The expanding landscape of exploit kits

As exploit kits evolve, so too does their impact on business operations and security

Angler, Magnitude, and Nuclear are among the exploit kits criminals most commonly use to deliver a variety of payloads, from botnets to ransomware. Exploit kits are really just a means for malicious actors to get in the door. The payload installed afterwards is specific to the criminal behind the attack, and it is that payload that has the profound impact on business operations.

The prevalence of exploit kits and the techniques favored by attackers change quite often. Only a few years ago, Black Hole was the most popular exploit kit, until its author, Dmitry “Paunch” Fedotov, was arrested. In the years that followed his arrest, the use of Black Hole declined. Despite "Paunch" being sentenced to seven years in prison last month, exploit kit authors remain undeterred, and derivative kits continue to appear.

Carl Leonard, principal security analyst at ForcePoint, said that Angler has become popular with malware authors over the past few months. “It’s updated rapidly with exploit code that is new. Many security vendors don’t know about it and don’t have the facility to protect against it,” said Leonard.

“Malware authors try to obfuscate the code. Very advanced malware authors would use protocol level manipulation as payload to send fragments of the exploits through to the end user so that the firewall doesn’t appreciate that this is an exploit,” Leonard said.

Where exploit kits have traditionally required a victim to visit a website and be compromised there, criminals are now going one step further.

“Three or four weeks ago, we detected a threat called Samsam being installed from a network vulnerability. The Samsam actors thought of combining network-based vulnerabilities with ransomware, which opens the door for more targeted attacks using a ransomware spring like a network-based worm,” said Craig Williams, security outreach manager, Cisco Talos.

“If you have systems and files being encrypted or file share becomes encrypted, that’s a huge impact. Dozens of hospitals have been attacked recently, and for some it has taken them days to recover. That means massive downtime, rescheduling major surgeries. It’s literally putting lives at risk,” Williams said.

Through their networks on the dark web, nefarious actors learn that new exploits are being used in the wild, making them aware of even zero-day vulnerabilities before the general public. Leonard said, “Under responsible disclosure, a researcher will identify the use of a brand new exploit script to a vendor. The vendor then releases a patch that can be applied to the business.”

Businesses, though, struggle to apply those patches expeditiously. The level of sophistication and the relative ease with which criminals can obtain exploit kits compromises business operations and has security teams in overdrive trying to expedite the patching process.

Keeping all patches up to date is key for business continuity, as downtime is the single greatest impact on business operations.

“You have to take the system completely out of operations and rebuild it and make sure all of the sub systems don’t have similar infections,” said Todd Feinman, CEO at Identity Finder.

Joey Peloquin, senior manager of threat intelligence and vulnerability management at Citrix, said that beyond downtime, exploit kits pose another threat to the enterprise: gathering credentials.

“It’s arguably a larger threat. If they are able to log keystrokes for domain credentials, they can potentially log in and take advantage of rights and privileges in the environment. This could result in data exfiltration and leave the enterprise open to virtually every threat at that point,” Peloquin said.

“The best thing the industry can do is not write software that has vulnerabilities, but we know that’s not going to happen,” said Leonard.

Williams agreed. “Software itself has to be built with security in mind,” he said. “One thing to keep in mind is that these guys are really, really good at implementing new vulnerabilities.”

As is often the case with solutions to security threats, there is no silver bullet. “Multiple strategies are necessary,” said Andrew Wertkin, CTO, BlueCat.

“There is traditional endpoint management, leveraging well known vulnerabilities that could have patches, and keeping protections up to date,” Wertkin continued.

Because enterprises are dealing with an expanding network and many more devices that might not have endpoint protection, “They need to be making sure any of the well-known vulnerabilities that they use are patched,” Wertkin said. In addition, there are many other layers that need to be used.

Wertkin said, “DNS is used by exploit kits themselves or payloads to look for that suspicious behavior. There have been variances created and they often have similar patterns.” Wertkin also recommended, “Go to sites to see what the Internet gateway IP address is.”

While there are a variety of solutions in IT security, “In a world where we are only blocking what we know to be bad, we aren’t protecting ourselves. Enterprises need an appropriate security architecture where they can have a suspect-based and behavior-based analysis,” Wertkin said.
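The DNS-based and behavior-based analysis Wertkin describes can be illustrated with a small triage script. The following is an added example, not code from BlueCat or any vendor quoted in this article. It assumes a constructed, simplified log format of one query per line (`<timestamp> <client_ip> <qname> <rcode>`), and the thresholds it uses (label entropy, digit ratio, NXDOMAIN ratio) are illustrative starting points rather than tuned values. Rather than matching a blocklist of known-bad domains, it looks for the kind of pattern exploit-kit landing pages and payload callbacks tend to share: bursts of algorithmically generated-looking names and a high rate of failed lookups from a single client.

```python
"""Behaviour-based triage of DNS query logs.

Added example for this article (not vendor code). Assumes a constructed
log format: "<timestamp> <client_ip> <qname> <rcode>" per line.
"""
import math
import re
from collections import defaultdict

# Constructed sample log lines, not real traffic. Client 10.0.0.7 queries a
# burst of random-looking .biz names, most of which do not resolve.
SAMPLE_LOG = """\
1459000000 10.0.0.5 www.example.com NOERROR
1459000001 10.0.0.5 cdn.example.net NOERROR
1459000002 10.0.0.7 xk3q9v7z2p1mrt8w.biz NXDOMAIN
1459000003 10.0.0.7 q8w2e4r6t9y1u3i5.biz NXDOMAIN
1459000004 10.0.0.7 a1b2c3d4e5f6g7h8.biz NXDOMAIN
1459000005 10.0.0.7 zz7yy8xx9ww0vv1u.biz NOERROR
1459000006 10.0.0.9 mail.example.org NOERROR
1459000007 10.0.0.9 update.example.org NOERROR
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Naive second-level label (ignores public-suffix rules; fine for the sample)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_log(text):
    """Parse the assumed log format into a list of dict records; skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, rcode = m.groups()
        records.append({"ts": int(ts), "client": client,
                        "qname": qname.lower(), "rcode": rcode.upper()})
    return records


def domain_features(qname):
    """Per-name features used to judge whether a label looks machine-generated."""
    label = registrable_label(qname)
    digits = sum(ch.isdigit() for ch in label)
    return {"label": label, "length": len(label),
            "entropy": shannon_entropy(label),
            "digit_ratio": digits / len(label) if label else 0.0}


def triage(records, entropy_threshold=3.5, nx_ratio_threshold=0.5, min_queries=3):
    """Return {client_ip: [reasons]} for clients whose DNS behaviour stands out.

    Thresholds are illustrative assumptions; tune them against your own baseline.
    """
    per_client = defaultdict(lambda: {"total": 0, "nx": 0, "suspicious": set()})
    for r in records:
        stats = per_client[r["client"]]
        stats["total"] += 1
        if r["rcode"] == "NXDOMAIN":
            stats["nx"] += 1
        f = domain_features(r["qname"])
        if f["entropy"] >= entropy_threshold and f["digit_ratio"] >= 0.2:
            stats["suspicious"].add(r["qname"])

    findings = {}
    for client, s in per_client.items():
        if s["total"] < min_queries:  # too little data to judge
            continue
        nx_ratio = s["nx"] / s["total"]
        reasons = []
        if nx_ratio >= nx_ratio_threshold:
            reasons.append(f"nxdomain_ratio={nx_ratio:.2f}")
        if len(s["suspicious"]) >= 2:
            reasons.append(f"dga_like_domains={len(s['suspicious'])}")
        if reasons:
            findings[client] = reasons
    return findings


if __name__ == "__main__":
    for client, reasons in triage(parse_log(SAMPLE_LOG)).items():
        print(client, "->", ", ".join(reasons))
```

Run against the constructed sample, only 10.0.0.7 is flagged, for both its NXDOMAIN ratio and the cluster of high-entropy names; the two clients querying ordinary `example.*` hosts are ignored. In production the same logic would read from a resolver or passive-DNS feed, and the per-client counters would be kept over a sliding window rather than the whole file.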

Attackers, though, are highly motivated. Most often they have a specific objective, said Ravi Devireddy, co-founder and CTO at E8 Security. Given that these attacks are not always random, Devireddy said, “The tools, techniques and procedures would be adapted and specific to the organization. It’s customized for that company.”

Criminals know that applying software patches can be intrusive and that not everyone is keeping their patches up to date, said Devireddy. “It’s a time consuming process. Increasingly we are seeing automation, but it does take time. The server-side patch requires a reboot, and there is a business impact to that,” he continued.

Malicious actors then use social engineering tactics in a campaign sent to end users who often unknowingly click on a fraudulent link. “Security awareness training is a critical part of security. Criminals can easily identify staff and employees and know who is working where. They have a very specific and very effective campaign targeting people,” Devireddy said.

Other updated detection methods include testing sites from a client perspective, said Feinman. “If you examine from the client side, you are testing from the outside in. You would see some of this activity, some indicators of compromise.”

There are sandboxing techniques and solutions that would allow you to do the tests in real time, said Feinman. “Once you have a known identifier, those systems can be configured and quarantined. The tests can run in a live environment, but not one that can get out and infect other systems.”

Unfortunately, security practitioners are challenged by the fact that some exploit kits do check to see if they are running in a virtual environment. “Exploit kits don’t spread and pray,” said Peloquin.

“When a contact is made, that user is dropped off at a gate, and there is security profiling happening at that gate. If it detects a sandbox, it won’t execute a payload, so it can turn into a game of whack-a-mole,” Peloquin said.

Enterprises can benefit from threat intelligence, though. “If we have partners sharing threat intelligence, we can get ahead of the threat and block and manage,” said Peloquin.

Stories by Kacy Zurkus