Waterholing – Targeted attacks Redefined!

Targeted attacks generally aim to steal confidential or sensitive business information such as financial data and proprietary product details. Typically, a highly targeted attack like spear-phishing goes after a specific individual or organization through emails carrying maliciously crafted executable attachments.

Of late, we hear a lot about “waterholing” attacks, which are becoming a preferred form of attack mainly because they are less labor-intensive. The attacker does not have to socially engineer you into visiting a compromised site; they only need to compromise a website in your area of interest (the water hole) and wait for you to visit it in the normal course of things.

How does the attack happen?

This is not a completely new kind of attack; it is better described as a new APT-style delivery method. Once a visitor arrives at the water hole, they are most likely redirected through a chain of infected sites that attempt to exploit a vulnerability in Microsoft XML Core Services or in Java. If the exploit succeeds, there is a high chance the visitor ends up infected with a version of Gh0st RAT. A key reason the attack works so well is that most victims visit the site out of personal interest and, in most cases, take no security precautions. RSA coined the term “water holing” after the infamous VOHO attack campaign of July 2012.

Waterhole attacks expected to be on the rise

Several security reports show that the number of waterhole attacks has risen continuously over the last two years, and it is expected to rise further in 2014. To be effective in network defence, and not just at post-attack forensic analysis, you need security event data to be analysed and correlated in real time: capture events as they happen, correlate them in memory, and respond to the attack in a timely manner. Start by monitoring logs for activity across your servers, firewalls and endpoints.

Organizations need to be more vigilant and ensure that measures are in place to identify malicious activity on the network. You also need a risk mitigation plan that automates the response the moment an anomaly is identified. A SIEM tool that fires automated responses to critical security events lets you shut down a threat immediately.

Some key built-in responses you will almost certainly need are:

  • Send incident alerts, emails, pop-up messages, or SNMP traps
  • Add or remove users from groups
  • Block an IP address
  • Kill processes by ID or name
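The in-memory correlation the previous paragraphs call for, as an added example that is not part of the original post and not code from any SolarWinds product. It strings together the three observable steps of the attack described above (a browser pulled from a vetted site to an unvetted one, a plugin host such as java.exe launched by that browser, and an outbound connection from that process or anything it dropped) and emits the built-in responses listed above only when the whole chain completes. Every host, domain, IP address and event in it is constructed, and the allowlist of vetted domains is a hypothetical one.

```python
"""In-memory correlation of a watering-hole chain across proxy, endpoint
and firewall events. Added example, not code from the original post or
from any SolarWinds product; every host, domain, address and event below
is constructed for illustration."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)               # how long an open chain is kept per host
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe"}
PLUGIN_HOSTS = {"java.exe", "javaw.exe"}    # browser children an exploit would launch
KNOWN_DOMAINS = {"industry-news.example"}   # hypothetical allowlist of vetted sites

# Constructed events, already sorted by time: (timestamp, source, host, fields).
EVENTS = [
    # ws-042: reads a vetted site, gets pulled to an unvetted one, Java is
    # launched from the browser, drops a child that calls out to an external IP.
    ("2014-02-03T09:14:02", "proxy", "ws-042", {"pid": 1200, "url": "http://industry-news.example/articles/q1"}),
    ("2014-02-03T09:14:03", "proxy", "ws-042", {"pid": 1200, "url": "http://stat-counter-5.example.net/a.html"}),
    ("2014-02-03T09:14:05", "proxy", "ws-042", {"pid": 1200, "url": "http://stat-counter-5.example.net/l.jar"}),
    ("2014-02-03T09:14:09", "process", "ws-042", {"parent": "iexplore.exe", "ppid": 1200, "image": "java.exe", "pid": 3321}),
    ("2014-02-03T09:14:40", "process", "ws-042", {"parent": "java.exe", "ppid": 3321, "image": "svcupdate.exe", "pid": 3390}),
    ("2014-02-03T09:15:01", "netconn", "ws-042", {"pid": 3390, "dst_ip": "203.0.113.77", "dst_port": 443}),
    # ws-017: follows an ordinary outbound link and the user starts Java by hand;
    # the stages never link up, so nothing fires.
    ("2014-02-03T09:16:10", "proxy", "ws-017", {"pid": 880, "url": "http://industry-news.example/articles/q1"}),
    ("2014-02-03T09:16:12", "proxy", "ws-017", {"pid": 880, "url": "http://partner-blog.example.org/post/7"}),
    ("2014-02-03T09:16:15", "netconn", "ws-017", {"pid": 880, "dst_ip": "198.51.100.9", "dst_port": 80}),
    ("2014-02-03T09:16:20", "process", "ws-017", {"parent": "explorer.exe", "ppid": 500, "image": "java.exe", "pid": 2001}),
]


def domain_of(url):
    return url.split("/")[2].lower()


def correlate(events):
    """Per-host state machine over time-ordered events.

    Stage 1: a browser that was on a vetted site is pulled to a domain the
             organisation has never vetted (the redirect to the exploit site).
    Stage 2: within WINDOW, that same browser process spawns a plugin host.
    Stage 3: that process, or any descendant of it, opens an outbound connection.
    Only a completed chain becomes an incident; each stage alone is ignored.
    """
    chains, last_domain, incidents = {}, {}, []
    for ts_str, source, host, f in events:
        ts = datetime.fromisoformat(ts_str)
        chain = chains.get(host)
        if chain and ts - chain["started"] > WINDOW:   # stale chain: forget it
            del chains[host]
            chain = None
        if source == "proxy":
            dom, key = domain_of(f["url"]), (host, f["pid"])
            prev = last_domain.get(key)
            last_domain[key] = dom
            if chain is None and prev in KNOWN_DOMAINS and dom not in KNOWN_DOMAINS:
                chains[host] = {"started": ts, "browser_pid": f["pid"],
                                "lure": prev, "exploit_site": dom, "pids": set()}
        elif source == "process" and chain:
            from_browser = f["ppid"] == chain["browser_pid"] and f["parent"] in BROWSERS
            if (from_browser and f["image"] in PLUGIN_HOSTS) or f["ppid"] in chain["pids"]:
                chain["pids"].add(f["pid"])          # plugin host, or anything it dropped
        elif source == "netconn" and chain and f["pid"] in chain["pids"]:
            incidents.append({
                "host": host, "lure_site": chain["lure"], "exploit_site": chain["exploit_site"],
                "c2": f["dst_ip"], "responses": [
                    ("alert", "%s: %s -> %s -> %s:%d" % (host, chain["lure"],
                                                         chain["exploit_site"], f["dst_ip"], f["dst_port"])),
                    ("block_ip", f["dst_ip"]),
                    ("kill_process", f["pid"]),
                ]})
            del chains[host]                          # chain consumed
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        for action, arg in inc["responses"]:
            print(action, arg)
```

Run as-is it reports one incident for ws-042 and none for ws-017, because ws-017's unvetted domain and its user-launched java.exe are never tied together by the browser process. Stage 2 here only recognises the Java path the post mentions; an MSXML exploit runs inside the browser itself, so a production rule would also treat any unexpected child of the browser process as stage 2. The allowlist is the weak point of the rule: an exploit served straight from the compromised site, without a redirect, needs a content- or reputation-based stage 1 instead.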

Stay proactive, stay secure!!

  • Not much is 100% safe these days....

    I agree that reducing the risk is important... awareness is the first step. Look before you leap.

  • Identifying "safer" sites (note I didn't say they're 100% completely safe!) is one service that anti-virus companies attempt to provide. How safe are you if you have a current subscription and updated A/V signatures and you go to a site that's listed as OK/Approved/Green by your A/V manufacturer?

    Probably safer than one they say is "unknown" or one that's actually got a warning on it.

    But water hole attacks will still happen. 

