ALL YOU NEED TO KNOW ABOUT WATERING HOLE ATTACKS
Everybody knows that malicious actors exploit the weakest link in your networks and the best defense against this sums up to safeguarding the most vulnerable entry points. But what if the weakest link in your defense lies beyond the network? You can set up impenetrable defenses for your enterprise network, but that doesn’t stop malicious actors from compromising a different target that happens to be a frequently used entry point to your network. This is precisely what a watering hole attack does. What are the watering hole attacks? A watering hole attack is a security exploit in which the attacker seeks to compromise a specific group of end users by infecting websites that members of the group are known to visit. The goal is to infect a targeted user's computer and gain access to the network at the target's workplace. The term watering hole attack comes from hunting. Rather than tracking its prey over a long distance, the hunter instead determines where the prey is likely to go, most commonly to a body of water -- the watering hole -- and the hunter waits there. When the prey comes of its own will, often with its guard down, the hunter attacks. The target victim can be an individual, an organization or a group of people. The attacker profiles its targets -- typically, employees of large enterprises, human rights organizations, religious groups or government offices -- to determine the type of websites they frequent. These are often messaging boards or general interest sites popular with the intended target. While watering hole attacks are not uncommon, they pose a considerable challenge since they are difficult to detect and typically target highly secure organizations through their employees, business partners or connected vendors. And, because they may breach several layers of security, they can be extremely destructive.How does a watering hole attack work? Watering hole attacks are attacks that identify an external, trusted but vulnerable service frequently accessed by users of a given organization. Bad actors exploit these vulnerabilities to deliver a malicious payload to the organization’s network. This technique can look just like a zero-day attack, exploiting an unknown or unpublicized vulnerability. Let's put it like this: you have your own IT network that you can fully control and protect against network intrusions and exploits. Next, there’s an IT service, an app, a tool, a website or technology that is frequently used by your employees. These services may be integrated with your network or interact directly with your employees, accessing data and communicating a variety of legitimate traffic requests. These services are controlled by a third party, which of course are vulnerable to cyberattacks. By exploiting the vulnerabilities, these third-party services can act as a “watering hole” to deliver a malicious payload to your organization.
Stages in watering hole attacks The watering hole attack includes the following stages:![]()
Intelligence gathering Watering hole attackers begin by identifying a target and gathering intelligence on their web browsing habits. This might be frequently visited public sites, websites specific to the company or industry, or even tools such as webmail and cloud storage. Threat actors use a range of tools to gather this intelligence, including search engines, social media pages, website demographic data, social engineering, spyware, and keyloggers. Analysis Once viable targets have been identified, cyberattackers then begin to analyze the list of websites for weaknesses and vulnerabilities at the domain and subdomain levels. Also, they are looking into 3rd party websites, in a supply chain attack, infecting not the target website directly but for instance a 3rd party ad server. Attack preparation Web-borne exploits are used as implants inside the compromised website. Focusing on technologies such as HTML, JavaScript, images, and other vectors, cyberattackers aim to compromise browsers used by the target. Sophisticated attacks may even allow actors to infect visitors with specific IP addresses or other browser specific settings, such as user agent or language. Attack execution When the watering hole is ready to launch the attack on the target network of the organization, the malware payload is delivered first from the compromised service to the user and then to the IT network of the organization. At this stage, the malware may propagate and gain more intel into network behavior as any APT attack. Many organizations build multiple layers of security around their IT networks. The deceptive nature of watering hole attacks, however, make clever use of recent trends in the enterprise IT landscape — like Bring Your Own Device (BYOD) and remote working models. Also, most organizations have a laxed policy regarding movable devices such as laptops, smart phones or tablets.
