Akamai Diversity

The Akamai Blog

Defending Against Watering-Hole Attacks

A researcher at Cisco Systems published a blog post yesterday that Akamai customers and the larger security community should be aware of. The subject: "watering-hole" attacks.

It's something Cisco researchers -- and Akamai's CSIRT team -- have been tracking for some time. In May, Threat Research Engineer Jaeson Schultz wrote about the increasing popularity of the attack technique

He wrote at the time, "Watering-hole attacks, as evidenced by the recent attack involving the U.S. Department of Labor, are becoming increasingly popular as alternatives to attacks such as Spear Phishing. In a Watering Hole attack, the attacker compromises a site likely to be visited by a particular target group, rather than attacking the target group directly. Eventually, someone from the targeted group visits the 'trusted' site (A.K.A. the 'Watering Hole') and becomes compromised."

Threat researcher Emmanuel Tacheau's post from yesterday provides updated data on who these attacks are targeting and the methods used.

Beginning in May, he wrote, Cisco TRAC started to see several malicious redirects targeting the Energy & Oil sector. The structure, he said, consisted of several compromised domains, of which some play the role of redirector and others the role of malware host. Watering-hole style domains infected with the malicious iframe included:

  • An oil and gas exploration firm with operations in Africa, Morocco, and Brazil;
  • A company that owns multiple hydro electric plants throughout the Czech Republic and Bulgaria;
  • A natural gas power station in the UK;
  • A gas distributor located in France;
  • An industrial supplier to the energy, nuclear and aerospace industries; and
  • Various investment and capital firms that specialize in the energy sector.

"Encounters with the iframe injected web pages resulted from either direct browsing to the compromised sites or via seemingly legitimate and innocuous searches," he wrote. "This is consistent with the premise of a watering-hole style attack that deliberately compromises websites likely to draw the intended targets, vs. spear phishing or other means to entice the intended targets through illicit means."

Akamai CSIRT Director Michael Smith said that in watering-hole attacks, the bad guys attack one's website to use it as a platform to attack the browser. 

"The interesting thing with energy-sector websites is that they usually service a particular geography, say the NE United States or France," he said. "Energy sector websites also sometimes are supplier portals for a particular vertical such as gas companies."

Since Akamai deals with the server side of the watering hole equation, we have a set of recommendations for our customers:

  • Use our Web Application Firewall with cross-site scripting (XSS), command injection, and SQL injection rules in deny mode.
  • Protect access to your Content Management System as a high-criticality system.
  • Restrict access to content and CMS to specific geographies.
  • Look at third-party content (such as advertising services) and have a plan to disable that content if the provider becomes compromised.
  • Secure your DNS registration and name servers to keep attackers from redirecting the entire domain to an arbitrary location.