The security experts at Cisco have observed an uptick in malvertising throughout the past month courtesy of the Angler Exploit Kit, which seems to have recently added some Microsoft Silverlight vulnerabilities to its bag of tricks.
This specific Angler campaign is carried out using two linked Silverlight vulnerabilities, CVE-2013-0074 and CVE-2103-3896, as well as bugs in Adobe Flash, according to a Monday post by Levi Gundert, technical lead for threat research with Cisco.
The malvertising threat is similar to other watering hole-type attacks. In this instance, a victim visits a legitimate website that serves a malicious advertisement, and is then redirected to a landing page that drops a trojan, according to the post.
“The trojan is labeled by anti-virus software as 'Pony,'” Gundert told SCMagazine.com in a Wednesday email correspondence. “This particular trojan sends infection notification to a domain with a corresponding A record IP address in Brazil on what appears to be a residential network.”
Gundert could not specifically say which legitimate sites were serving up malicious advertisements, but he did say these are high-traffic websites with ads likely being served, for example, every tenth or hundredth impression, as dictated by the advertising exchange.
When asked what users could do to mitigate this threat, Gundert immediately said to patch applications – particularly because Java and Flash get more attention, whereas Silverlight's presence flies under the radar and is not as widely acknowledged.
“The vulnerabilities are known and the exploit code is available so there's minimal [research and development] investment with guaranteed returns,” Gundert said. “As criminal owners update exploit packs and advertise the new release, it's helpful to include the newest exploits, which in this case certainly involves Silverlight.”