- Gathering intelligence
- Analyzing the intel
- Preparing the attack
- Executing the attack
Examples of Watering Hole Attacks in Current Events Over the past decade, there has been a raft of watering hole attacks, with many targeting high-profile organizations that have supposedly implemented top-of-the-line cybersecurity protection. This means that any type of organization can be vulnerable to these attacks, which are called Advanced Persistent Threats (APTs). Here are some concrete examples of high-profile watering hole attacks:![]()
- 2012 – American Council on Foreign Relations
Through an Internet Explorer exploit, cyberattackers infected the CFR. Watering hole phishing targeted those browsers only using certain languages that could be exploited.- 2016 – Polish Financial Authority
Targeting over 31 countries, including Poland, the United States, and Mexico, researchers discovered an exploit kit that had been embedded in the Polish Financial Authority's web server.- 2019 – Holy Water
By embedding a malicious Adobe Flash pop-up that triggered a download attack, dozens of religious, charity, and volunteer websites were infected.- 2020 – SolarWinds
IT company SolarWinds was the target of a far-reaching watering hole attack that ran for a long time. After months of cyber intelligence work, it was uncovered that state-sponsored agents were using watering hole to spy on cybersecurity companies, the Treasury Department, Homeland Security, and more.- 2021 – Hong Kong
Google's Threat Analysis Group identified numerous watering hole attacks focusing on users who visited media and pro-democracy websites in Hong Kong. Once successful, the malware would go on to install a backdoor on individuals using Apple devices.- 2021 - Operation AppleJeus
A prolific North Korean state-sponsored hacking group has been tied to a new ongoing espionage campaign aimed at exfiltrating sensitive information from organizations in the defense industry.- 2022 - North Korean actors
Google's Threat Analysis Group (TAG) disclosed that it acted to mitigate threats from two distinct government-backed attacker groups based in North Korea that exploited a recently-uncovered remote code execution flaw in the Chrome web browser. The campaigns have targeted U.S. based organizations spanning news media, IT, cryptocurrency, and fintech industries, with one set of the activities sharing direct infrastructure overlaps with previous attacks aimed at security researchers last year.- 2022 - Romanian Public Institution
Cybersecurity experts at Dekeneas have discovered a sophisticated watering hole attack implanted into a Romanian public institution website.- 2023 - Fata Morgana
Cybersecurity experts at ClearSky have discovered a sophisticated watering hole attack targeting multiple Israeli websites. How can DEKENEAS BROWSER ATTACK DETECTOR help you? DEKENEAS uses artificial intelligence to understand the contents of a web page looking for signs and behaviour of malicious activities. Such malicious activities could be the use of encryption or certain coding patterns that are highly specific to malware. Techniques such as symbolic execution or "Code Logic Emulator (CLE)" allow a better understanding of what the code does, before deciding to further analyze the code with "Smart Dynamic Analysis". The "Smart Dynamic Analysis" technology is much more intense and time consuming, therefore it is only used to confirm wether certain elements within the website are actually malicious or not.
If a certain element within the website shows signs of malicious behaviour our "Requirements Extractor (RX)" technology tries to determine wether that element needs certain conditions to run, such as specific user agents, IP addresses or language settings. If the "Requirements Extractor (RX)" technology identifies certain requirements that the element needs in order to run, then the "Smart Dynamic Analysis (SDA)" technology starts to dynamically analyze that element in the specific enviornment requested. For instance, if "Requirements Extractor (RX)" technology identifies a suspicious Javascript that has conditions for a specific iOS mobile browser user agent and specific language settings, the "Smart Dynamic Analysis (SDA)" will analyze the suspicious Javascript in an iOS environment, with the requested browser and that specific language settings.![]()
This behavior greatly reduces the analysis time, as only suspicious HTML elements will be analyzed, in the same time maximizing the accuracy of detection, by creating the specific environment requested by the website code.
The network traffic resulted from the interaction with the malicious HTML element is recorded and analyzed with "Network Attack Detector (NAD)" technology which identifies attack signs inside network traffic.
These unique features allowed DEKENEAS to uncover a series of complex attacks carried by APT groups, but also carried by cybercriminals, all of them using either very new or unknown exploitation vectors.
CONTACT US
office@dekeneas.com @dekeneas @dekeneas
FREQUENTLY ASKED QUESTIONS
Q: Who is at risk of getting attacked through browser exploits?
A: Considering that browsers are part of our day to day activities, being for work or pleasure, anyone can be targeted with a browser exploit. However, if you work in a sensitive environment, and your job requires you to have access to sensitive organizational resources, the risk of being attacked with a browser exploit increases significantly. But browser exploits are not the only browser attacks..
Q: How could a browser exploit affect my work place?
A: Organizational network defenses have become increasingly performant in the past years, with organizations investing allocating increased budgets to cybersecurity, therefore making it harder for attackers to directly attack organization's network perimeter. But at the same time, organizations tend to not address the insider threat with the same type of resilience. Therefore if you use your smartphone, laptop or tablet to access organizational resources attackers gain a foothold inside the network.
