Are your remote working staff drinking at the waterhole?

A watering hole attack is a computer attack strategy named after predators in the natural world, which wait near watering holes for an opportunity to attack their prey.

Attackers are increasingly exploiting ‘watering hole’ sites to conduct espionage attacks against a host of targets across a variety of industries. The current COVID-19 climate has seen a surge in such sites.

In basic risk terms, the victim is a particular group (a company, industry or region). The attacker guesses or observes which websites that group often uses and infects one or more of them with malware. Eventually, some member of the targeted group becomes infected after clicking on the part of the website where the malware is hidden; the user does so because they trust the website and the organisation behind it.

As an example, in the case of the financial sector the attackers may attempt to place malware on the website of the Financial Conduct Authority via a compromised server. Visitors and members use the site as a very useful source of information, so clicking on an area of the website or downloading a document could install malware into their company IT network.

[Image: watering hole attack infographic]

The malware may be delivered and installed without the target realising (called a ‘drive by’ attack), but given the trust the target is likely to have in the watering hole site, it can also be a file that a user will consciously download without realising what it really contains. Typically, the malware will be a Remote Access Trojan (RAT), enabling the attacker to gain remote access to the target’s system.
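The two delivery routes described above (a regulator's document portal serving something other than a document, and a file that is not what its name says) can both be checked for on the defender's side. The following is an added example, not part of the original article or any vendor's product: it reviews constructed web proxy log lines for downloads from a watchlist of trusted industry sites whose served Content-Type does not fit the requested file, and inspects downloaded files by their leading bytes rather than their extension. The log format, the domains (`regulator.example`, `industry-news.example`) and the sample file bytes are all made up for illustration.

```python
"""Spotting disguised downloads from trusted third-party sites.

Added example for the article above. The proxy log format, the domains
and the file contents are constructed for illustration only.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Placeholder watchlist: sites staff trust and visit often, which is
# exactly the kind of site a watering-hole attacker chooses.
TRUSTED_SITES = {"regulator.example", "industry-news.example"}

# Content types a regulator's document portal has no business serving.
EXECUTABLE_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/x-executable",
    "application/java-archive",
    "application/x-sh",
}

# Content type expected for common document extensions.
EXPECTED_TYPE = {
    "pdf": "application/pdf",
    "docx": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "xlsx": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
}

# Leading bytes of the file types the content check recognises.
MAGIC = [
    (b"MZ", "exe"),                # Windows PE executable
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),        # OOXML (.docx/.xlsx) is a zip container
    (b"\xd0\xcf\x11\xe0", "ole"),  # legacy .doc/.xls
]
EXT_KIND = {"pdf": "pdf", "docx": "zip", "xlsx": "zip", "zip": "zip",
            "doc": "ole", "xls": "ole", "exe": "exe"}

# Constructed proxy log format: ts client METHOD url status "content-type"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) '
    r'https?://(?P<host>[^/\s]+)(?P<path>\S*) (?P<status>\d{3}) "(?P<ctype>[^"]*)"$'
)


@dataclass
class Finding:
    host: str
    path: str
    reason: str


def _extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def review_proxy_log(lines: List[str]) -> List[Finding]:
    """Flag downloads from trusted sites whose served type does not fit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["host"].lower() not in TRUSTED_SITES:
            continue  # malformed line, or not one of the watched sites
        host, path = m["host"].lower(), m["path"]
        ctype = m["ctype"].split(";")[0].strip().lower()
        ext = _extension(path)
        if ctype in EXECUTABLE_TYPES:
            findings.append(Finding(host, path, f"executable served as {ctype}"))
        elif ext in EXPECTED_TYPE and ctype not in (EXPECTED_TYPE[ext], "application/octet-stream"):
            findings.append(Finding(host, path, f".{ext} served as {ctype}"))
    return findings


def sniff_kind(data: bytes) -> str:
    """Identify a downloaded file by its leading bytes, not its name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def check_file(name: str, data: bytes) -> Optional[str]:
    """Return a reason if the file's content contradicts its extension."""
    ext = _extension(name)
    actual, expected = sniff_kind(data), EXT_KIND.get(ext)
    if actual == "exe" and expected != "exe":
        return f"{name}: Windows executable disguised as .{ext}"
    if expected and actual != "unknown" and actual != expected:
        return f"{name}: content is {actual}, extension says .{ext}"
    return None


# Constructed sample data (not from any real incident).
SAMPLE_LOG = [
    '2020-04-02T09:14:05Z 10.0.3.17 GET https://regulator.example/guidance/covid-update.pdf 200 "application/pdf"',
    '2020-04-02T09:14:31Z 10.0.3.17 GET https://regulator.example/guidance/covid-update.pdf 200 "application/x-msdownload"',
    '2020-04-02T09:15:02Z 10.0.3.22 GET https://cdn.unrelated.example/setup.exe 200 "application/x-msdownload"',
    "not a log line",
]
SAMPLE_FILES = {
    "guidance.pdf": b"%PDF-1.7\n...",
    "guidance-update.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "return.xlsx": b"PK\x03\x04" + b"\x00" * 26,
    "notes.docx": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
}

if __name__ == "__main__":
    for f in review_proxy_log(SAMPLE_LOG):
        print(f"ALERT {f.host}{f.path}: {f.reason}")
    for name, data in SAMPLE_FILES.items():
        print(check_file(name, data) or f"{name}: ok")
```

The log review deliberately ignores untrusted hosts: ordinary proxy controls cover those, whereas the watering hole problem is precisely that an executable or a mislabelled document from a site everyone trusts draws no suspicion. The byte-level check catches the second case in the text, a file the user downloads on purpose that is not what its name claims.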

NotPetya – The NotPetya malware, believed to have originated in Ukraine, was spread through a compromised Ukrainian government website; users of the site were infected by downloading documents carrying it. The malware erased the contents of victims’ hard drives.

Polish banks – A Polish bank discovered malware on computers belonging to the institution. It is believed that the source of this malware was the web server of the Polish Financial Supervision Authority. There have been no reports of any financial losses as a result of this hack.

US Department of Labor – Attackers used the US Department of Labor website to gather information on its users. This attack specifically targeted users visiting pages with nuclear-related content.
