Watering hole computer attack strategies resurface


A hacking technique - watering hole attacks - has resurfaced for the first time since 2015/16. Morphisec's CTO and malware prevention expert, Michael Gorelik, says it's back and more sophisticated than before, and will be the big thing in 2018.

In March, Morphisec Labs researchers began investigating the compromised Web site of a leading Hong Kong telecommunications company after being alerted to it by a malware hunter called @PhysicalDrive0. The investigation revealed that the telecom group's corporate site had been hacked, and that threat actors had added an embedded Adobe Flash file that exploits the Flash vulnerability CVE-2018-4878 on the main home.php page.

Gorelik says watering hole attacks are back, and more sophisticated than ever before, predicting that they will become a major threat this year. This recent attack, he says, is a textbook case of a watering hole attack, in which hackers plant malware on Web sites that their intended victims are likely to visit.

Often, he says, the aim is cyber espionage. This recent attack displayed advanced evasive characteristics: it was purely fileless, without persistence or any trace on the disk, and used a custom protocol on a non-filtered port.

"Generally, this advanced type of watering hole attack is highly targeted in nature and suggests that sophisticated threat actors are behind it. It is the latest in a huge number of attacks that utilise CVE-2018-4878 - from nation sponsored attacks to malspam campaigns to exploit kits."

Purpose built

Gorelik says watering hole attacks have existed for a long time, and although rare, they are used mostly by advanced groups and many times by nation sponsored groups. Moreover, he says these types of attacks are highly evasive and are purpose-built to reduce the risk of detection before the targeted person or group has been compromised.

"Almost every computer has Flash installed. The re-appearance of a new exploit that can reach anyone, that can be utilised in so many ways - drive-by, document exploitation - is a highly lucrative tool for hackers that can be used in day-zero, or up to weeks after the patch is deployed. The patch cycle in most enterprises is at least six weeks," he adds.

In addition, he says this exploit demonstrates how easy it is to bypass all Adobe mitigation techniques, including the same mitigation that allegedly minimised the Flash exploitation two years ago. "We believe that nation-sponsored groups possess additional Flash zero-day exploits."

Fresh exploits

Watering hole attacks often employ fresh exploits to remain undetected - either zero-days or one-day exploits, he says, adding that he believes that as soon as new exploit proofs of concept reappear, we will likely see an increase.

"We will see this exploit as part of an attacker's main arsenal for most of the existing exploit kits. In addition, we can expect a dramatic rise in malspams using the same exploit, and this will be relevant for at least the next two years - until a new exploit reemerges, or most of the machines are patched."

A successful exploitation of this vulnerability will give the attacker full control of the machine. "From there, the attacker could decide to exfiltrate critical information from the targeted machine, or extort the victim by encrypting their files. He could even move laterally across the organisation to target enterprise servers."

Counter deception

To defend against this type of attack, he says patching is critically important, but not very feasible in a short time considering the processes involved.

"Moreover, if the exploit is still a zero-day, even patching doesn't solve your problem, and white-listing has limited effectiveness."

Gorelik says uninstalling Adobe Flash, although likely an improbability operationally, can reduce and prevent this specific vulnerability. "Although, it will not prevent non-Flash related vulnerabilities, which is an enormous consideration."

He says users must look to adopt innovative approaches that bring in the element of unpredictability, leveraging an advantage of being dynamic, and actually moving, rather than remaining static, which just makes a user easy to target.

Moving target defence (MTD) is an effective way to combat attackers' constantly changing tactics, and give companies a better approach to preventing zero-days, as it uses counter-deception techniques that constantly change the target surface, so that attackers can't get a foothold.

"Morphisec applied MTD on the process memory, and prevented this exploit even when it was zero-day," he concludes.
