A watering hole attack, as the name suggests, is a cyberattack that relies on a place the victim visits frequently. A threat actor compromises a website that the targeted business or individual visits often and plants malicious code on it, which is inadvertently downloaded or executed when a user lands on the site. The website is usually compromised by exploiting an unpatched vulnerability or by obtaining website administrator credentials.

These attacks are often conducted by Advanced Persistent Threat (APT) actors in cyber espionage campaigns. One such campaign has recently been detected and attributed to the Chinese APT group tracked as TA423, which delivers the JavaScript-based reconnaissance tool ScanBox. The campaign targets offshore energy firms that operate in the South China Sea.

While watering hole attacks often see malware written to disk, this campaign is different: ScanBox is executed in the web browser and requires no malware to be downloaded. Once executed, ScanBox logs keystrokes and records all activity on the infected website, including any passwords that are entered. As is often the case with watering hole attacks, the user is directed to the website via a phishing email. In this campaign, targeted individuals receive messages requesting collaboration that appear to have been sent by an Australian media organization – the fictional Australian Morning News. The website to which the user is directed includes news content scraped from legitimate news outlets, and landing on the site sees the user served with the ScanBox framework, which is used for reconnaissance and browser fingerprinting.

In addition to collecting information about the browser, operating system, extensions, and plugins, the attack sets up Interactive Connectivity Establishment (ICE) communications with STUN servers, allowing communication with victim devices without having to go through network address translation (NAT) gateways and firewalls.

Watering hole attacks have been conducted by a range of different APT groups, and they have been the initial access vector of choice for Iranian threat actors for several years. Earlier this year, a campaign was detected that targeted Israeli websites, attempted to collect data from logistics companies involved with shipping and healthcare, and attempted to deliver malware that provided persistent access to victim devices.

Watering hole attacks can also be conducted by cybercriminal groups for distributing malware. One such campaign was recently detected that targets law firms with the goal of delivering Gootloader, a first-stage malware loader that can be used to deliver a variety of malware payloads. Rather than using phishing emails to drive traffic to a malicious site, the campaign used compromised WordPress websites. Once access to the websites was gained, the threat actors applied search engine optimization (SEO) techniques targeting specific search terms that law firms are likely to use. These techniques ensured that the malicious websites appeared high in the search engine listings for searches for legal information online, especially legal contract templates.

Defending against watering hole attacks requires a defense-in-depth strategy that includes end-user security awareness training, web filtering to block access to known malicious websites, endpoint detection software, and spam filters. TitanHQ can help by providing several of these layers, including the SafeTitan security awareness training and phishing simulation platform, the WebTitan DNS-based web filter, and SpamTitan email security.
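The two technical points above, ScanBox opening STUN connections after a visit to the watering hole and web filtering against a list of known-bad sites, can be combined into a simple detection rule. The script below is an added example written for this article; it is not TitanHQ's or any product's code. It assumes a hypothetical combined proxy/firewall log format (one line per connection: timestamp, source IP, protocol, destination, optional host header or SNI), a placeholder blocklist domain, and constructed sample lines. It flags any visit to a blocklisted host, and separately raises a higher-confidence alert when the same internal host sends UDP to a standard STUN/TURN port shortly after such a visit.

```python
import re
from datetime import datetime, timedelta

# Constructed log format (hypothetical, not any real product's format):
#   <ISO timestamp> <src-ip> <proto> <dst-ip>:<dst-port> [host=<http-host-or-sni>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<proto>tcp|udp) "
    r"(?P<dst>[^:\s]+):(?P<port>\d+)(?: host=(?P<host>\S+))?$"
)

# Standard STUN/TURN ports (RFC 5389 / RFC 5766); legitimate WebRTC apps use them too.
STUN_PORTS = {3478, 5349}

# Placeholder blocklist entry; a real deployment feeds this from threat intelligence.
WATERING_HOLE_DOMAINS = {"watering-hole.example"}

# Constructed sample log: 10.0.0.5 visits the blocklisted site then talks STUN two
# seconds later; 10.0.0.9 talks STUN with no prior blocklisted visit (video call);
# 10.0.0.7 only visits the blocklisted site.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 tcp 203.0.113.10:443 host=watering-hole.example
2024-01-01T10:00:02Z 10.0.0.5 udp 198.51.100.7:3478
2024-01-01T10:00:03Z 10.0.0.9 tcp 203.0.113.20:443 host=news.example
2024-01-01T10:30:00Z 10.0.0.9 udp 198.51.100.7:3478
2024-01-01T11:00:00Z 10.0.0.7 tcp 203.0.113.10:443 host=watering-hole.example
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["port"] = int(rec["port"])
    return rec


def find_alerts(log_text, window=timedelta(minutes=5)):
    """Return a list of (source_ip, reason) tuples, in log order.

    Rule 1: any connection whose host is on the blocklist is reported.
    Rule 2: UDP to a STUN/TURN port from a source that visited a blocklisted
            host within `window` is reported as a likely in-browser beacon.
    """
    alerts = []
    last_blocklisted_visit = {}  # source IP -> timestamp of latest blocklisted visit
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line: skip rather than crash the pipeline
        src = rec["src"]
        if rec["host"] and rec["host"] in WATERING_HOLE_DOMAINS:
            last_blocklisted_visit[src] = rec["ts"]
            alerts.append((src, f"visit to blocklisted host {rec['host']}"))
        if rec["proto"] == "udp" and rec["port"] in STUN_PORTS:
            seen = last_blocklisted_visit.get(src)
            if seen is not None and rec["ts"] - seen <= window:
                alerts.append(
                    (src, f"STUN traffic to {rec['dst']}:{rec['port']} "
                          f"within {window} of a blocklisted visit")
                )
    return alerts


if __name__ == "__main__":
    for src, reason in find_alerts(SAMPLE_LOG):
        print(f"{src}: {reason}")
```

STUN traffic on its own is a weak signal because video conferencing and other WebRTC applications use the same ports, which is why the second rule only fires after a visit to a blocklisted host from the same source. In practice the blocklist would be populated from a web filter's or threat intelligence feed's data, and the window tuned to how quickly the observed framework beacons after page load.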

For more information, give the TitanHQ team a call. Product demonstrations can be arranged on request, and all TitanHQ cybersecurity solutions are available on a no-obligation, 100% free trial.