Watering Hole Attacks

Microsoft® Windows OS
Advisory ID:
July 23, 2023


ngCERT recently observed several cases of watering hole attacks that target groups of people who share a connection, whether they work for the same company, belong to the same social club, or have a common interest or background. The goal of this attack is to compromise as many of these users' devices as possible and, in some cases, gain access to their organization's network. In other words, a watering hole attack occurs when cyber criminals use skills such as hacking and social engineering to target individuals, groups, or organizations on a website they frequent. Alternatively, the attacker can direct the victim(s) to a website that they have compromised.

Description & Consequence

The threat actors behind these types of attacks will typically conduct reconnaissance on a specific group, primarily to determine which websites they visit on a regular basis. These can be discussion forums, social media platforms, blogs, or websites aimed at a specific industry or type of professional. They then either infect those sites with malware or create malicious third-party sites to lure users. If users fall for it, their devices become infected with malware, granting the threat actor unauthorised access. If the user connects to their organization's network using the compromised device, the actor may gain unauthorised access to organizational systems as well. Some of the techniques observed in this attack include: drive-by downloads, in which targets at a watering hole download malicious content without their knowledge, consent, or action; malvertising, in which attackers inject malicious code into advertisements served at a watering hole in order to spread malware to their prey; and zero-day exploitation, in which threat actors exploit previously unknown vulnerabilities in the website or in the visitor's browser.

Compromise may lead to theft of personally identifiable information (PII), sensitive corporate data such as intellectual property, and banking information which can be used to cause irreparable damage to the victims and/or their organizations.


To minimize or forestall chances of being affected, consider the following:

  1. Embrace cyber hygiene practices.
  2. Install a reputable anti-virus with a strong internet security component.
  3. Test your security solution regularly and monitor your Internet traffic for suspicious activity.
  4. Install security updates and update all software whenever an update is available. Also, ensure the operating system, whether desktop or mobile, is always up to date and that patches are installed promptly.
  5. There should be clear boundaries between work and personal resources.
  6. Be wary of third-party websites; when your browser flags a website as not secure, do not proceed. Ensure HTTPS is used at all times when browsing the web.
  7. Organisations should embrace a zero-trust approach to security.
  8. Periodic security audits such as vulnerability scans and penetration tests should be conducted, and any identified gaps covered in a timely manner.
  9. Train end-users or staff on watering hole attack mitigation strategies.
  10. Audit permissions that are given to websites.
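The drive-by download and malvertising patterns described above, and the traffic monitoring recommended in item 3, can be checked for in web proxy logs. The following is an added example (not part of the ngCERT advisory): it flags executable downloads that were referred from one of a hypothetical set of frequently visited sites but served by a different host. The log format, the `FREQUENTED_SITES` set and the sample log lines are all constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed proxy log sample (not real traffic); whitespace-separated fields:
# time client_ip method url status content_type referer ("-" = none)
SAMPLE_LOG = """\
2023-07-20T09:01:12Z 10.0.5.21 GET https://industry-forum.example/threads/42 200 text/html -
2023-07-20T09:01:13Z 10.0.5.21 GET https://ads.example-net.test/serve?id=77 200 text/javascript https://industry-forum.example/threads/42
2023-07-20T09:01:15Z 10.0.5.21 GET https://cdn.example-net.test/update.exe 200 application/x-msdownload https://industry-forum.example/threads/42
2023-07-20T09:02:40Z 10.0.5.33 GET https://intranet.example/tools/setup.msi 200 application/x-msi https://intranet.example/tools/
2023-07-20T09:03:02Z 10.0.5.21 GET https://industry-forum.example/logo.png 200 image/png https://industry-forum.example/threads/42
"""

# Hypothetical set of sites the monitored group visits routinely (potential watering holes).
FREQUENTED_SITES = {"industry-forum.example"}

# Declared content types and URL extensions that indicate an executable payload.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/x-msi", "application/octet-stream"}
EXECUTABLE_EXTS = (".exe", ".msi", ".dll", ".scr", ".hta", ".jar")

def parse_log(text: str) -> list[dict]:
    """Parse the whitespace-separated format above into one dict per request."""
    records = []
    for line in text.splitlines():
        time, client, _method, url, status, ctype, referer = line.split()
        records.append({"time": time, "client": client, "url": url,
                        "status": int(status), "content_type": ctype.lower(),
                        "referer": None if referer == "-" else referer})
    return records

def is_executable(rec: dict) -> bool:
    """True if the response is executable by content type or by URL file extension."""
    path = urlparse(rec["url"]).path.lower()
    return rec["content_type"] in EXECUTABLE_TYPES or path.endswith(EXECUTABLE_EXTS)

def flag_drive_by(records: list[dict], frequented: set[str]) -> list[str]:
    """URLs of successful executable downloads referred from a frequented site but
    served by a different host: the drive-by / malvertising pattern. Same-origin
    downloads (e.g. an intranet installer from the intranet) are not flagged."""
    flagged = []
    for rec in records:
        if rec["status"] != 200 or rec["referer"] is None or not is_executable(rec):
            continue
        ref_host = urlparse(rec["referer"]).hostname
        if ref_host in frequented and ref_host != urlparse(rec["url"]).hostname:
            flagged.append(rec["url"])
    return flagged
```

On the sample, only the `update.exe` fetched from `cdn.example-net.test` while the user was on the forum is flagged; the intranet installer is same-origin and the ad script is not an executable payload. Flagged URLs are candidates for review, not proof of compromise.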