In case you haven’t heard, a new attack vector is the “watering hole” attack. In the real world, you might think of a watering hole attack as one in which a lion waits nearby for other animals to visit a pond for a drink. As a technical attack, it’s not much different. The attacker sets traps on sites that are frequented by the targeted individuals or organizations. Once the victim visits the site, the attack is launched.
As an example, some Apple employees were hacked after visiting a developer web site that exploited a vulnerability in the Java browser plug-in, installing malware on their Mac computers. Watering hole attackers can use various techniques to trap their victims. One such technique is designing the malware to look for multiple vulnerabilities:
if version > Java6 Update 32 or if version > Java7 Update 10, then
    exploit the newest vulnerability CVE-2013-1493.
else if Java 7 (version <= Java 7 Update 10) then
else (version < Java 6 Update 32) then
Notice how the malicious applet checks for the version of JRE and then targets a specific vulnerable version. Attackers use this technique because exploits that may work for one version of vulnerable software may not be effective for another.
To prevent these types of attacks, users should make sure their software is up to date and keep anti-malware software current. Also, more companies are now starting to look at secured, isolated virtual machines: running a web browser in an isolated virtual environment can limit the malware's ability to spread. As with other attacks, a good defense requires a defense-in-depth approach with multiple layers of protection.
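The version checks in the pseudocode above can be turned around for defensive triage. The following is an added example, not code from the original post: it parses `java -version` strings from a constructed inventory and reports which branch of that pseudocode each host's JRE would satisfy. The hostnames, sample versions, function names and the per-family reading of the comparisons are assumptions.

```python
import re

# Legacy `java -version` style string, e.g. java version "1.7.0_10"
VERSION_RE = re.compile(r"\b1\.(\d+)\.\d+(?:_(\d+))?")

def parse_jre(text):
    """Return (family, update) for a 1.x.y_zz version string, else None."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2) or 0)

def branch_for(version):
    """Name the branch of the article's pseudocode that a JRE would satisfy.

    Assumed reading: each comparison applies within its own Java family.
    """
    if version is None:
        return "unparsed"
    family, update = version
    if (family == 6 and update > 32) or (family == 7 and update > 10):
        return "branch 1: CVE-2013-1493"
    if family == 7:
        return "branch 2: Java 7 <= Update 10"
    if family < 6 or (family == 6 and update < 32):
        return "branch 3: below Java 6 Update 32"
    return "no branch"

def triage(inventory):
    """Map each host to the branch its reported JRE falls into."""
    return {host: branch_for(parse_jre(raw)) for host, raw in inventory.items()}

# Constructed sample inventory (hostnames and versions invented for illustration).
SAMPLE_INVENTORY = {
    "dev-mac-01": 'java version "1.7.0_15"',
    "dev-mac-02": 'java version "1.7.0_10"',
    "build-03": 'java version "1.6.0_41"',
    "kiosk-04": 'java version "1.6.0_24"',
    "lab-05": "java: command not found",
}

if __name__ == "__main__":
    for host, branch in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {branch}")
```

In this sample every host with a parsable JRE lands in one of the branches, whatever its update level, which is why patching is paired with the other layers described above.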