Watering Hole Attacks: The Tainted Oasis

Josh Henry


Watering Hole Attacks: The Tainted Oasis

Watering hole attacks are still wreaking havoc on targeted groups and institutions around the globe. These attacks target major corporations and financial institutions. However, now they are penetrating these corporations’ servers by trapping a single user.

The Name

In the wild, there are many predators that lurk in the shadows of an oasis or watering hole awaiting their prey. This generally describes the basic idea of this form of attack. Attackers find where the prey is and wait for the opportune moment.

Predatory Predictions

Firstly, the malicious actor must find the watering hole. They will do their research to locate a particular website that their target frequently visits. Then the website or websites become the target. By installing malware to the website they infect the intended target. This allows the malware to then spread throughout the user’s organization.

Servers in Distress

A recent example of this form of attack is the NotPetya malware. This was an attack on the Ukrainian government that, according to the CIA, was performed by the Russian military.  In June 2017, a mock ransomware virus wiped the information from computers of banks, energy firms, senior government officials and an airport.

Somebody Poisoned the Water Hole

An investigation found the NotPetya virus on a Ukrainian site that delivered tax and accounting software. For context, the main narrative is that this was an attack to disrupt the financial system in Ukraine. A Windows Utility was the subject of a watering hole incident shortly after. The PC cleaning software CCleaner version 5.33.6162 was used as a distribution vehicle to effect 2.27 million computers.

Pick your Poison

Watering Hole attacks such as NotPetya are simple disruption tactics. The CCleaner attack was an intel theft scheme targeting major tech firms. Once the investigation took place, it became apparent this thief chose to target and copy certain areas of the network. These copies were then sent back to the malicious actors.

Distasteful Anecdote

This form of attacks causes a massive challenge to users for prevention and safeguarding. The conclusion is to treat all third party traffic as untrustworthy. Malicious actors target trusted file sharing sites and post to social media with contaminated links. Additionally, these malicious actors target popular sites such as Google. Always be mindful and do not get caught at the wrong watering hole.


Tags: , , , ,

Leave a Comment