Cyber-attack strategy – WATERING HOLE
Cybercriminals have developed a new strategy for cyber-attacks,
known as the “watering hole”. Cybercriminals again prove that they are one step
ahead – no security method or procedure can stop them. They are so skilled that
they can get any information.
In a watering hole attack, the hacker leverages cloud services to
help gain access to even the most secure government agencies and private
enterprises.
Talking about the PAST:
In earlier days, attackers used emails that were badly worded,
or that carried lures like “I LOVE U” or promises of wealth or a lottery win.
Attackers targeted individuals at a specific company through phishing attacks
so that they could access the company's critical information. These
specifically targeted individuals help the attacker navigate the organization's
employee hierarchy or identify digital certificate compromises that lead to
access to, and control over, the organization's infrastructure.
NOWADAYS:
Nowadays employees are aware of this, so they discard such emails. The
most sophisticated type of attack now hitting the enterprise is the “Watering
Hole Attack”. In this attack, the attacker inserts malicious code into a site
that the company trusts. To do this, they stalk an employee or group in order
to get malicious code into the company.
How to find TRUSTED sites:
Inserting malicious code into the most visited sites, like
yahoo, espn.com or cnn.com, is very tough because they are less vulnerable. So
the attacker inserts the code into a less secure site that is frequented by
employees of the targeted company.
The attacker finds the most frequented sites through the automated tracking
methods used by marketing and ad tracking services when employees surf the
internet from their company. This method helps in identifying traffic and
access patterns. These tracking services map the web behavior patterns of the
organization, which indicates which sites employees visit frequently. This
information helps the attacker deduce the organization's browsing history and
cloud services access policies. In other words, it tells an attacker which
watering holes you let your employees visit.
WAIT!!
The attacker plants the malicious code in the watering hole site.
They also insert the code into less secure blogs and the most vulnerable sites.
Then they wait for users to return to the sites they have frequently visited in
the past. When a user visits one of these sites, the malicious code redirects
the user's browser to malicious sites, where the user's machine can be assessed
for vulnerabilities. The probability of success is usually high because the
attacker uses the tracking services' data to confirm that traffic to the sites
is allowed and frequent.
Once in the TRAP: ready for the real attack:
When a user steps into the trap, the attacker starts assessing the machine for
vulnerabilities and exploits. When the user visits the watering hole, a small
piece of code is downloaded automatically in the background, so the user does
not need to click on or download any code or file. This is made possible by
drive-by download techniques. Once the code runs, it searches for recently
discovered exploits and zero-day vulnerabilities, because there is a chance
that users have not patched these flaws in Java, Internet Explorer, Flash or
Adobe Reader. If the attacker succeeds in finding vulnerabilities or exploits,
then, depending on the user's access rights, he can access sensitive and
critical information of the company. Sensitive information here means Internet
protocol, customer information, employee data or financial data.
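The redirect and background download described above leave a trace in web proxy logs: a page on a site employees visit often suddenly pulls Java, Flash or PDF content from a different site. The sketch below is an added example, not part of the original post. The log layout, the host names and the min_visits threshold are all constructed assumptions.

```python
from collections import Counter
from urllib.parse import urlparse

# Content types for the plug-ins the post names (Java, Flash, Adobe Reader).
PLUGIN_TYPES = {
    "application/java-archive": "Java",
    "application/x-shockwave-flash": "Flash",
    "application/pdf": "Adobe Reader",
}

# Constructed proxy log (assumed layout): time user url referrer content-type
LOG = """\
09:00:01 alice http://industry-forum.example/news - text/html
09:00:02 alice http://cdn.industry-forum.example/site.js http://industry-forum.example/news application/javascript
09:01:10 bob http://industry-forum.example/news - text/html
09:01:11 bob http://stats-cdn.invalid/a.jar http://industry-forum.example/news application/java-archive
09:02:30 carol http://industry-forum.example/jobs - text/html
09:02:31 carol http://stats-cdn.invalid/a.jar http://industry-forum.example/jobs application/java-archive
09:05:00 carol http://vendor-docs.example/manual.pdf http://vendor-docs.example/ application/pdf
"""

def host(url):
    return urlparse(url).hostname or ""

def site(h):
    # Crude registrable-domain guess: last two labels (assumption, no suffix list).
    return ".".join(h.split(".")[-2:])

def parse(log):
    for line in log.splitlines():
        ts, user, url, ref, ctype = line.split()
        yield {"ts": ts, "user": user, "url": url, "ref": ref, "ctype": ctype}

def find_suspect_loads(log, min_visits=2):
    rows = list(parse(log))
    # Sites whose pages employees open often: the candidate watering holes.
    visits = Counter(site(host(r["url"])) for r in rows if r["ctype"] == "text/html")
    frequent = {s for s, n in visits.items() if n >= min_visits}
    hits = []
    for r in rows:
        src, dst = site(host(r["ref"])), site(host(r["url"]))
        # Plug-in content fetched from another site by a page on a frequent site.
        if r["ctype"] in PLUGIN_TYPES and src in frequent and dst != src:
            hits.append((r["ts"], r["user"], src, dst, PLUGIN_TYPES[r["ctype"]]))
    return hits

if __name__ == "__main__":
    for hit in find_suspect_loads(LOG):
        print(*hit)
```

The same-site PDF from vendor-docs.example is not flagged; only the cross-site Java loads referred by the frequently visited forum are.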