For several months now there has been a sharp rise in cyber-attacks built on exploit kits. Even household names are not immune, as the exploits on offer have grown in power and sophistication. Perhaps most famously, the Daily Mail's hugely popular "Mail Online" site fell victim to a "malvertising" campaign that exposed millions of its readers to CryptoWall ransomware; that attack is believed to have been delivered through an exploit kit.
The key to the growing popularity of exploit kits lies in their ease of use: they significantly reduce the technical knowledge a cybercriminal needs to deliver malware and other threats, which widens the pool of potential attackers. This is all the more significant when some kits have been built quite deliberately with user-friendly control panels that make it easy to manage and monitor infections.
Exploit kits have carried many different forms of malware, from click-fraud bots to ransomware and trojans that target users' online banking portals. With delivery made this easy, it is unsurprising that kits have quickly become the de facto method for cybercriminals who lack the skills or the inclination to script attacks of their own.
Unboxing an exploit kit
Typically the infrastructure of an exploit kit has three layers. At the back is the control panel together with the payloads that will be dropped on victims. The middle layer houses the exploit code itself and the landing page that probes a visitor's browser, operating system and plugins so the kit can choose an exploit that will work against that particular machine. In front sits the proxy (or "gate") layer: the public-facing servers that victims are actually redirected to, which forward traffic to the kit and keep the back end hidden from investigators.
The components are much the same from kit to kit, and so is the sequence by which a kit delivers its payload:
Although most exploit kits share broadly similar methodologies, differences start to creep in when we look at which vulnerabilities they target and the tactics they use to get past an organisation's defences.
Mobile: a moving target
Where once exploit kits were used predominantly against desktop machines, the growing number of mobile devices in the world, combined with an ever-expanding list of uses from email to mobile banking, means that cybercriminals are increasingly turning their attention to mobile as a platform. Combine the ubiquity of mobile devices with the low security awareness of most users, and mobile starts to look like a much softer target. It is therefore reasonable to expect attackers to deliver malware through web pages opened in a mobile browser, essentially the same drive-by approach used against desktop endpoints.
Once delivered successfully, the malicious payload is operating behind the firewall. From there it can spread to other devices on the network and connect to a command-and-control (C&C) server, which lets it exfiltrate data and/or download further malicious software. That communication usually begins with a name lookup through the target's own DNS resolver, which is a good reminder of the importance of securing DNS.
Know your enemy
Some exploit kits are more common than others. Here's a quick run-down of the kits that should be on your radar.
Defensive tactics: A standard approach won’t work
Defending against exploit kits is challenging. Beyond the administrative burden of managing software updates across a large enterprise, new vulnerabilities are discovered frequently and new exploits are constantly being developed to take advantage of them. There are two common approaches to defending against exploit kits that many companies employ today:
More effective together: A multi-layered strategy
As exploit kits have grown more sophisticated, no single defence is effective on its own. Adequate protection needs several layers: protected endpoints, and an IPS/IDS with current signatures to identify and block known attack code. Importantly, these should be backstopped by a DNS response policy zone (RPZ) carrying IP-address policies for known attack servers, so that any lookup whose answer resolves to a hostile address is blocked, regardless of which hostname was queried. (An RPZ is a specially formatted DNS zone loaded by the resolver; its records pair a trigger, such as a queried name or an address appearing in an answer, with the action the resolver should take, according to policies set by the administrator.) Keying policy on IP addresses rather than domains is more effective because attack servers typically stay active for hours or days before disappearing, whereas the hostnames pointing at them are rotated in minutes.
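As an added illustration of the IP-policy RPZ described above (this is example configuration written for this page, not Infoblox's or the article's own), here is a minimal policy zone in BIND 9 zone-file format. It assumes a recursive BIND resolver to which the zone is attached with a `response-policy { zone "rpz.example.local"; };` statement in named.conf, and the blocked addresses are drawn from the RFC 5737 documentation ranges purely as constructed examples.

```zone
; /etc/bind/rpz.example.local.db  (example policy zone; addresses are constructed)
;
; Load it in named.conf, inside options {}, with:
;   response-policy { zone "rpz.example.local"; };
; and serve it locally:
;   zone "rpz.example.local" { type master; file "/etc/bind/rpz.example.local.db"; };

$TTL 300
@   IN SOA  localhost. hostmaster.localhost. ( 2024010101 3600 900 604800 300 )
    IN NS   localhost.

; --- IP triggers ------------------------------------------------------
; Owner name format: <prefix-length>.<IPv4 octets in reverse order>.rpz-ip
; The trigger fires when an address in the range appears in the ANSWER
; of any lookup, so a freshly registered hostname that points at a known
; attack server is caught without needing its own rule.

; 192.0.2.0/24 (constructed "attack server" range): answer NXDOMAIN
24.0.2.0.192.rpz-ip      CNAME .

; a single host 198.51.100.77 (constructed): answer NODATA instead
32.77.100.51.198.rpz-ip  CNAME *.

; --- QNAME trigger, for comparison -------------------------------------
; Blocks one specific hostname only; attackers rotate these in minutes,
; which is why the IP triggers above do the heavy lifting.
bad-landing.example      CNAME .
```

`CNAME .` makes the resolver return NXDOMAIN and `CNAME *.` returns NODATA; both are standard RPZ actions. After reloading named, a query such as `dig @127.0.0.1 <any-name> A` whose real answer falls in 192.0.2.0/24 comes back NXDOMAIN, and enabling the `rpz` logging category records each rewrite so the blocked lookups can be fed to the SOC as indicators of a compromised endpoint trying to reach its C&C.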
About the Author
Cherif Sleiman is VP EMEA at Infoblox. Sleiman has more than 22 years of sales, technical and business experience with some of the world's leading networking and telecommunications technology companies, including Cisco Systems and Nortel Networks. He is a subject matter expert and well versed in the areas of security, compliance, cloud and technology trends.