Word Notes 3.2.21
Ep 39 | 3.2.21

watering hole attack (noun)

Transcript

Rick Howard: The word is: watering hole attack.

Rick Howard: Spelled: Watering hole, for a common place to gather, and attack, for setting upon in a hostile way.

Rick Howard: Definition: From the intrusion kill chain model, a technique where the hacker compromises sites commonly visited by members of a targeted community in order to deliver a malicious payload to the intended victim.

Rick Howard: Example sentence: That site was a watering hole. Anyone who went there caught a case of NotPetya.

Rick Howard: Origin and context: The RSA Advanced Threat Intelligence Team coined the term "watering hole" in 2012.

Inspiration came from how animal predators lurk near watering holes, looking for the chance to attack their prey. In the digital world, instead of launching a campaign straight at a specific victim, the adversary group compromises a website that the prospective victim is likely to use. Once the "prey" visits the digital watering hole, the adversaries deliver their malware to their victim with the infection hidden in the normal back and forth of web transactions. 

Since 2012, watering hole attacks have become a staple of attack campaigns. One recent attack was chronicled by the website Lastline in 2019. Security firm ESET discovered a watering hole attack in March of that year targeting the International Civil Aviation Organization, or ICAO, a United Nations agency that promotes air navigation and transport around the world. The adversary group LuckyMouse had compromised ICAO's website three years earlier. Because of the watering hole delivery method, LuckyMouse was able to compromise at least two servers, as well as accounts for the mail servers, domain and system administrators.

Rick Howard: Nerd Reference: In the Darknet Diaries podcast episode published on 5 January 2021, the host Jack Rhysider interviewed Dustin Childs and Brian Gorenc from ZDI about the latest Pwn2Own contest. Pwn2Own is a computer hacking contest held annually at the CanSecWest security conference, and the mechanism the contest uses to demonstrate successful attacks is a watering hole-style attack.

Jack Rhysider: The Pwn2Own contest for the next few years was just for Web browsers: Chrome, Firefox, IE, Safari. And they announced the contest rules: the browsers would be fully updated on the latest patches. The contestant needs to exploit a bug in the browser and try to take over the [victim's] computer. And the only interaction the user has to do is browse to the attacker's website.

Brian Gorenc: We actually have rules in the contest that require that the exploit work without any user interaction. Once you hit the website, the [victim] machine is compromised and, you know, the attacker's shellcode is executing.

Jack Rhysider: That gives me chills just thinking about it, because I always assumed I just go and, as long as I don't click on 'Are you sure you want to run this thing?' or, you know, there's a little padlock on top, like there's all these little things I look for when I'm going to shady-looking websites. But now you're telling me it's possible that even with all that, I could still be pwned.

Dustin Childs: That's correct. 

Brian Gorenc: 100%.