Q: What other browser attacks are outhere, except device compromises through exploits?
A: While browser exploits are the most dangerous type of browser attack, there are also cryptojacking attacks and data skimming attacks. Cryptojacking attacks use your device to mine for cryptocurrencies consuming your CPU cycles for the benefit of the attackers. Data skimming attacks are usually placed in online shops or other type of websites which require the user to enter banking or credit card informations. They are totally invisible to the end user and any security product he may use and they collect these informations to be sent to the attackers. Cyber criminal groups such as Magecart are getting the spotlight in the past years but these types of attacks have been going for at least a decade and they continue to affect hundreds of thousands of websites around the world.
Q: My antivirus is updated to the latest. Am I still vulnerable?
A: Unfortunately yes. Antivirus products use signatures to detect attacks. If a signatures has not been previously generated, the attack goes unnoticed to the antivirus product.
Q: I have the latest next-generation detection and response endpoint protection. Am I still vulnerable?
A: Unfortunately yes. Even the most performant XDR endpoint protection uses some type of signature scanning corroborated with behavioral analysis and even artificial intelligence (AI). However, they cannot be installed on smart phones, tablets or IoT devices. And even for traditional systems, such as desktops or laptops they fail to accurately identify attacks, mostly because browsers are very difficult to inspect and instrument and because these attacks are specifically crafted to look like normal user activities.
Q: I only browse behind my corporate network. Am I still vulnerable?
A: Unfortunately yes. Network defense systems are unable to properly inspect HTTP/S traffic, even if they are able to decrypt the encrypted communication. Dynamic HTML code, such as Javascript, makes it impossible to an intermediate product to know how the final code will be rendered inside user's browser, therefore they are unable to guess wether an attack is happening or not. This is how big banks and corporations have been compromised in the past.
Q: I use a different web malware scanner. Isn't that enough?
A: Unfortunately no. All the commercially available web malware scanners use signature scanning to detect attacks against browsers. While this approach is sufficient to detect known attacks, they have no way of detecting unknown attacks. Most web malware today is crafted in such way that it looks different for every infection, even inside the same website. Also, most of the commercially available web malware scanners only scan the first page of the website, while in reality the attack can be hidden deeper inside the website.
Q: Ok, and how does DEKENEAS does it then?
A: We have an artificial intelligence (AI) algorithm trained to recognize features that might serve a malicious purpose. And we do not consider these features separately, our AI tries to understand how these features could be used in conjunction to serve a malicious purpose. This approach allows us to select only those HTML elements, such as scripts or iframes, that have a high risk of being used for malicious purposes. After this filtering, we launch each suspicious element inside a dynamic analysis environment which mimicks in the slightiest detail the behaviour of a legitimate user, in order to bypass any anti analysis or instrumentation environment detection techniques the malware might use. We record these interactions and also we record all the traffic exchanged between our dynamic analysis environment and the suspicious HTML element. The recorded traffic is analyzed by another AI algorithm in order to determine wether there are any signs of attacks inside the traffic. If there were no interactions during the dynamic analysis and there were no signs of attack inside the network traffic recorded, we still consider the element suspicious, needing manual analysis by one of our specialists.
Q: So every suspicious script is possibly an attack?
A: Sometimes, yes. Some other times, no. There could be an attack that evaded our dynamic analysis environment, and it needs further inspection, but also, sometimes, not very often, legitimate HTML elements use the same techniques as malware and we detect that. But it's better to be safe than sorry.
Q: I started my scan a few hours ago and it still did not finish. Is there something wrong?
A: Normal websites have thousands of pages, each of these pages containing tenths or hundreds of HTML elements that need to be analyzed. Even though our AI is doing a fantastic job at eliminating benign looking elements, there are still tenths or hundreds of these elements that need to be passed to our dynamic analysis environment. This is the most consuming part of the process, as we try to mimick in the slightiest detail the behavior of a normal user. So, especially at the first iteration, a scan could last for a few hours, depending on the number of suspicious HTML elements found.
