Rise and rise of exploit kits

by Mark Rowe

Dr Malcolm Murphy, Systems Engineering Manager at network security product company Infoblox, discusses the increasing prevalence and risks posed by exploit kits, and the evolution of this IT threat.

For several months, there has been an exponential increase in the use of exploit kits to execute cyber-attacks. Even household names are not immune from this threat as the exploits available have ratcheted up in power and sophistication. Perhaps most famously, the Daily Mail’s hugely popular “Mail Online” site fell victim to a “malvertising” campaign that exposed millions of its readers to CryptoWall ransomware. This successful attack is believed to have its roots in an exploit kit.

The key to the growing popularity of exploit kits as the basis for cyber-attacks lies in their relative ease of use: they significantly reduce the level of technical knowledge required to deliver malware and other threats. This increases the pool of potential attackers, a fact made more significant when we consider that some exploit kits have been built quite deliberately with a user-friendly interface to make it even easier to manage and monitor malware and other attacks. Exploit kits have previously acted as a vehicle for many different forms of malware, from malvertising or click-fraud attacks, through to ransomware or malware targeting users’ online banking portals. With the relatively newfound ease of delivering an attack via an exploit kit, it is perhaps unsurprising that they have quickly become the de facto method for some cybercriminals without the technical skills or inclination to script attacks of their own creation.

Unboxing an exploit kit

Typically, the infrastructure components of an exploit kit are threefold. First, the back end, which is made up of the control panel and payloads. Then there’s the middle layer, housing the exploit itself and a tool which is effectively a “drill” designed to tunnel into the victim’s back end server. Finally, the remaining ingredient is the proxy layer, which executes the exploit on the organisation’s server.

As well as sharing similar components, exploit kits usually follow much the same process to deliver their payload:

1) The user visits a website which is either under full or partial control of the attacker;

2) The user’s traffic is redirected through various intermediary servers;

3) The user then lands on the server hosting the exploit kit;

4) Next, the exploit kit attempts an install by seeking out and attacking vulnerabilities on the victim’s server;

5) If installation is successful, the attack’s malicious payload can then be delivered.

Although most exploit kits share broadly similar methodologies, differences start to creep in when we look at the types of vulnerabilities they seek to exploit, as well as the tactics used to navigate around an organisation’s defences.

Mobile: a moving target

Where once exploit kits were predominantly used to target desktop machines, the growing number of mobile devices in the world, combined with an ever-expanding list of use cases from email to mobile banking, means that cybercriminals are increasingly switching their attention to mobile as a platform. Combine the ubiquity of mobile devices with the low levels of security knowledge of most users, and mobile starts to look like a much softer target. As such, it’s not unreasonable to expect attackers to shift towards using web pages to deliver malware via a mobile browser, which is essentially the same approach as that used to deliver malware to desktop-based end points. Once delivered successfully, the malicious cargo can now operate behind the firewall. From here, the malware can also spread to other devices on the network and connect with a command-and-control (C&C) server. Making this connection enables it to either exfiltrate data and/or download even more malicious software. This communication often requires the use of the target’s Domain Name Server (DNS), which is a good reminder of the importance of securing DNS.

Know your enemy

Some exploits are more common than others. The Infoblox DNS Threat Index found that the Angler exploit kit accounted for 56 per cent of newly-observed exploit kit activity in the fourth quarter of 2015, while RIG accounted for 20 per cent. So what do these threats look like and why are they dangerous? Angler is one of the most sophisticated exploit kits currently used by cybercriminals. It is dangerous because of its specialised “domain shadowing” technique, which enables it to circumvent reputation-based blocking strategies and (for example) insert malicious URLs into legitimate ad networks. The effect is to redirect web traffic from infected ads to malicious domains which then infect the user’s machine with malware.

These kits are especially potent because they are often updated with zero-day vulnerabilities uncovered in popular software, like WordPress or Adobe Flash. Angler’s habit of using sophisticated cloaking techniques to hide its tracks makes it especially powerful, with traditional antivirus solutions unable to detect it.

Although it’s an older design, the RIG exploit kit has recently enjoyed something of a revival in an updated form. Analysis of its activity throughout 2015 found that RIG copied the domain shadowing techniques pioneered by Angler. Researchers at Heimdal Security recently found that RIG is also being used to deliver Google SEO poisoning, a technique which compromises a search engine’s optimisation methods in order to promote malicious websites.

With their various tactics and threat levels, exploit kits are lowering the barriers to entry into cybercrime and making it accessible to a greater number of cybercriminals. To guard against this growing threat, organisations should source a reliable threat intelligence provider, and use that information to stop malware communications taking place in their own network assets, such as DNS. This is the best approach to safeguard against the evolving and increasingly prevalent threat posed by exploit kits.
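One defensive way to act on two points made above, the domain-shadowing behaviour described under “Know your enemy” and the closing advice to use threat intelligence to stop malware communications at the DNS layer, as an added example that is not code from the article or from Infoblox: a small Python analyser for DNS query logs. The log lines, the blocklist, the `.test` domains and the random-label heuristic are all constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed DNS query log: "<ts> <client> <qname> <answer_ip>" (not real traffic)
SAMPLE_LOG = """\
1 10.0.0.5 www.example-news.test 203.0.113.10
2 10.0.0.5 ads.adnet-sample.test 198.51.100.7
3 10.0.0.5 k3j9x2q.adnet-sample.test 192.0.2.44
4 10.0.0.8 p0zq8wl.adnet-sample.test 192.0.2.44
5 10.0.0.8 x9a1m4c.adnet-sample.test 192.0.2.45
6 10.0.0.8 r7t2b8v.adnet-sample.test 192.0.2.45
7 10.0.0.9 landing.ek-blocked.test 192.0.2.99
8 10.0.0.9 mail.example-news.test 203.0.113.11
"""
# Constructed threat-intelligence feed (placeholder name, not a real indicator)
BLOCKLIST = {"ek-blocked.test"}
# Heuristic for machine-generated hostnames: 6+ chars mixing letters and digits
RANDOM_LABEL = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{6,}$")

def registered_domain(qname):
    # Naive: last two labels. A real deployment would use the public suffix list.
    return ".".join(qname.lower().split(".")[-2:])

def is_blocked(qname, blocklist):
    # Match the listed domain itself or any hostname beneath it (RPZ-style)
    q = qname.lower()
    return any(q == d or q.endswith("." + d) for d in blocklist)

def parse_log(text):
    for line in text.splitlines():
        _ts, client, qname, ip = line.split()
        yield client, qname.lower(), ip

def find_shadowing(records, min_random=3):
    # A registered domain is suspect when several random-looking hostnames under it
    # resolve to addresses that its ordinary hostnames never use.
    random_hosts, random_ips, normal_ips = defaultdict(set), defaultdict(set), defaultdict(set)
    for _client, qname, ip in records:
        reg = registered_domain(qname)
        if qname != reg and RANDOM_LABEL.match(qname.split(".")[0]):
            random_hosts[reg].add(qname)
            random_ips[reg].add(ip)
        else:
            normal_ips[reg].add(ip)
    return {reg: sorted(random_ips[reg]) for reg, hosts in random_hosts.items()
            if len(hosts) >= min_random and random_ips[reg].isdisjoint(normal_ips[reg])}

def analyse(log_text, blocklist):
    # Returns queries hit by the blocklist plus registered domains that look shadowed
    records = list(parse_log(log_text))
    blocked = [(c, q) for c, q, _ip in records if is_blocked(q, blocklist)]
    return {"blocked": blocked, "shadowing": find_shadowing(records)}
```

In the sample, the blocklist catches only the one known-bad domain, while the shadowing heuristic surfaces the ad-network domain whose random hostnames resolve away from its normal infrastructure, which is the pattern a reputation list alone would miss.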

© 2024 Professional Security Magazine. All rights reserved.
