Exploit kits have been frequently used by cybercriminals over the last couple of years to infect devices with malware and cause damage – be it holding data for ransom or stealing the data for profit. Exploit kit use is on the rise again as indicated by the latest Infoblox DNS Threat Index report which shows a 75% increase in exploit kit related activity in Q3 2015, compared to the same quarter in 2014.
There are several reasons exploit kits have become such a dangerous cyber threat. Here are the top five.
1. Using exploit kits requires minimal technical expertise.
Sophisticated cybercriminals create exploit kits by doing the hard work of figuring out vulnerabilities, attaching payloads to kits and packaging them for use. Then anyone who wants to attack a target can simply rent the exploit kit for a nominal fee. This greatly amplifies the impact of exploit kits and provides small-time thieves with dangerous ammunition to go after your data.
2. They target security holes in popular software.
Exploit kits take advantage of security holes and vulnerabilities in popular operating systems and software such as Adobe Flash and Java. These are programs that you and I use every day, yet we may not always click that “update” button when a new patch or fix is pushed to our device. People using older versions of Java or of their browser may be susceptible to certain exploit kits.
3. They are best at exploiting zero-day vulnerabilities.
Zero-day vulnerabilities are security holes in software that no one has detected before – not even the manufacturers of the software. This also means that there is no patch or fix available to close the holes. Certain exploit kits like Angler are very effective at incorporating zero-day vulnerabilities into their package, which makes it difficult for traditional antivirus technologies to be effective.
4. It is easy to lure victims.
Exploit kits use the age-old methods of spam or malvertising to lure users to a compromised site. When a user inadvertently clicks on a malicious ad or a malicious link, they are taken to a compromised site hosting the exploit kit. The exploit kit then delivers a malicious payload onto the victim’s device. This malicious payload can be ransomware like Cryptolocker or Cryptowall. It could also be malware that attempts to steal sensitive data such as regulated data, personally identifiable information (PII) or intellectual property.
Cryptowall 3.0 ransomware operators typically use the Angler exploit kit to launch attacks and, in a recent campaign mentioned in this Dark Reading article, raked in about US$325 million in ransom, mostly through Bitcoin payments.
Ensuring that end users are sufficiently trained in security best practices and policies is key to preventing exposure.
5. There are many of them.
If you thought the Angler exploit kit was the only one we need to worry about, think again. While Angler may be the most sophisticated and popular exploit kit, Neutrino and Magnitude follow closely on the heels of Angler as the favorites of cybercriminals. Fun! Another common exploit kit is Nuclear.
Angler is notorious for pioneering the “domain shadowing” technique and for incorporating malicious URLs into legitimate ad networks, infecting visitors to websites that are generally considered safe.
Magnitude differs from other exploit kits in that it uses a traffic-sharing model: instead of renting the kit, cybercriminals must share a portion of the traffic from their campaigns with the exploit kit administrators, who then use that traffic to carry out their own malicious activities.
Most exploit kits use a similar method of infection but vary in the type of vulnerabilities they take advantage of and the tricks they use to defeat antivirus defenses.
So what can you do about exploit kits?
Protecting users, data and applications requires a network architecture that is robust and secure enough to address these threats not just at one stage of the exploit, but across the entire kill chain. Organizations should not just invest in perimeter protection (we all know the perimeter is getting ambiguous as the workforce becomes distributed and mobile) but also incorporate defense-in-depth strategies that span the network and security layers. Exploit kits, command and control malware, phishing and other threats use DNS as their backbone. So building security into the DNS infrastructure and sharing threat data between network and security solutions can be an effective mitigation technique.
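As an added example (not part of the original post and not Infoblox's own code), the following Python script applies two defender-side DNS checks that the post alludes to: RPZ-style matching of queried names against a threat feed, and a heuristic for the "domain shadowing" behaviour mentioned under Angler, namely many distinct, random-looking subdomains suddenly appearing under one legitimately registered domain. The threat feed, domain names, client IPs, timestamps and log lines are all constructed placeholders, and the registrable-domain logic (last two labels) is a simplification that a real deployment would replace with the Public Suffix List.

```python
"""Defender-side DNS log triage for exploit-kit activity.

Added example, not Infoblox's code. Two checks:
  1. RPZ-style matching of queried names against a threat feed, where a
     feed entry covers the name itself and every subdomain beneath it.
  2. A domain-shadowing heuristic: many distinct, random-looking subdomains
     appearing under one registrable domain within a short window.
Every domain, client IP, timestamp and log line below is constructed.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed stand-in for an RPZ / threat-intelligence feed.
THREAT_FEED = {"bad-ads.example", "payload.example"}

# Constructed resolver log, one query per line: "<timestamp> <client> <qname>"
SAMPLE_LOG = """\
2015-10-01T10:00:01 10.0.0.5 www.news-site.example
2015-10-01T10:00:02 10.0.0.5 cdn.bad-ads.example
2015-10-01T10:00:03 10.0.0.5 x7k2qa.legit-shop.example
2015-10-01T10:00:04 10.0.0.5 p93mzt.legit-shop.example
2015-10-01T10:00:05 10.0.0.5 q1v8tn.legit-shop.example
2015-10-01T10:00:06 10.0.0.5 aw77rb.legit-shop.example
2015-10-01T10:00:07 10.0.0.5 dl.payload.example
2015-10-01T10:00:08 10.0.0.9 mail.corp.example
"""


def parse_log(text):
    """Return a list of (timestamp, client, qname) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        records.append((datetime.fromisoformat(ts), client,
                        qname.lower().rstrip(".")))
    return records


def feed_match(qname, feed=THREAT_FEED):
    """Return the feed entry covering qname (exact or any parent), else None."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate
    return None


def registrable_domain(qname):
    """Simplification: the last two labels. A real deployment should use the
    Public Suffix List so that names like 'example.co.uk' are handled."""
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s):
    """Bits of entropy per character; machine-generated labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def shadowing_suspects(records, window_seconds=60, min_subdomains=4,
                       min_entropy=2.0):
    """Map registrable domain -> count of distinct random-looking subdomains
    seen within one window_seconds window, for domains at/above threshold."""
    by_base = defaultdict(list)
    for ts, _client, qname in records:
        labels = qname.split(".")
        if len(labels) < 3:
            continue  # nothing below the registrable domain
        by_base[registrable_domain(qname)].append((ts, ".".join(labels[:-2])))

    suspects = {}
    for base, items in by_base.items():
        items.sort()
        for start in range(len(items)):  # sliding window over sorted queries
            t0 = items[start][0]
            subs = set()
            for ts, sub in items[start:]:
                if (ts - t0).total_seconds() > window_seconds:
                    break
                if shannon_entropy(sub) >= min_entropy:
                    subs.add(sub)
            if len(subs) >= min_subdomains:
                suspects[base] = len(subs)
                break
    return suspects


def triage(log_text):
    """Run both checks and return the findings as plain data."""
    records = parse_log(log_text)
    feed_hits = []
    for _ts, client, qname in records:
        hit = feed_match(qname)
        if hit:
            feed_hits.append((client, qname, hit))
    return {"feed_hits": feed_hits, "shadowing": shadowing_suspects(records)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

On the constructed log, the feed check flags the two queries under `bad-ads.example` and `payload.example`, and the shadowing heuristic flags `legit-shop.example` because four distinct high-entropy subdomains appear under it within a few seconds. The thresholds are deliberately parameters: in a real resolver log, tune `min_subdomains`, `window_seconds` and `min_entropy` against a baseline of normal CDN and cloud-hosting traffic before acting on the output.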