Beware the “waterholing” hack

Sometimes cyber risks come on the rebound. One such example is the “waterholing attack,” aimed at the users of a host’s pages, and not the host itself.

In April the Federal Reserve Bank of St. Louis suffered a cyber intrusion that attacked not the bank itself, but users of its publically available data and analysis tools. Due to the nature of the intrusion, some analysts believe it was a waterholing attack.

In a May 18 statement, the Fed district bank said someone manipulated routing settings at a domain name service vendor used by the bank. The hackers were able to automatically redirect web traffic to rogue webpages that looked like four legitimate pages. These were for the pages of FRED, FRASER, GeoFRED, and ALFRED. These sites provide data commonly used by economists employed by private companies, including banks, as well as other government entities. 

In its statement, the St. Louis Fed said that “users who were redirected to one of these phony websites may have been unknowingly exposed to vulnerabilities that the hackers may have put there, such as phishing, malware, and access to user names and passwords.”

This description closely matches what a waterholing attack constitutes, said Gavin Reid, vice-president for threat intelligence, Lancope, to Banking Exchange in an interview.

Of course, he said, there is no guarantee that this is what happened, “but it fits the pattern.”

How water holing plays out

While such attacks haven’t happened often, they have been around for a while. Some credit discovery of the trend to RSA Security, in 2012. 

In November 2014, a Chinese attack group allegedly infected Forbes.com. According to reports it exploited two since-patched vulnerabilities in Internet Explorer and Adobe Flash Player. The malware infection entered through the site’s popular “Thought of the Day” widget and was activated simply by the user clicking on “Continue.”

According to iSight Partners, a cyber security firm, the attack wasn’t aimed at Forbes but at the typical demographic of people who tend to go to the site—senior executives, managers, and other professionals working for major corporations.

Like the St. Louis Fed attack, the goal of the hackers was to infiltrate the sites or systems of these other users and steal sensitive information, proprietary content, or even more access credentials.

A brief internet search unveiled a couple of other watering hole attacks that have been reported. These include, in 2013, the Department of Labor, and in 2014, North Korea’s official national news service.

Prevention and protection

Speaking about the St. Louis Fed hack, Reid noted that the attack came through a third-party vendor that managed the domain name service—and the need to impose protections.

“When you talk generally about third-party reliance, that’s a pretty broad topic. Specifically about DNS, yes, you can absolutely lock down your DNS records such that no one can change them unless it’s someone who is very specific to the organization, and they have to go through a number of steps. There is some DNS security you can enable to lock it in place.”

In the absence of a company taking such steps, says Reid, it is basically one guessed password and username away from someone turning a site to bad uses.