Watering hole attacks
A watering hole attack is a complex attack vector targeting specific groups of users: the attacker infects legitimate but
vulnerable websites which the targeted audience visits on a regular basis, then attacks that audience using either
0day or 1day vulnerabilities.
Drive-by attacks
Drive-by attacks are very similar to watering hole attacks; the only difference lies in the targets of the
attack. While watering hole attacks target specific users from specific industries or groups,
drive-by attacks target every person who accesses the infected web page. Also, the exploits used for compromise in
watering hole attacks are mostly 0day or 1day, while drive-by attacks can also use exploits against older
technologies.
Cryptojacking
Cryptojacking attacks carried out through web browsers inject the pages of legitimate websites with scripts that use the visitor's
browser to mine cryptocurrency on the attacker's behalf. Sometimes web administrators themselves decide to monetize their
visitors through cryptojacking.
Exploit Kits
Exploit kits are web pages serving exploits for various browser technologies, from Java and Flash to Apache/IIS. A
successful exploit gives the attacker complete access.
Web attacks are difficult to spot...
...especially if the attacks are carried out over HTTPS. But even when HTTPS traffic is inspected, most security products
fail to reliably identify such threats because of the dynamic content of modern web sites. Also, the malware behind web attacks
usually obfuscates its payload several times over, which makes detection through static analysis impossible, while dynamic analysis of
visited web pages is very time consuming. Besides, most web malware contains code to detect dynamic analysis environments.
The real problem lies in the fact that traditional security products do not have good insight into the HTTP/S
protocol, due to the discrepancies between the implementations of the protocol in various browsers and to technology advances.
Whereas in the case of spearphishing attacks the user accidentally opens an email attachment or a social media link, making it
somewhat obvious when and how the attack happened, in the case of web attacks there is no such user interaction: all a user
has to do is visit a website they regularly use.
Advanced Persistent Threat groups and cybercriminals alike have been using web attacks for more than a decade because of
this "opacity" of the HTTP protocol. This type of attack is virtually impossible to detect from outside the browser, so
most current threat protection products focus on detecting the effects of the attack instead of the attack itself. And most of
the time the effects are rarely seen, given the use of unknown or very new exploits, or of clean IP addresses for
command and control.
The aftermath of web attacks often results in full host compromise, lateral movement, credential collection, ransomware,
cryptojacking, etc.
Do watering hole attacks actually happen?
To date, not only has big tech fallen victim to watering hole attacks, but alongside Facebook, Apple, Twitter and Microsoft
so have banks, fintech companies, defense industry contractors, intelligence operatives, activist groups, investigative
journalists and government resources all over the world.
During our forensic post-incident work, we identified that 70% of high profile data breaches have resulted from watering
hole attacks.
Dekeneas APT Hunter
Dekeneas APT Hunter is a web attack scanner that uses artificial intelligence to classify HTML content as clean or suspicious. Each
HTML element present in the page is given a score based on the presence of certain malicious features, and high-scoring elements
are further analyzed in two separate instrumentation frameworks for detailed dynamic analysis: one JavaScript emulator and one
fully featured sandbox.
The malicious features were extracted by analyzing roughly 40,000 malicious HTML elements, and these features were compiled
into a dataset describing a functional malicious element (e.g. a page redirector, cryptojacking script or exploit kit).
We split the 40,000 malicious elements in two: 75% of the elements were used to train our machine learning algorithm, while
the remaining 25% were used to test the detection capabilities of the algorithm. Dekeneas APT Hunter identified all malicious samples.
Scanning the Alexa Top 1000 we identified a false positive rate of 0.00024%, mostly due to the fact that legitimate code uses
malicious-looking behavior in legitimate ways. The false positives are eliminated through dynamic code instrumentation, but due
to the specifics of web attacks Dekeneas APT Hunter still marks such HTML elements as suspicious.
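The following is an added illustration of the per-element scoring idea described above and of why static scoring alone produces false positives on legitimate code; it is example code written for this page, not Dekeneas APT Hunter's model or feature set. The feature patterns, weights, threshold and sample pages are all constructed for the example (the URLs are placeholders), and the evaluate() helper shows how a labelled held-out set yields a detection rate and a false positive rate in the way the 75%/25% split above is used.

```python
import re
from html.parser import HTMLParser

# Illustrative feature list (constructed for this example, not the product's).
# Each entry is (name, compiled pattern, weight); weights are arbitrary but
# ordered by how strongly a feature suggests an injected payload.
SCRIPT_FEATURES = [
    ("eval_call",       re.compile(r"\beval\s*\("), 3),
    ("unescape_call",   re.compile(r"\bunescape\s*\("), 2),
    ("fromcharcode",    re.compile(r"fromCharCode", re.I), 3),
    ("document_write",  re.compile(r"document\.write\s*\("), 2),
    ("hex_escape_run",  re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"), 3),
    ("base64_blob",     re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"), 2),
    ("miner_indicator", re.compile(r"cryptonight|stratum\+tcp|coinhive", re.I), 5),
]
FRAME_FEATURES = [
    ("zero_size",    re.compile(r"\b(?:width|height)=['\"]?0(?:px)?['\"]?(?:\s|$)"), 3),
    ("hidden_style", re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I), 3),
]
SUSPICIOUS_THRESHOLD = 5  # hypothetical cut-off for "suspicious"


class ElementCollector(HTMLParser):
    """Collect <script>, <iframe>, <object> and <embed> elements with their
    attributes and inline text (stdlib parser, so inline script bodies arrive
    via handle_data without being parsed as markup)."""
    WATCHED = {"script", "iframe", "object", "embed"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.elements = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag in self.WATCHED:
            self._current = {"tag": tag, "attrs": dict(attrs), "text": ""}
            self.elements.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if self._current is not None and tag == self._current["tag"]:
            self._current = None


def score_element(el):
    """Return (score, matched_feature_names) for one collected element."""
    attr_text = " ".join(f"{k}={v or ''}" for k, v in el["attrs"].items())
    if el["tag"] == "script":
        haystack, features = el["text"] + " " + attr_text, SCRIPT_FEATURES
    else:
        haystack, features = attr_text, FRAME_FEATURES
    score, matched = 0, []
    for name, pattern, weight in features:
        if pattern.search(haystack):
            score += weight
            matched.append(name)
    return score, matched


def scan_html(html):
    """Score every watched element in a page; returns one finding per element."""
    parser = ElementCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for el in parser.elements:
        score, matched = score_element(el)
        findings.append({"tag": el["tag"], "score": score, "features": matched,
                         "suspicious": score >= SUSPICIOUS_THRESHOLD})
    return findings


def page_is_suspicious(html):
    return any(f["suspicious"] for f in scan_html(html))


def evaluate(labelled_pages):
    """labelled_pages: iterable of (html, is_malicious).
    Returns (detection_rate, false_positive_rate) over the labelled set."""
    tp = fp = mal = ben = 0
    for html, is_mal in labelled_pages:
        flagged = page_is_suspicious(html)
        if is_mal:
            mal, tp = mal + 1, tp + flagged
        else:
            ben, fp = ben + 1, fp + flagged
    return (tp / mal if mal else 0.0, fp / ben if ben else 0.0)


# Constructed sample pages; hosts are placeholders and the "payload" is a comment.
MALICIOUS_PAGES = [
    '<html><body><script>eval(unescape("%2f%2a%20payload%20placeholder%20%2a%2f"));</script></body></html>',
    '<html><body><p>News</p><iframe src="http://landing.example.invalid/gate.php" width="0" height="0" style="visibility:hidden"></iframe></body></html>',
    '<html><body><script src="https://cdn.example.invalid/js/coinhive.min.js"></script></body></html>',
]
BENIGN_PAGES = [
    '<html><body><script src="/static/app.min.js"></script><script>window.dataLayer=window.dataLayer||[];</script></body></html>',
    '<html><body><script>document.write("<p>" + new Date().getFullYear() + "</p>");</script></body></html>',
    # legitimate code that happens to use eval/fromCharCode: the expected false positive
    '<html><body><script>var s=String.fromCharCode(72,105);eval("console.log(s)");</script></body></html>',
]

if __name__ == "__main__":
    labelled = [(p, True) for p in MALICIOUS_PAGES] + [(p, False) for p in BENIGN_PAGES]
    for page, is_mal in labelled:
        print("malicious" if is_mal else "benign   ", scan_html(page))
    print("detection rate, false positive rate:", evaluate(labelled))
```

On the constructed set the scorer flags all three malicious pages and also the benign script that uses eval and fromCharCode, which is exactly the kind of false positive the text attributes to legitimate code using malicious-looking behavior; a static score is therefore a triage signal that selects elements for the dynamic analysis stage rather than a verdict on its own.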