Guest Written By: Cherif Sleiman, Vice President, Europe, Middle East and Africa at Infoblox
For several months now, there has been an exponential increase in the use of exploit kits to execute cyber-attacks. Even household names are not immune from this threat as the exploits available have ratcheted up in power and sophistication. Perhaps most famously, the Daily Mail’s hugely popular “Mail Online” site fell victim to a “malvertising” campaign that exposed millions of its readers to CryptoWall ransomware. This successful attack is believed to have its roots in an exploit kit.
The key to the growing popularity of exploit kits as the basis for cyber-attacks lies in the relative ease of use for cybercriminals by significantly reducing the level of technical knowledge required to deliver malware and other threats. This increases the pool of potential attackers, a fact made more significant when we consider that some exploit kits have been built quite deliberately with a user-friendly interface to make it even easier to manage and monitor malware and other attacks.
Exploit kits have previously acted as a vehicle for many different forms of malware, from malvertising or click-fraud attacks, through to ransomware or malware targeting users’ online banking portals. With the relatively newfound ease of delivering an attack via an exploit kit, it is perhaps unsurprising that they have quickly become the de facto method for some cybercriminals without the technical skills or inclination to script attacks of their own creation.
Unboxing an exploit kit
Typically, the infrastructure components of an exploit kit are threefold. First, the back end, which is made up of the control panel and the payloads. Then there is the middle layer, housing the exploit itself and a tool which is effectively a “drill” designed to tunnel into the victim’s back end server. Finally, the remaining ingredient is the proxy layer, which executes the exploit on the organization’s server.
Just as their components are similar, there is usually no great variation in the process by which an exploit kit delivers its payload:
- The user visits a website which is either under full or partial control of the attacker
- The user’s traffic is redirected through various intermediary servers
- The user then lands on the server hosting the exploit kit
- Next, the exploit kit attempts an install by seeking out and attacking vulnerabilities on the victim’s server
- If installation is successful, the attack’s malicious payload can then be delivered.
Although most exploit kits share broadly similar methodologies, differences start to creep in when we look at the types of vulnerabilities they seek to exploit, as well as the tactics used to navigate around an organization’s defenses.
Mobile: a moving target
Where once exploit kits were predominantly used to target desktop machines, the growing number of mobile devices in the world, combined with an ever-expanding list of use cases from email to mobile banking, means that cybercriminals are increasingly switching their attention to mobile as a platform. Combine the ubiquity of mobile devices with the low level of security knowledge of most users, and mobile starts to look like a much softer target. As such, it is not unreasonable to expect attackers to shift towards using web pages to deliver malware via a mobile browser, which is essentially the same approach as that used to deliver malware to desktop-based endpoints.
Once delivered successfully, the malicious cargo can operate behind the firewall. From there, the malware can spread to other devices on the network and connect with a command-and-control (C&C) server. Making this connection enables it to exfiltrate data and/or download even more malicious software. This communication usually requires the use of the target’s Domain Name System (DNS), which is a good reminder of the importance of securing DNS.
Know your enemy
Some exploits are more common than others. Here’s a quick run-down of the exploit kits that should be on your radar.
- RIG (variants include RIG-V, Empire Pack): RIG is currently the most active of the for-hire exploit kits. Most of the major actors transitioned to RIG after the Nuclear and Angler exploit kits shut down in mid-2016 and Neutrino went private in late 2016. RIG frequently uses randomly generated domains in the .top TLD and points to IP addresses at Russian hosting services. There are three major variants: RIG ‘classic’, RIG-V, and the Empire Pack.
- Astrum, aka Stegano: First detected in 2014, Astrum was recently discovered using innovative steganographic techniques to hide attack code in the alpha-channel of images. This approach is used to sneak malicious code into advertising networks/malvertising, which results in high-profile websites exposing visitors to malicious code.
- Sundown: More notable for stealing from other exploit kits than developing its own unique attacks, Sundown does have one innovation not seen with other kits: the acquisition of domains registered by innocent parties that are near expiration. Because the domains have generally been parked or used for banner-farming before being acquired by the exploit kit operators, the domains used by Sundown generally have a history of legitimate use and will not be reliably blocked by reputation-based systems.
- Neutrino: Neutrino briefly became the preferred for-hire exploit kit after the Angler shutdown. Then it went private, ceasing to perform exploitation-as-a-service. This resulted in a general transition to RIG. Neutrino is still active, but at a greatly reduced level.
Defensive tactics: A standard approach won’t work
Defending against exploit kits is challenging. In addition to the administrative issues inherent in managing software updates in a large enterprise, new vulnerabilities are discovered frequently, and new exploits are constantly being developed to take advantage of those vulnerabilities. There are two common approaches to defending against exploit kits that many companies employ today:
- Intrusion prevention/detection systems (IPS/IDS), which use signatures to scan network traffic for known attack code, are the most popular approach. However, the effectiveness of this approach depends on having a set of current signatures that will reliably identify and block attacks without interfering with legitimate network traffic. Because signature-based defenses rely on recognizing the exploit code itself, the constant development of new exploits steadily erodes their effectiveness.
- Blacklisting malicious domains to block traffic to them is almost totally ineffective, as the domains used to serve attack payloads are deployed and discarded over a very short timeframe (often less than an hour), while block lists typically are updated every 24 hours. The exploit kit operators frequently hack websites to add hidden links to the exploit kits, or sneak malicious links into advertising networks, so even high-profile websites maintained by a team of professional full-time webmasters can be dangerous.
More effective together: A multi-layered strategy
As the sophistication of exploit kits has increased, it has reached the point that no single defense is effective on its own. Adequate protection requires multiple layers: protected endpoints, and an IPS/IDS with current signatures to identify and block known attack code. Importantly, this should be backstopped by an IP Policy RPZ containing the IP addresses of known attack servers, to block any DNS lookup that resolves to a hostile IP address, regardless of the specific hostname being looked up. (An RPZ, or “response policy zone,” is a file that contains information about malicious IP addresses and instructs the DNS server how to treat requests according to policies set by the administrator.) Targeting IP addresses rather than domains is more effective, as attack servers typically stay active for hours or days – versus minutes for the domains – before disappearing.
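The IP Policy RPZ described above, as an added example that is not Infoblox’s or the author’s code: it encodes hostile networks as rpz-ip trigger names (the owner-name convention BIND uses for IP-based RPZ triggers), renders the zone records, and shows why the resolver’s decision keys on the resolved address rather than the hostname. The hostile networks and DNS answers are constructed samples using documentation address ranges.

```python
import ipaddress

# Constructed sample IP Policy RPZ: attack-server ranges the resolver should refuse
# to hand back to clients (RFC 5737 documentation addresses, not real indicators).
HOSTILE_NETWORKS = ["203.0.113.0/24", "198.51.100.7/32"]

# Constructed sample upstream answers: queried hostname -> A records returned.
# The third entry mimics a short-lived, randomly generated .top domain.
SAMPLE_ANSWERS = {
    "ads.example.test": ["203.0.113.45"],
    "cdn.example.test": ["192.0.2.10"],
    "xk3jq9.top": ["198.51.100.7"],
}


def rpz_ip_trigger(network: str) -> str:
    """Encode an IPv4 network as an rpz-ip trigger owner name:
    <prefixlen>.<octets in reverse order>.rpz-ip (BIND's convention)."""
    net = ipaddress.ip_network(network, strict=False)
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + ".rpz-ip"


def render_ip_policy_records(networks, action="CNAME ."):
    """Zone records for the IP Policy RPZ. The 'CNAME .' action makes the resolver
    answer NXDOMAIN, so the client never receives the hostile address."""
    return [f"{rpz_ip_trigger(n)} IN {action}" for n in networks]


def apply_ip_policy(hostname, a_records, networks):
    """Resolver-side decision: the policy matches on the answer's IP addresses, so a
    freshly registered hostname pointing at a known attack server is still blocked."""
    hostile = [ipaddress.ip_network(n, strict=False) for n in networks]
    for addr in a_records:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in hostile):
            return "NXDOMAIN"
    return "PASS"


def evaluate_all(answers=SAMPLE_ANSWERS, networks=HOSTILE_NETWORKS):
    """Verdict per queried hostname for the sample answers."""
    return {host: apply_ip_policy(host, recs, networks) for host, recs in answers.items()}


if __name__ == "__main__":
    for record in render_ip_policy_records(HOSTILE_NETWORKS):
        print(record)
    for host, verdict in evaluate_all().items():
        print(f"{host:20s} -> {verdict}")
```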