What Is a Watering Hole Attack | Ethical hacking method

WATERING HOLE ATTACKS



A watering hole attack is a security exploit in which the attacker seeks to compromise a specific group of end users by infecting websites that members of the group are known to visit. The goal is to infect a targeted user's computer and gain access to the network at the target's place of employment.

The name watering hole attack is inspired by predators in the natural world who lurk near watering holes, looking for opportunities to attack desired prey. In a watering hole attack, the predator lurks near niche websites popular with the target prey, looking for opportunities to infect the websites with malware or malvertisements that will make the target vulnerable.

Watering hole attacks, which tend to focus on legitimate, popular websites, are a derivative of pivot attacks, which target one thing to get at another. In a watering hole attack, the attacker first profiles its targets -- who are typically employees of large enterprises, human rights groups or government offices -- to determine the type of websites they frequent. The attacker then looks for vulnerabilities in the websites and injects malicious JavaScript or HTML code that redirects the target to a separate site where the malware is hosted. This compromised website is now ready to infect the target with the injected malware upon access.
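From the site operator's side, the injection described above shows up as a page that starts loading a script, a frame or a redirect from a host it never used before. The following added example (not code from the original post) checks a page snapshot against an allowlist of expected hosts; the function names, the allowlist and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose attribute can pull content from another origin.
URL_ATTRS = {"script": "src", "iframe": "src", "frame": "src", "embed": "src", "object": "data"}


class ExternalRefCollector(HTMLParser):
    """Collects (tag, absolute URL) pairs for content the page loads or redirects to."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in URL_ATTRS and attrs.get(URL_ATTRS[tag]):
            self.refs.append((tag, urljoin(self.page_url, attrs[URL_ATTRS[tag]])))
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            # content="0; url=..." redirects the visitor without any script
            target = (attrs.get("content") or "").partition(";")[2].strip()
            if target.lower().startswith("url="):
                self.refs.append(("meta-refresh", urljoin(self.page_url, target[4:].strip("'\" "))))


def unexpected_hosts(html, page_url, allowed_hosts):
    """Return sorted (tag, host) pairs whose host is neither the page's own nor allowlisted."""
    collector = ExternalRefCollector(page_url)
    collector.feed(html)
    own = urlparse(page_url).hostname
    findings = set()
    for tag, url in collector.refs:
        host = urlparse(url).hostname
        if host and host != own and host not in allowed_hosts:
            findings.add((tag, host))
    return sorted(findings)


# Constructed sample: one allowlisted CDN, one same-site script, two injected references.
SAMPLE = """<html><head>
<script src="https://cdn.example.net/lib.js"></script>
<script src="//stats.injected.example/x.js"></script>
<meta http-equiv="refresh" content="0; url=http://landing.injected.example/">
</head><body><script src="/static/app.js"></script>
<iframe src="https://cdn.example.net/widget.html" width="0"></iframe></body></html>"""

if __name__ == "__main__":
    for tag, host in unexpected_hosts(SAMPLE, "https://news.example.org/", {"cdn.example.net"}):
        print(f"unexpected {tag} -> {host}")
```

Inline scripts that build a redirect at runtime are not caught by this check; those need a diff of the served page against a known-good copy.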

HOW IS IT PERFORMED?

Simple idea: If I can't make you go to a dangerous place, I check the "safe" places you go to and make one of them dangerous.

Attackers often spread malware by compromising websites and uploading malicious scripts to infect visitors (e.g. injecting a Flash exploit on a famous news site), but this is rarely a targeted attack. In a watering hole attack, the adversary instead carefully chooses a specific website that they know their victim or group of victims visits frequently. So even if the victims are trained not to click on untrusted links or open unknown email attachments, they will still eventually visit the website and get infected anyway. This way the attacker doesn't need the usual interaction with the victim, such as sending out emails with dangerous links.
