Finding secure advantage in the explosion of exploit kit activity


According to the latest Infoblox DNS Threat Index, which measures the creation of malicious Domain Name System (DNS) infrastructure, just four kits accounted for 96 percent of the total activity in the 'exploit kit' category during the third quarter of 2015.

The exploit kits in the hit parade were Angler, Magnitude, Neutrino and Nuclear.

This represents, quarter on quarter, a 75 percent increase in the creation of malicious domains by cyber-criminals unleashing exploit kits.

Everyone knows, on both sides of the IT security fence, that exploit kits are big news. Attackers love them because they automate the process of committing cyber-crime to a large degree.

Criminal coders love them as they represent a relatively low risk profit maker (why hack when you can, instead, sell the tools to let someone else do it?).

We hate them because they are an enabler for otherwise unskilled criminals who can now rent or buy their way into the malicious attacker fraternity.

Craig Sanderson, senior director at Infoblox, points out that the bad guys need to register domains in order to build the drive-by locations that are popularly used by exploit kits to distribute their malicious payloads, as well as to host the command-and-control servers.

"A recent Angler attack on Mail Online implanted malicious ads on the site for five days," Sanderson says, "potentially exposing millions of online visitors to infection." What's more, exploit kits are constantly evolving in order to take advantage of newly discovered vulnerabilities.

One security expert who spoke to SC explained how this explosion in exploit kit activity can be used to help harden your security posture.

Before we get to his revelations, though, we asked some other experts just how big a role exploit kits actually play in the overall scheme of cyber-crime.

Andrew Rogoyski, VP cyber security services at CGI UK and chair of the Cyber Security Group of TechUK, is in no doubt that exploit kits "represent a significant threat to any organisation's security because they automate, scale and de-skill much of the attack process."

He told SC that reducing an organisation's vulnerability to exploit kits includes standard recommended practices such as awareness and training through to patching and vulnerability management. "More advanced solutions include sandboxing and behavioural analysis, URL blacklisting and whitelisting, web reputation services, amongst other measures," Rogoyski continued. "Additionally, information sharing initiatives, such as the Government hosted CISP, remain a helpful part of the response."

Meanwhile, Jérôme Segura, a senior security researcher at Malwarebytes, sees exploit kits when used with malvertising campaigns and compromised sites as the number one vector for malware infections. "Throughout 2015 not only have we seen vulnerabilities weaponised in less than a day after being made public," Segura told us, "but we've also witnessed zero-day exploits where even the most up-to-date systems could still get compromised."

Unlike social engineering and other methods that depend on tricking the user, exploit kits operate on the assumption that no interaction is required to get infected. Simply browsing to a site, including a legitimate one that has been compromised or is serving a malicious ad, can lead to a drive-by download attack without your knowledge or any action on your part. "For this reason," Segura continues, "exploit kits are very sought after and development of new exploits is in high demand on the black market."

As for what can be done to mitigate against exploit kits, Segura accepts that the answer isn't an easy one. "Most exploit kits operate behind the shadows or from hosts that are out of certain jurisdictions," he explains. "Their infrastructure contains multiple layers to ensure that the master servers are not easily identifiable and remain operative despite attempts at blocking or taking them down."

Indeed, one popular technique to distribute exploits is to rely on reverse proxies that sit in front of the real exploit servers and are reached through subdomains of legitimate websites whose DNS entries have been altered. This allows threat actors to create dozens of different subdomains and rotate through them frequently, both to evade blacklisting and to keep the master servers protected behind this added layer.

"Our efforts to track down criminal infrastructure must take these tactics into account," Segura concludes. "But we also need better cooperation with hosts and registrars to help with the takedown of known malicious actors."

A big part of the work to defend against exploit kits in particular is intelligence gathering from various sources, in order to be on the lookout for new trends and techniques cyber-criminals have in mind.

"Unfortunately, there will always be enough software vulnerabilities to fuel this economy and playing the patching game is simply not realistic," says Segura. "There was a time when zero-days were used sparingly on targets of interest. 2015 has taught us that zero-days are also used against consumers and businesses in massive malvertising campaigns from well-known and usually trusted publishers."

Fraser Howard, a principal security researcher at Sophos, agrees that exploit kits represent arguably the biggest problem we have on the web today as far as malware goes. "A handful of exploit kits battle for supremacy," he told SC. "But Angler has been the dominant force in 2015, accounting for over 60 percent of the instances of exploit kits seen in SophosLabs." In the Sophos stats, Nuclear was the next most prevalent exploit kit at just over 20 percent, with other kits such as Magnitude, Fiesta and Neutrino all at around the four or five percent mark.

"If we look at exploit kits from more of an infrastructure perspective," Howard said, "we can measure the distribution based on the unique number of hostnames being used by the kits. This shows a smaller gap between prevalence of the top kits but Angler is still way out front at over 40 percent of all instances and Nuclear just over 20 percent."

Taking a look at the absolute numbers, the last three months of 2014 versus the same for 2015, Sophos saw a significant increase in volume, approximately double in fact.

Sophos also saw that exploit kits are being used to infect users with a diverse range of malware payloads, including CryptoWall (ransomware), Tinba (banking), Bunitu (banking) and TeslaCrypt (ransomware).

"This reflects the fact that these kits are simply tools of the trade," Howard explains, "used by criminals to attempt to infect users with their chosen malware."

According to Sophos, one big feature of recent activity has been domain shadowing, where the DNS records of a legitimate domain are hijacked in order to create subdomains under it that serve as the hostnames for malicious activity, so that the malicious hosts hide among those of a trusted domain. "Angler was one of the first exploit kits to use this technique," Howard said, "but since then, others are also adopting this technique."

Domain shadowing requires criminals to be able to modify DNS records for legitimate sites, which is most likely done with stolen credentials for the domain's registrar or DNS hosting account. In the same way that site owners have little understanding of how compromised content on their web site can be used by criminals, the evidence suggests they have little comprehension of the importance of their DNS records.
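The subdomain rotation described in the reverse-proxy passage above and the domain shadowing Sophos describes leave a recognisable footprint in passive DNS data: a burst of newly seen, random-looking subdomains under an otherwise quiet legitimate domain, all resolving to addresses unrelated to where the domain itself is hosted. The following is an added example, not code from the article or from any of the vendors quoted. The passive DNS records, domain names and IP addresses in it are constructed for illustration, and the heuristics (a /24 comparison against the apex domain's address, a 7-day window, a minimum of three new subdomains and a simple entropy test for random labels) are this example's own assumptions, not thresholds from any product.

```python
"""Heuristic detection of domain shadowing in passive DNS data.

Added example, not from the article or any vendor. All records, names and
addresses below are constructed (RFC 5737 documentation ranges). The
thresholds are assumptions chosen for illustration.

Signals used:
  1. subdomain A records resolving outside the /24 of the apex domain's A record,
  2. several such subdomains first seen within a short window of each other,
  3. random-looking labels (letters and digits mixed, high character entropy).
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress
import math

# Constructed passive-DNS style records: (name, A record, first_seen).
# example.com is the "shadowed" domain: the apex and www/mail are untouched,
# but four junk subdomains appear within two days on an unrelated network.
SAMPLE_RECORDS = [
    ("example.com",        "203.0.113.10",  "2015-01-05"),
    ("www.example.com",    "203.0.113.10",  "2015-01-05"),
    ("mail.example.com",   "203.0.113.20",  "2015-02-01"),
    ("kx7pq2.example.com", "198.51.100.7",  "2015-10-02"),
    ("a9z1lm.example.com", "198.51.100.7",  "2015-10-02"),
    ("q0v8tt.example.com", "198.51.100.9",  "2015-10-03"),
    ("zz41pc.example.com", "198.51.100.9",  "2015-10-03"),
    # example.org: ordinary subdomains on the same /24 as the apex.
    ("example.org",        "192.0.2.40",    "2015-03-10"),
    ("shop.example.org",   "192.0.2.40",    "2015-03-10"),
    ("cdn.example.org",    "192.0.2.41",    "2015-03-12"),
    # example.net: one old blog hosted elsewhere; a single off-net host is
    # normal and must not trip the detector.
    ("example.net",        "192.0.2.80",    "2014-06-01"),
    ("blog.example.net",   "203.0.113.200", "2014-06-15"),
]


def apex_of(name):
    # Assumption for the example: apex is the last two labels. Real tooling
    # should use the public suffix list (e.g. "co.uk" would break this).
    return ".".join(name.split(".")[-2:])


def label_entropy(label):
    """Shannon entropy (bits per character) of a hostname label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def looks_random(label):
    """Machine-generated labels tend to mix letters and digits and have no
    repeated structure; 'mail' or 'shop' fail the mixed-character test."""
    has_digit = any(ch.isdigit() for ch in label)
    has_alpha = any(ch.isalpha() for ch in label)
    return has_digit and has_alpha and label_entropy(label) >= 2.0


def find_shadowed_domains(records, window_days=7, min_new=3):
    """Return {apex: finding} for apex domains showing a burst of off-net
    subdomains first seen within window_days of each other."""
    apex_ip = {}
    subs_by_apex = defaultdict(list)
    for name, ip, first_seen in records:
        apex = apex_of(name)
        addr = ipaddress.ip_address(ip)
        seen = datetime.strptime(first_seen, "%Y-%m-%d")
        if name == apex:
            apex_ip[apex] = addr
        else:
            subs_by_apex[apex].append((name, addr, seen))

    findings = {}
    for apex, subs in subs_by_apex.items():
        base = apex_ip.get(apex)
        if base is None:
            continue  # no baseline to compare against
        base_net = ipaddress.ip_network(f"{base}/24", strict=False)
        # Signal 1: subdomains hosted away from the apex's own network.
        suspects = sorted((r for r in subs if r[1] not in base_net), key=lambda r: r[2])
        # Signal 2: sliding window over first-seen dates.
        for i, (_, _, start) in enumerate(suspects):
            cluster = [r for r in suspects[i:] if r[2] - start <= timedelta(days=window_days)]
            if len(cluster) >= min_new:
                findings[apex] = {
                    "subdomains": sorted(r[0] for r in cluster),
                    "ips": sorted({str(r[1]) for r in cluster}),
                    # Signal 3: how many of the labels look machine-generated.
                    "random_labels": sum(looks_random(r[0].split(".")[0]) for r in cluster),
                }
                break
    return findings


if __name__ == "__main__":
    for apex, finding in find_shadowed_domains(SAMPLE_RECORDS).items():
        print(apex, finding)
```

The detector deliberately ignores subdomains on the apex's own /24 and a lone off-net host, since legitimate sites routinely put mail, blogs or CDNs on other providers; it is the combination of volume, timing and label shape that points at shadowing. In practice the first-seen dates would come from a passive DNS feed or the registrar's own change history, and the right response is to audit the registrar account, rotate its credentials and enable whatever change notification or two-factor protection the registrar offers.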

Fraser Kyne, principal systems engineer with Bromium, isn't surprised at the explosion of exploit kit usage, telling SC that they have "effectively democratised hacking." With these tool kits, the technically advanced, expensive and time-consuming work of hacking has already been done for the buyer, so anyone can use them.

"There is a demand for these tools, so there's a ready supply," Kyne continues. "If you stop one, others will simply spring up to replace it. Exploit kits play an active role in many attacks, but highly targeted attacks may be specifically crafted instead – using known or unknown exploit methods."

Some security tools claim to be able to stop exploit kits by looking for telltale signs. However, Kyne says that with simple tweaking these kits can be morphed to easily bypass detection. "There is even competition between exploit kits to prove whose is better in terms of both functionality and detection evasion," Kyne said. "Realistically the only way to prevent these threats is to isolate them. Microvirtualisation provides a practical means of achieving this."

We will leave the last word to Brian Vecci, Technology Evangelist at Varonis, who said, "It's important to note that an exploit kit is just a package of pre-existing exploits designed to take advantage of known vulnerabilities. Their utility is in being able to hit a variety of possible weak spots in a single delivery package, increasing the odds that one or more of those weaknesses may be exploitable on a given system."

For administrators and information security professionals, this is a double-edged sword. Because exploit kits can try a large number of potential vulnerabilities at one time, administrators need to be vigilant in keeping systems properly patched and users trained: one bad click can unleash a swarm of attacks, and even if nine out of 10 are blocked, that last one will get you.

"On the other hand," Vecci said, "the popularity of exploit kits gives administrators some advantage in focusing their remediation and hardening efforts."

After all, as Infoblox noted, just four kits made up 96 percent of total activity. "Analysing the payloads of those four particular kits will give administrators a clear path to preventing them having any success on their networks," Vecci said. "Exploit kits like these can help administrators pinpoint and then remediate vulnerabilities in their networks and systems."
