On July 20, 2012, Mr. Will Gragido, a speaker from RSA Security LLC, an American computer and network security company, coined the term “Watering Hole”. The technique was first observed in 2009, with breaches of the security systems of some civil society organizations. Cybercriminals found in watering hole attacks a sophisticated alternative to spear phishing attacks. Wikipedia explains the technique here.
The early months of 2013 were alarming, as many big companies fell victim to this hard-to-detect penetration technique, among them Facebook, Apple, Twitter, Microsoft, and the New York Times. Such major attacks continued in 2014. In 2015, Forbes.com became the prey of a watering hole attack. Now, in the closing months of 2016 and the early months of 2017 (i.e. this month, February 2017), news of security breaches at the world’s major banks is coming from popular sites such as helpnetsecurity.com and scmagazine.com.
This killer strategy is going to grow fiercer this year. According to RSA’s white paper on cybercrime trends for 2015, mobile provides a larger attack surface. In 2017 there will be 2.5 billion smartphone users worldwide, and there are millions of mobile applications available to download and use (most of them free). Hacking mobile applications is very easy, and watering hole attacks reliably work against them. A deadly combination.
Cybercriminals know that enterprise mobile apps are their first prey for stealing the data of large companies and banks. Enterprise mobile apps focus mainly on enhancing productivity, saving time, cutting costs, and managing finances, and there are hundreds of mobile apps supporting each of these objectives. If we look at the top enterprise mobile apps and their security breach history (Google Hangouts, Skype, Slack, Box, Dropbox, Evernote, etc.), we can easily understand how risky it is for any business to let its employees use mobile apps.
The main problem with watering hole attacks is that they are very hard to detect and very hard to prevent, and one reason for this is the technical build of the mobile applications themselves. Most mobile applications use OAuth, which makes them vulnerable. Ronghai Yang explained this vulnerability in his research report “How to Sign into One Billion Mobile App Accounts Effortlessly”, and the remedies he suggested are no solid immunity against attackers. Mr. Kelvin Boon, CEO of Boon Info Tech, sheds some useful light on the preventive measures that mobile application developers should take against watering hole attacks.
Smartphones are full of mobile applications. Large enterprises have thousands of employees using the same smartphone for a mix of personal and official use. In this scenario, breaching the security of such a large company becomes very easy for attackers: all they need to do is ‘poison’ any one of the mobile applications installed on employees’ smartphones. Once the attacker has penetrated the phone, it becomes easy to steal the data stored by the applications used for official work (with the help of a Remote Access Trojan (RAT)).
Safeguarding against watering hole attacks is not only the duty of mobile application developers. Enterprises and the employees who use mobile applications for their work must understand the risk and take preventive measures seriously. Here are a few such preventive measures that security-aware enterprises take to safeguard their valuable data:
- Security Policies – Security policies must include protocols for the use of mobile applications and smartphones wherever official data has to be kept secure. The protocols must clearly define every process and decision, and how each employee operates. The data must be protected with multi-layer security.
- Employee Training – It is also important that each employee understands the risk and knows more than the basics of protecting data against cyber attacks. Ongoing user training plays an important preventive role in a defense-in-depth strategy for dealing with cyber attacks.
- Restricted access to data via smartphones – The use of mobile applications for official work must be subject to restrictions, and only less sensitive data should be made accessible to these enterprise mobile applications.
- Use of anti-virus software for smartphones – Smartphones obviously need multi-level security, as they are no different from regular computers when it comes to protecting valuable data.
- Proactive Monitoring – Enterprises should have a cyber squad (similar to a bomb squad) that keeps an eagle’s eye on employees’ activities. Based on regular behavioral analysis of employees, enterprises must proactively monitor for any suspicious activity or unknown application. Regular monitoring helps to find probable watering hole prey spots and seal them before any penetration occurs.
- Regular security updates and patching – Regularly upgrading application versions and browser versions, and applying patches, is another continuous job that enterprises must attend to.
It is true that watering hole attacks are almost always successful, but their success rate is high only because businesses and enterprises generally don’t take enough preventive measures to restrict cyber attacks to a tolerable level. According to RSA’s report “The VOHO Campaign: An In-Depth Analysis”, Internet Service Providers (ISPs) and corporates are the top targets of watering hole attacks, followed by financial and healthcare institutions. The safeguards against watering hole attacks are simple and easy, but if they are ignored the loss can be very serious. The need to adopt a tight security system is even greater in 2017, as the use of mobile applications for business purposes will continue to grow this year as well.