Most network architects I’ve worked with seem quite familiar with botnets, but exploit kits (EKs) are somewhat of a mystery. I’ve recently come across a couple of good papers explaining the topic, one from CERT-UK titled ‘Demystifying the exploit kit’, available at the following URL:
Exploit kits are provided and used by cyber criminals on a truly industrial scale. They are automated toolkits that scan a potential victim’s web browser, analyse it for vulnerabilities and then exploit those vulnerabilities to deliver a malicious payload. The most abundant and well-known EK is Angler, but it’s estimated that there’s over 30 EKs in the wild. Along with professional-looking management and reporting GUIs, some even come with access to a service desk and service level agreements!
The choice of payload is up to the criminal and many crimeware kits can perform multiple functions. For example, the well-known Zeus malware can take part in DDoS attacks, create spam, use your CPU to perform crypto-currency mining, steal your banking credentials, provide criminals with access to your hard drive etc.
I’ve seen the EK process broken down in a number of different ways by different authors. I’m going to paraphrase some of the CERT-UK and Trend Micro articles, but using a slightly different description of the process.
Exploit Kit Infection Chain
Contact the victim
A victim can be redirected to an exploit kit in several ways. One is simply a URL in a phishing email, redirecting a potential victim to the attacker’s landing page.
More sophisticated attacks include compromising a legitimate website, maybe a known watering hole if it’s a targeted victim. Once a legitimate website has been compromised, the attacker redirects the victim to the landing page where the exploit kit is hosted. Websites that use unpatched or outdated content management systems are often targeted. Credentials can also be hacked, for example by using a brute force attack or default logins that haven’t been changed.
There’s also been some well known attacks using malvertising (‘malicious advertising’). In these attacks, malicious adverts are inserted into legitimate websites or advertising networks, redirecting victims to the attacker’s landing page when the user clicks on the advert. Companies including the New York Times, match.com and eBay have all been susceptible to malvertising attacks.
Redirect to landing page
This could just be a malicious link in the phishing email or malvertising.
For web server compromises, this is typically done by the attacker inserting an iframe (inline frame) into the HTML of the website. Often, antivirus software scans for these malicious iframes and the attackers try to ‘obfuscate’ their iframes to avoid detection. Some advanced methods include using steganography to put the code into a picture file, for example using the pixel colours in the image that are subsequently converted into the actual code.
The victim may be redirected directly to the EK landing page, or more likely via a proxy server at a compromised site.
Profile the victim
The EK may provide automatic updates with the latest vulnerabilities, or the the criminal may have to specifically buy exploits to be uploaded via the management portal. For a zero-day exploit, this could be quite expensive, but the chances of a successful attack are higher.
Web browsers that appear to be running in a virtual machine may be excluded from exploitation, as this could indicate the presence of a security appliance or antivirus lab, as opposed to an actual web user. The attacker wants to hide from the security companies the fact that there is malicious code on the site. Some exploit kits are also able to detect when security software is installed on the endpoint and abort the download, so as not to alert the user of malicious code.
The attacker may also target certain victims, for example a specific country.
Deliver the payload
The malicious payload is now delivered to the victim. It could be adware or something more malicious such as banking Trojans, ransomware, keylogger etc. It could be an off the shelf payload, or it could be something that the attacker has coded.
Payloads are often obfuscated, so as not to be detected by intrusion prevention systems / anti-virus etc. For example, the payload could be encrypted and only decrypted into memory, meaning that it can not be scanned as a file on the hard drive.
Criminals often upload their payloads to online virus portals to see whether their malware is detected by security products. If it is, they can modify it to avoid detection or alternatively exclude victims running specific security products from exploitation. Sites such as scan4you operate a subscription service for cyber-criminals.
How do I protect myself?
There’s no one mitigation that’s likely to prevent the impact of EKs due to the speed with which they can utilize new exploits and their evolving obfuscation techniques. A defence in depth approach is needed, which includes prevention, detection and recovery capabilities. Infections are inevitable in an enterprise and processes need to be in place to deal with this.
The obvious first defence is patching, especially user’s web browsers, plugins and operating system. This will help to reduce the likelihood of an attacker using an exploit before a patch can be created and the organisation rolling it out. Of course, this won’t guard against zero-day vulnerabilities. Similarly, keeping signatures in antivirus, intrusion prevention systems etc. up to date will help to detect and mitigate the latest attacks.
General firewall hygiene, for example locking down unused ports and denying HTTP requests to non-standard ports. URL filtering to help ensure users can only access trusted sites.
Behavioural analysis, such as sandboxing and SIEM tools, will help to prevent zero-day exploits and obfuscation techniques.
Use modern browsers and browsers that have inbuilt sandboxing functionality. Ensure users do not browse with admin privileges on their machines, as this may prevent malicious code from installing.
Often overlooked, user awareness will help to reduce the number of malicious links that get clicked on and also make it more likely that users will report issues so that action can be taken in a timely manner.