Cherif Sleiman, VP EMEA at Infoblox, discusses the increasing prevalence and risks posed by exploit kits, the evolution of this threat and how companies can defend against them.
For several months now, there has been an exponential increase in the use of exploit kits to execute cyber-attacks. Even household names are not immune from this threat as the exploits available have ratcheted up in power and sophistication. Perhaps most famously, the Daily Mail’s hugely popular “Mail Online” site fell victim to a “malvertising” campaign that exposed millions of its readers to CryptoWall ransomware. This successful attack is believed to have its roots in an exploit kit.
The key to the growing popularity of exploit kits as the basis for cyber-attacks lies in the relative ease of use for cybercriminals by significantly reducing the level of technical knowledge required to deliver malware and other threats. This increases the pool of potential attackers, a fact made more significant when we consider that some exploit kits have been built quite deliberately with a user-friendly interface to make it even easier to manage and monitor malware and other attacks.
Exploit kits have previously acted as a vehicle for many different forms of malware, from malvertising or click-fraud attacks, through to ransomware or malware targeting users’ online banking portals. With the relatively newfound ease of delivering an attack via an exploit kit, it is perhaps unsurprising that they have quickly become the de facto method for some cybercriminals without the technical skills or inclination to script attacks of their own creation.
Unboxing an exploit kit
Typically, the infrastructure components of an exploit kit are threefold. First, the back end, which is made up of the control panel and payloads. Then there’s the middle layer, housing the exploit itself and a tool which is effectively a “drill” designed to tunnel into the victim’s back end server. Finally, the remaining ingredient is the proxy layer, which executes the exploit on the organisation’s server. Although most exploit kits share broadly similar methodologies, differences start to creep in when we look at the types of vulnerabilities they seek to exploit, as well as the tactics used to navigate around an organisation’s defences.
Mobile: a moving target
Where once exploit kits were predominantly used to target desktop machines, the growing number of mobile devices in the world combined with an ever-expanding list of use cases, from email to mobile banking, mean that cybercriminals are increasingly switching their attention to mobile as a platform. Combine the ubiquity of mobile devices with low levels of security knowledge of most users, and mobile starts to look like a much softer target. As such, it’s not unreasonable to expect attackers to shift towards using web pages to deliver malware via a mobile browser, which is essentially the same approach as that used to deliver malware to desktop-based end points.
Once delivered successfully, the malicious cargo can now operate behind the firewall. From here, the malware can also spread to other devices on the network and connect with a command-and-control (C&C) server. Making this connection enables it to exfiltrate data, download even more malicious software, or both. This communication often requires the use of the target’s Domain Name Server (DNS), which is a good reminder of the importance of securing DNS.
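The C&C-over-DNS point above suggests one concrete defensive check. The following is an added example, not code from the article or from Infoblox: it runs over a constructed DNS resolver log and flags queries to a constructed blocklist, long high-entropy (DGA-style) names, and clients that repeat such queries. The log format, blocklist, thresholds and function names are all assumptions.

```python
# Added example (not from the article): flag DNS queries that look like
# malware beaconing to a command-and-control (C&C) server. The log lines,
# blocklist and thresholds are constructed for illustration.
import math
from collections import Counter

# Constructed DNS resolver log: "<epoch> <client_ip> <queried_name>"
DNS_LOG = """\
1700000000 10.0.0.5 www.example.com
1700000001 10.0.0.5 updates.example.org
1700000002 10.0.0.7 a8f3k2lq9zxv7b1m.net
1700000003 10.0.0.7 cdn.example.net
1700000004 10.0.0.7 q1wz8xk2j7p5v9tr.net
1700000005 10.0.0.7 x2m9v4kq7lz1pw3b.net
1700000006 10.0.0.9 bad-c2.invalid
"""

# Constructed blocklist standing in for a threat-intelligence feed.
BLOCKLIST = {"bad-c2.invalid"}

def shannon_entropy(label):
    """Bits of entropy per character in a DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_suspicious_name(name, entropy_threshold=3.5, min_len=12):
    """Heuristic for algorithmically generated (DGA-style) names:
    a long, high-entropy leftmost label."""
    label = name.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= entropy_threshold

def analyse(log, beacon_threshold=3):
    """Return (client, name, reason) findings: blocklist hits, DGA-like
    names, and clients issuing many suspicious queries (possible beaconing)."""
    findings = []
    suspicious_per_client = Counter()
    for line in log.strip().splitlines():
        _ts, client, name = line.split()
        name = name.lower().rstrip(".")
        if name in BLOCKLIST:
            findings.append((client, name, "blocklist"))
        elif is_suspicious_name(name):
            findings.append((client, name, "dga-like"))
            suspicious_per_client[client] += 1
    for client, count in suspicious_per_client.items():
        if count >= beacon_threshold:
            findings.append((client, "*", f"beaconing:{count}"))
    return findings
```

In practice the blocklist would be a live feed and the thresholds tuned against the organisation's own baseline of legitimate query names.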