit affecting Internet Explorer. Analysis revealed that the attack was set to affect a specific set of users, as it was set to work only if the browser language was set to English (US), Chinese (China), Chinese (Taiwan), Japanese, Korean, or Russian.[…]

My colleagues have discussed before that watering hole attacks are not new. In fact, usage of such technique was seen as early as 2009. At the same time, however, they also think that watering hole attacks will become more prevalent in the future, and will be used specifically for targeted attacks. But why?

A possible answer to that would be one of Raimund’s forecasts for 2013, wherein he said that attackers will focus more on improving how they deploy the threats, and not on the development of malware. Attackers will leverage on information that they can gather on their targets before conducting the attack, in order to come up with a more effective way to get to their targets.

If we look at how a watering hole attack works, we’ll see that the methods used are very much familiar to us. However, the strategic placing of the threat itself makes it threatening in a more different level than any other web compromise or 0-day attack, in the same way that a spear phishing email is more effective than the typical spam emails. Attackers are able to generate strong social engineering methods by leveraging their knowledge of their target’s profile, thus eliminating the need for creating very sophisticated tools. And this is something that users must fully realize, because the attackers are no longer just using software vulnerabilities, they’re also using the users themselves.”

%d bloggers like this: