The expanding landscape of exploit kits
- 02 May, 2016 21:51
Angler, Magnitude, and Nuclear are a few of the most commonly used exploit kits criminals are using to deliver a variety of payloads from botnets to ransomware. Exploit kits are really just a means for malicious actors to get in the door. Once their payloads are installed, the payload is unique to the criminal, and the payload delivered has a profound impact on business operations.
The prevalence of exploit kits and the techniques favored by attackers changes quite often. Only a few years ago, Black Hole was the most popular exploit kit until its author, Dmitry “Paunch” Fedotov was arrested. In the years that followed his arrest, the use of Black Hole declined. Despite "Paunch" being sentenced to seven years in prison last month, exploit kit authors remain undeterred and vigilant in their derivatives.
Carl Leonard, principal security analyst at ForcePoint, said that Angler has become popular with malware authors over the past few months. “It’s updated rapidly with exploit code that is new. Many security vendors don’t know about it and don’t have the facility to protect against it,” said Leonard.
“Malware authors try to obfuscate the code. Very advanced malware authors would use protocol level manipulation as payload to send fragments of the exploits through to the end user so that the firewall doesn’t appreciate that this is an exploit,” Leonard said.
Where exploit kits have required a person going to a website and getting compromised, criminals are now going one step further.
“Three or four weeks ago, we detected a threat called Samsam being installed from a network vulnerability. The Samsam actors thought of combining network-based vulnerabilities with ransomware, which opens the door for more targeted attacks using a ransomware spring like a network-based worm,” said Craig Williams, security outreach manager, Cisco Talos.
“If you have systems and files being encrypted or file share becomes encrypted, that’s a huge impact. Dozens of hospitals have been attacked recently, and for some it has taken them days to recover. That means massive down time, rescheduling major surgeries. It’s literally putting lives at risk,” Williams said.
Through their networks in the dark web, nefarious actors are informed that new exploits are seen in the wild, making them aware of even zero-day vulnerabilities before the general public. Leonard said, “Under responsible disclosure, a researcher will identify the use of a brand new exploit script to a vendor. The vendor then releases a patch that can be applied to the business.”
Businesses, though, struggle to apply those patches expeditiously. The level of sophistication and the relative ease with which criminals can access exploit kits compromises business operations and has security teams on overdrive trying to expedite the patching process.
Keeping all patches up to date is key for business continuity as down time is the single greatest impact on business operations.
“You have to take the system completely out of operations and rebuild it and make sure all of the sub systems don’t have similar infections,” said Todd Feinman, CEO at Identify Finder.
Joey Peloquin, senior manager of threat intelligence and vulnerability management at Citrix, said that beyond down time exploit kits pose another threat to the enterprise: gathering credentials.
“It’s arguably a larger threat. If they are able to log keystrokes for domain credentials, they can potentially login and take advantage of rights and privileges in the environment. This could result in data exfiltration and leave the enterprise open to virtually every threat at that point,” Peloquin said.
“The best thing the industry can do is not write software that has vulnerabilities, but we know that’s not going to happen,” said Leonard.
Williams agreed. “Software itself has to be built with security in mind,” he said. “One thing to keep in mind is that these guys are really, really good at implementing new vulnerabilities."
Andrew Wertkin, CTO, BlueCat
As is often the case with solutions to security threats, there is no silver bullet. “Multiple strategies are necessary,” said Andrew Wertkin, CTO, BlueCat.
“There is traditional end point management, leveraging well known vulnerabilities that could have patches, and keeping protections up to date,” Wertkin continued.
Because enterprises are dealing with an expanding network and many more devices that might not have end point protection, “They need to be making sure any of the well know vulnerabilities that they use are patched,” Wertkin said. In addition, there are many other layers that need to be used.
Wertkin said, “DNS is used by exploit kits themselves or payloads to look for that suspicious behavior. There have been variances created and they often have similar patterns.” Wertkin also recommended, “Go to sites to see what the Internet gateway IP address is.”
While there are a variety of solutions in IT security, “In a world where we are only blocking what we know to be bad, we aren’t protecting ourselves. Enterprises need an appropriate security architecture where they can have a suspect-based and behavior-based analysis,” Wertkin said.
Attackers, though, are highly motivated. Most often they have a specific objective, said Ravi Devireddy, co-founder and CTO at E8 Security. Given that these attacks are not always random, Devireddy said, “The tools, techniques and procedures would be adapted and specific to the organization. It’s customized for that company.”
Criminals know that applying software patches can be intrusive and that not everyone is keeping their patches up to date, said Devireddy. “It’s a time consuming process. Increasingly we are seeing automation, but it does take time. The server side patch requires a reboot, and there is a business impact to that,” he continued.
Malicious actors then use social engineering tactics in a campaign sent to end users who often unknowingly click on a fraudulent link. “Security awareness training is a critical part of security. Criminals can easily identify staff and employees and know who is working where. They have a very specific and very effective campaign targeting people,” Devireddy said.
Other updated detection methods include testing sites from a client perspective, said Feinman. “If you examine from the client side, you are testing from the outside in. You would see some of this activity, some indicators of compromise.”
There are sandboxing techniques and solutions that would allow you to do the tests in real time, said Feinman. “Once you have a known identifier, those systems can be configured and quarantined. The tests can run in a live environment, but not one that can get out and infect other systems.”
Unfortunately, security practitioners are challenged by the fact that some exploit kits do check to see if they are running in a virtual environment. “Exploit kits don’t spread and pray,” said Peloquin.
“When a contact is made, that user is dropped off at a gate, and there is security profiling happening at that gate. If it detects a sandbox, it won’t execute a payload, so it can turn into a game of whack-a-mole,” Peloquin said.
Enterprises can benefit from threat intelligence, though. “If we have partners sharing threat intelligence, we can get ahead of the threat and block and manage,” said Peloquin.