DEKENEAS
DEKENEAS is a unique product, being the only publicly available tool able to identify with great accuracy both known and unknown browser exploits ("0day") and attacks by the means of artificial intelligence algorithms, instead of traditional signature scanning. Our approach is mainly focused on detection of unknown attack vectors for the vast majority of existing desktop browsers, such as Chrome, Edge, Firefox or Safari, but also mobile devices browsers for Android and iPhone. Our artificial intelligence algorithms understand the code of the website before actually executing it, and tries to understand if the code constructs encountered are malware specific or they are benign. Also it tries to figure out if there are special conditions for certain code to run, such as specific User-Agent strings, language settings or IP addresses. All this information is later used during the instrumentation performed by Dekeneas Sandbox, which comes as a double check, actually executing the suspicious code in a real environment according to the special conditions requested by the analyzed code, launching a specific browser with specific language or country settings in a specific environment (desktop or mobile), and analyzing how the code interacts with the browser. In addition to code instrumentation Dekeneas Sandbox also analyzes the traffic generated looking for exploitation gadgets, therefore maximizing the chances of identifying unknown attacks.
- Signature less scanning - browser malware looks different from infection to infection so signature scanning is mostly useless
- In-depth scanning of websites - most attacks are not placed in the first page
- Code interpretation without actually executing the code - greatly optimizing analysis time
- Detection of attacks in the early stage - as opposed to traditional methods who detect post-exploitation stage of infection
- Anti anti analysis capabilities - most browser attacks are highly obfuscated and have anti analysis capabilities
- Anti evasion capabilities - most browser attacks are able to evade detection by targetting specific browsers, technologies or settings
Dekeneas On-Premise WSG
The Dekeneas WSG range is a family of secure web gateway appliances, integrating the advanced artificial intelligence malware scanning capabilities of the DEKENEAS into your network, protecting your users from some of the most elusive attacks used by hackers.
WSG-010
Virtual Appliance
- Administration interface
- Transparent Proxy (network traffic redirector, WCCP redirect)
- Explicit Proxy (supports PAC installation, WPAD server, Active Directory)
- HTTP/S inspection
- URL filtering based on DEKENEAS
- Integrated DEKENEAS engine
- Supports both IPv4 and IPv6 protocol stacks
- Supports integrations with external threat intelligence feeds, commercial or open source
- Custom and automated whitelisting of websites
- Custom and automated blacklisting of malicious websites
- Automated antivirus scanning of files in transit
- Automated updates of AV signature database
- Automated blocking of malicious files in transit
WSG-100
Hardware Appliance
![]()
- Administration interface
- Transparent Proxy (network traffic redirector, WCCP redirect)
- Explicit Proxy (supports PAC installation, WPAD server, Active Directory)
- HTTP/S inspection
- URL filtering based on DEKENEAS
- Active Directory integration (multi realm, multi forest NTLM, single sign on through browser stored credentials)
- Inline sandbox
- Bandwidth management
- Integrated DEKENEAS engine
- Supports both IPv4 and IPv6 protocol stacks
- Supports integrations with external threat intelligence feeds, commercial or open source
- Custom and automated whitelisting of websites
- Custom and automated blacklisting of malicious websites
- Automated antivirus scanning of files in transit
- Automated updates of AV signature database
- Automated blocking of malicious files in transit
- Automated YARA scanning of files in transit
- Automated updates of AV signature database
- Automated blocking of malicious files in transit
- Data leakage prevention through artificial intelligence classification
WSG-200
Hardware Appliance
![]()
- High availability setup
- Administration interface
- Transparent Proxy (network traffic redirector, WCCP redirect)
- Explicit Proxy (supports PAC installation, WPAD server, Active Directory)
- HTTP/S inspection
- URL filtering based on DEKENEAS
- Active Directory integration (multi realm, multi forest NTLM, single sign on through browser stored credentials)
- Inline sandbox
- Bandwidth management
- Integrated DEKENEAS engine
- Supports both IPv4 and IPv6 protocol stacks
- Supports integrations with external threat intelligence feeds, commercial or open source
- Custom and automated whitelisting of websites
- Custom and automated blacklisting of malicious websites
- Automated antivirus scanning of files in transit
- Automated updates of AV signature database
- Automated blocking of malicious files in transit
- Automated YARA scanning of files in transit
- Automated updates of AV signature database
- Automated blocking of malicious files in transit
- Data leakage prevention through artificial intelligence classification