From time to time the media reports on “huge” hacker campaigns targeting specific companies. Often a buzzword comes up naming the attack strategy: they were hit by a Watering Hole Attack. No further explanation of what it means is ever given.
The term Watering Hole Attack means going after a target indirectly: instead of attacking it head-on, you compromise a third party that the target trusts and visits regularly, and let the target come to you. The name is borrowed from predators that wait by the watering hole for the prey to show up instead of chasing it. Think of it like a shitty teen romance TV show where one of the popular girls has the hots for a particular guy and uses his friends to get to him (excuse me for being cheesy). The attack exploits human behavior (it’s human to err, after all) and technology at the same time: people trust the sites they read every day, and those sites can be compromised.
Anyways. The term Watering Hole Attack was first used, according to Wikipedia, back in 2012 by the RSA security firm. Hollywood, though, has been handling this topic in its shitty romantic and detective pulp movies since forever.
How does it work?
An important keyword in a Watering Hole Attack is reconnaissance. I briefly mentioned it in my post “Penetration testing and use of methods, part one“. Knowledge is power and that is what we are going to exploit today. For this example we are indirectly targeting a cool tech start-up company, “CoolTech”.
- In order to attack indirectly we have to be sneaky about it and find a way to reach the target through somebody else. Browsing social media, Twitter for instance, we notice that CoolTech often tweets content from a well-known web design blog (CrayonsRus). We have just done reconnaissance: we found a third party we can piggyback on.
- Heading over to CrayonsRus we start figuring out how we can use this site to drop malware or an exploit. Luckily for us, the site has a security hole we can use. We plant the exploit or malware, sit back and wait for things to happen. Our intention is not to spread the payload to the masses; real campaigns often fingerprint visitors (source IP range, browser, language) and only serve the payload to the intended victims, while everybody else gets the normal page. Sometimes collateral infections happen anyway; we may discard the false targets entirely, or not.
- When an employee from CoolTech visits CrayonsRus the malware or exploit gets dropped onto the target. We’re done and can start having fun.
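From the defender’s side, the chain above leaves a trace in the web proxy logs: a client loads a page on the trusted site and, seconds later, pulls a script or a binary from a host that the site never used before, with the trusted page as Referer. The following is an added example (not part of the original post, and not tied to any real campaign) of a small detector for that pattern. The log format, the host names (crayonsrus.example, stats-update.example) and the allow-list of legitimate third parties are all assumptions constructed for the example.

```python
"""Spot a watering-hole style chain in web-proxy logs.

Pattern: a client fetches an HTML page on a watched third-party site and,
within a short window, the same client fetches something from a host that
is neither part of that site nor on its allow-list, with the watched page
as Referer. Executable-looking content types raise the severity.
The log lines below are constructed sample data, not real traffic.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit

WATCHED_SITE = "crayonsrus.example"                  # assumed name of the trusted blog
KNOWN_THIRD_PARTIES = {"fonts.googleapis.example"}   # assumed hosts the blog legitimately loads from
SUSPICIOUS_TYPES = {"application/octet-stream", "application/x-msdownload",
                    "application/java-archive", "application/x-shockwave-flash"}
WINDOW = timedelta(seconds=60)

# Constructed proxy log: timestamp client method url status content-type referer
SAMPLE_LOG = """\
2015-03-02T09:14:01 10.0.5.21 GET http://crayonsrus.example/blog/flat-design 200 text/html -
2015-03-02T09:14:01 10.0.5.21 GET http://cdn.crayonsrus.example/css/main.css 200 text/css http://crayonsrus.example/blog/flat-design
2015-03-02T09:14:02 10.0.5.21 GET http://fonts.googleapis.example/css 200 text/css http://crayonsrus.example/blog/flat-design
2015-03-02T09:14:02 10.0.5.21 GET http://stats-update.example/j/load.js 200 application/javascript http://crayonsrus.example/blog/flat-design
2015-03-02T09:14:03 10.0.5.21 GET http://stats-update.example/j/0x1f 200 application/octet-stream http://crayonsrus.example/blog/flat-design
2015-03-02T09:16:44 10.0.5.33 GET http://crayonsrus.example/blog/flat-design 200 text/html -
2015-03-02T09:16:45 10.0.5.33 GET http://cdn.crayonsrus.example/css/main.css 200 text/css http://crayonsrus.example/blog/flat-design
"""


@dataclass
class Entry:
    ts: datetime
    client: str
    url: str
    status: int
    ctype: str
    referer: str


def parse_log(text: str) -> list[Entry]:
    """Parse the whitespace-separated sample format into Entry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, status, ctype, referer = line.split()
        entries.append(Entry(datetime.fromisoformat(ts), client, url, int(status), ctype, referer))
    return entries


def host_of(url: str) -> str:
    return urlsplit(url).hostname or ""


def belongs_to(host: str, site: str) -> bool:
    """True for the site itself and any of its subdomains (cdn., static., ...)."""
    return host == site or host.endswith("." + site)


def find_watering_hole_chains(entries: list[Entry]) -> list[tuple[str, str, str, str]]:
    """Return (client, host, url, severity) for child requests that leave the
    watched site for an unknown host shortly after a page load there."""
    alerts = []
    last_page_load: dict[str, datetime] = {}   # client -> last HTML fetch on the watched site
    for e in sorted(entries, key=lambda x: x.ts):
        host = host_of(e.url)
        if belongs_to(host, WATCHED_SITE):
            if e.ctype.startswith("text/html"):
                last_page_load[e.client] = e.ts
            continue
        # Request to some other host: was it spawned by a recent watched-site page?
        from_site = e.referer != "-" and belongs_to(host_of(e.referer), WATCHED_SITE)
        recent = e.client in last_page_load and e.ts - last_page_load[e.client] <= WINDOW
        if not (from_site and recent) or host in KNOWN_THIRD_PARTIES:
            continue
        severity = "high" if e.ctype in SUSPICIOUS_TYPES else "medium"
        alerts.append((e.client, host, e.url, severity))
    return alerts


if __name__ == "__main__":
    for client, host, url, severity in find_watering_hole_chains(parse_log(SAMPLE_LOG)):
        print(f"[{severity}] {client} pulled {url} via {WATCHED_SITE}")
```

On the sample data the client 10.0.5.21 is flagged twice (the injected load.js at medium severity and the octet-stream it fetched at high), while 10.0.5.33, who only received the normal page, produces nothing. The allow-list is the weak spot of this approach: it has to be built from a baseline period and kept current, otherwise a legitimate new CDN will trigger the same alert as an exploit kit.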
A while ago I was in a job interview and I was asked to explain the Watering Hole Attack. Okay, and so I did, restating what I had learned in a websec class some months earlier. The interviewer looked at me as if I were crazy and I instantly felt something had gone wrong. I had mentioned that, besides the scenario described above, you could use this kind of attack by spreading infected USB devices in a restaurant the victim often eats at. Some reconnaissance would have to be done to figure out which restaurant and which OS platform they were using. In my mind the restaurant would be the third party I could use to drop my malware. Uh, they left me with the impression that I was dumb. But still today I believe that this scenario is useful, because of a news story I read a couple of weeks ago.
The story was about a Norwegian woman holding a presentation in a foreign country. Her PowerPoint presentation was on a USB key since she could not bring her own laptop along to the presentation. When she came home again and plugged that USB key into her laptop, the laptop was instantly infected. If an attacker knew that the venue computer was easily exploitable and also knew she represented a very interesting target, wouldn’t this be a very, very safe way to infect her and get hold of valuable information?