These days you don’t even have to click on a link or go to a suspicious website to be infected by malware. In fact, a user can be infected while simply reading the news on a legitimate site. How does this happen? Bad actors use “exploit kits,” or prepackaged tool kits to silently install malware on a computer or device without any user activity required. As you can imagine, this stealthy, virtually undetectable method makes it very difficult for cybersecurity teams to warn and defend users and businesses against these scams.
In 2015, there was a spike in exploit kit activity due to a large malvertising campaign that delivered malicious ads through legitimate ad network channels to mainstream websites. The campaign redirected users’ browsers to an exploit kit called Angler – the most widely used and aggressive exploit kit on the market at the time. In mid-2016, however, it seems Angler was shut down, possibly due to the arrests of cybercriminals in Russia. Other exploit kit providers are currently jockeying to fill the void, including RIG, Astrum and Sundown (see “Key exploit kit players” section below). Although exploit kit activity has calmed somewhat, it’s probably only a matter of time until it ramps up again, so cybersecurity teams need to remain on alert.
How exploit kits work
Before I discuss specific exploit kits, here’s a little background on how exploit kits work. Exploit kits are designed to take advantage of vulnerabilities found in operating systems, web browsers, and browser plugins such as Flash, Silverlight, or Java to deliver a payload, which can be any type of malware, including ransomware, remote-access Trojans and malware that collects login credentials. Exploit kits are most typically delivered via malvertising, i.e., fraudulent ads, which works in one of two ways. As with more traditional approaches like phishing, some malvertising uses social engineering tactics to prompt users to click on the ad, which then allows the malware to be installed on the user’s computer or device. Much more subversive is “drive-by downloading,” which can happen automatically when a user simply visits a web page that has a malicious ad on it.
Key exploit kit players
Here’s a quick run-down of the exploit kits that should be on your radar.
- RIG (variants include RIG-V, Empire Pack): RIG is currently the most active of the for-hire exploit kits. Most of the major actors transitioned to RIG after the Nuclear and Angler exploit kits shut down in mid-2016 and Neutrino went private in late 2016. RIG frequently uses randomly generated domains in the .top TLD and points to IP addresses at Russian hosting services. There are three major variants: RIG ‘classic’, RIG-V, and the Empire Pack. From the victim’s perspective there is little to distinguish the versions, but RIG-V uses less predictable URL patterns and generally deploys newer exploit shellcode; this reduces the effectiveness of intrusion prevention/detection system (IPS/IDS) defenses. The Empire Pack combines the newer exploit code and URLs with traffic management features.
- Astrum, aka Stegano: First detected in 2014, Astrum was recently discovered using innovative steganographic techniques to hide attack code in the alpha channel of images. This approach is used to sneak malicious code into advertising networks (malvertising), which results in high-profile websites exposing visitors to malicious code.
- Sundown: More notable for stealing from other exploit kits than developing its own unique attacks, Sundown does have one innovation not seen with other kits: the acquisition of domains registered by innocent parties that are near expiration. Because the domains have generally been parked or used for banner-farming before being acquired by the exploit kit operators, the domains used by Sundown generally have a history of legitimate use and will not be reliably blocked by reputation-based systems.
- Neutrino: Neutrino briefly became the preferred for-hire exploit kit after the Angler shutdown. Then it went private, ceasing to perform exploitation-as-a-service. This resulted in a general transition to RIG. Neutrino is still active, but at a greatly reduced level.
- Magnitude: Magnitude is another private exploit kit, primarily distributing ransomware. It has recently been focusing on victims in a specific geographic area, primarily China and South Korea. This may be an attempt to avoid detection by cybersecurity teams operating in the US and EU.
Defensive tactics: A standard approach won’t work
Defending against exploit kits is challenging. In addition to the administrative issues inherent in managing software updates in a large enterprise, new vulnerabilities are discovered frequently, and new exploits are constantly being developed to take advantage of those vulnerabilities. There are two common approaches to defending against exploit kits that many companies employ today:
- Intrusion prevention/detection systems (IPS/IDS), which use signatures to scan network traffic for known attack code, are the most popular approach. However, the effectiveness of this approach depends on having a set of current signatures that will reliably identify and block attacks without interfering with legitimate network traffic. The constant development of new exploits reduces the effectiveness of signature-based defenses, which rely on recognizing the exploit code itself.
- Blacklisting malicious domains to block traffic to them is almost totally ineffective, as the domains used to serve attack payloads are deployed and discarded over a very short timeframe (often less than an hour), while block lists typically are updated every 24 hours. The exploit kit operators frequently hack websites to add hidden links to the exploit kits, or sneak malicious links into advertising networks, so even high-profile websites maintained by a team of professional full-time webmasters can be dangerous.
More effective together: A multi-layered strategy
As the sophistication of exploit kits has increased, it’s gotten to the point that no one defense is effective on its own. Adequate protection requires multiple layers: protected endpoints, and an IPS/IDS with current signatures to identify and block known attack code. Importantly, these should be backstopped by an IP Policy RPZ containing the IP addresses of known attack servers, to block any DNS lookup that resolves to a hostile IP address, regardless of the specific hostname being looked up. (An RPZ, or “response policy zone,” is a file that contains information about malicious IP addresses, and instructs the DNS server how to treat requests according to policies set by the administrator.) Targeting IP addresses rather than domains is more effective, as the addresses typically remain active for hours or days – versus minutes for the domains – before disappearing.
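To make the IP-trigger mechanism concrete, here is an added example in Python. It is not Infoblox code and not the RPZ implementation inside any resolver; it re-creates only the matching logic so you can see why an IP policy catches a brand-new hostname that a domain blacklist would miss (the point made in the previous section as well). The zone records, hostnames and addresses are all constructed: the addresses come from RFC 5737 documentation ranges and the hostnames use the reserved .example name. The `rpz-ip` owner-name encoding (`<prefix length>.<reversed IPv4 octets>.rpz-ip`) and the `CNAME .` / `CNAME *.` / `CNAME rpz-passthru.` actions are the standard RPZ conventions; the longest-prefix preference among several matching IP rules is the usual rule and is applied here as an assumption about the resolver.

```python
"""Model of an RPZ IP trigger: rewrite any answer that resolves to a listed
address, whatever hostname was asked for. Added example, not vendor code."""
import ipaddress

# Constructed RPZ zone fragment (RFC 5737 ranges). The owner name encodes the
# prefix: "24.0.113.0.203.rpz-ip" is 203.0.113.0/24. The CNAME target is the
# action: "." -> NXDOMAIN, "*." -> NODATA, "rpz-passthru." -> allow unchanged.
RPZ_ZONE = """
24.0.113.0.203.rpz-ip      CNAME .
32.7.100.51.198.rpz-ip     CNAME *.
32.99.113.0.203.rpz-ip     CNAME rpz-passthru.
"""

ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}


def parse_rpz_ip_trigger(owner):
    """Decode an IPv4 rpz-ip owner name into an ipaddress network."""
    labels = owner.rstrip(".").split(".")
    if len(labels) != 6 or labels[-1] != "rpz-ip":
        raise ValueError(f"not an IPv4 rpz-ip owner name: {owner}")
    prefixlen = int(labels[0])
    octets = labels[1:5][::-1]          # the octets are stored reversed
    return ipaddress.ip_network(f"{'.'.join(octets)}/{prefixlen}", strict=True)


def load_rpz(zone_text):
    """Parse the zone fragment into (network, action) rules, most specific first."""
    rules = []
    for line in zone_text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1].upper() != "CNAME":
            continue                     # ignore anything that is not an IP rule
        rules.append((parse_rpz_ip_trigger(parts[0]), ACTIONS[parts[2]]))
    # Assumed longest-match preference: a /32 exception beats a /24 block.
    rules.sort(key=lambda rule: rule[0].prefixlen, reverse=True)
    return rules


def apply_policy(answer_ips, rules):
    """Return (action, ips_to_return). One listed address in the answer is
    enough to trigger the policy; the queried hostname plays no part."""
    for ip in answer_ips:
        addr = ipaddress.ip_address(ip)
        for net, action in rules:
            if addr in net:
                if action == "PASSTHRU":
                    return ("PASSTHRU", answer_ips)
                return (action, [])       # NXDOMAIN / NODATA: answer suppressed
    return ("PASSTHRU", answer_ips)


# Constructed resolver answers. Two throwaway hostnames point at the same
# hostile /24; a domain blacklist would need a fresh entry for each of them.
SAMPLE_ANSWERS = {
    "news.example":  ["192.0.2.10"],                  # legitimate site, not listed
    "x7k2q.example": ["203.0.113.5"],                 # random label, listed server
    "b9w1z.example": ["203.0.113.77"],                # new label, same server
    "cdn.example":   ["192.0.2.20", "198.51.100.7"],  # one listed address in the set
    "allow.example": ["203.0.113.99"],                # explicit passthru exception
}


def evaluate_all(rules=None):
    """Map each sample query to the policy action the resolver would take."""
    rules = load_rpz(RPZ_ZONE) if rules is None else rules
    return {q: apply_policy(ips, rules)[0] for q, ips in SAMPLE_ANSWERS.items()}


if __name__ == "__main__":
    for qname, action in evaluate_all().items():
        print(f"{qname:15} -> {action}")
```

Run it and the two randomly named hosts are both answered with NXDOMAIN although neither name appears anywhere in the zone; only the server address does. The `cdn.example` case shows the trade-off a practitioner has to weigh: a single listed address in a multi-address answer suppresses the whole response, which is why an explicit `rpz-passthru.` exception for a known-good address is part of a real IP policy.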
Get help to block malicious IPs
Exploit kits, malware, phishing, DDoS attacks – enterprises are being constantly bombarded by something. That’s why Infoblox makes it easy to enable the Exploit Kit RPZ with Infoblox ActiveTrust, and provides a curated 24/7 real-time feed to the RPZ of known malicious IP addresses. This is intel that will help raise the red flag no matter how quickly bad actors rotate domains. If you already use Infoblox devices, here’s a quick video walkthrough on how to enable the Exploit Kit RPZ feed and other Infoblox Threat Intelligence feeds. In order to deploy this, you will need an Infoblox DDI appliance (physical or virtual) with at least a DNS and RPZ license.
Exploit kits are yet another tool in the “malware as a service” toolbox that is making it easier and easier for cybercriminals without much technical expertise to perpetrate sophisticated scams. To stay ahead of them, it’s smart to leverage your resources and work with experts that can provide the insights, technology and services you need.