Watering hole attacks: how APT and cyber criminals infiltrate secure infrastructures

My first encounter with the world of cyber-criminals occurred through a watering hole attack campaign many years ago. I visited a Persian website and discovered that it was downloading malware onto visitors’ browsers. I promptly contacted the site administrator, who informed me that they had no technical knowledge of the issue. It became apparent that they were using an outdated CMS with well-known security vulnerabilities, which criminals were exploiting to target specific audiences and spread malware.

Watering hole attacks are some of the methods favored by cyber criminals and advanced persistent threat (APTs). In these attacks, cybercriminals use a tactic called “strategic web compromise” (SWC) to gain access to the victim’s organization’s network. By identifying websites frequently visited by target users, an attacker can infect those websites with malware and download it to an unsuspecting users’ device.

Malware used in watering hole attacks is designed to evade detection and remain undetected on the target’s device, giving attackers continuous access to sensitive information. This type of attack is of particular concern because it can go undetected for long periods of time, allowing attackers to gather sensitive information over time.

One type of commonly used malware in watering hole attacks is polymorphic malware. Polymorphic malware is a type of malicious software designed to constantly change its code and appearance in order to avoid detection by antivirus software and other security measures. This type of malware is particularly dangerous as it can mutate itself into many different forms, making it difficult for traditional antivirus/ anti-malware software to detect and remove it. Polymorphic malware can change its appearance using a variety of methods, including encryption, compression, and randomization.

Watering hole attacks are especially dangerous for small businesses, as they are often targeted due to weaker security measures compared to larger enterprises. However, even large organizations and government agencies have fallen victim to water hole attacks.

Below are some steps you can take to reduce your risk of becoming a victim of this type of attacks:

1. Use web filtering: web filtering tools can block access to malicious or unknown websites and webpages. This prevents users from accidentally downloading malware from the watering hole.
2. Use next-generation antivirus (NGAV): NGAV solutions use advanced detection techniques such as machine learning algorithms and behavioral analytics to identify and respond to new and previously unknown threats.
3. Implement endpoint detection and response (EDR): EDR solutions monitor endpoints such as laptops and desktops for suspicious behavior and can respond to threats in real time.
4. Implement Network-based detection and response (NDR): NDR solutions monitor network traffic for suspicious activity and can detect and respond to threats that traditional antivirus solutions may miss.
5. Employ threat intelligence: Threat intelligence services can provide information about emerging threats, including polymorphic malware. You can use this information to identify potential threats and take appropriate action to protect your network
6. Implement a zero trust network: A zero trust network is a security model that assumes that every user and device on the network is a potential threat. Users must be authenticated before accessing resources on the network, and access is restricted to what is necessary.
7. Use network segmentation: Network segmentation helps separate critical systems and sensitive data from the rest of the network. This prevents malware from spreading in the event of a successful attack.