Cybersecurity Insight

Neovera Threat Intelligence Short Report – March 15, 2016

15 Mar

Exploit Kits (EKs) are malicious code embedded in a website. They are commercially available and many are easy to use (even by those cybercriminals with little coding experience).  They contain pre-packaged code that seeks to exploit out-of-date browsers, insecure applications, or vulnerable services.

They are used in ‘Drive-by Download’ attacks that target the visitors of a website. When a visitor browses to a site hosting an EK, the Kit uses all of its exploits to attempt to compromise the visitor’s system and install malware, including ransomware. Cybercriminals constantly update their malware to evade detection. Neovera’s security partner, Palo Alto Networks’ threat research team, recently documented over 90,000 websites compromised by the continuously evolving Angler EK.

Unfortunately, the presence of these Kits is undetectable by most users. They can reside on a legitimate site that has been compromised, or on a malicious site masquerading as a legitimate website. EKs have been around for several years, yet continue to be a tool of choice for cybercriminals because end-users continue to run vulnerable software.

How Neovera Can Help

There are three absolutes in life: Death, Taxes, and End-Users’ Systems Being Owned. We can’t help with death and taxes, but we can help with detecting system compromise. You can’t rely on endpoint protection systems to prevent system compromise, because there will always be bad actors looking to exploit your users’ vulnerable systems.

You need the ability to detect indicators of compromise (IoCs) in your network quickly, to be able to minimize the damage that compromised systems can cause. To this end, Neovera continues to research and update the ability of the unified security management (USM) platform to detect new EKs, or new variations on existing Kits.

The team recently updated the USM platform’s ability to detect EK activity by adding IDS signatures to detect the malicious traffic on your network and correlation directives to link events from across your network that indicate systems compromised by this type of malware.

Updated Detection Technique – Exploit Kits

Exploit kits are used in what are called “Drive-by Downloads.” Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns they use within their code to evade detection.

We added IDS signatures and updated correlation rules to enhance exploit kit detection:

  • Exploitation & Installation, Malicious website – Exploit Kit, Angler EK
  • Delivery & Attack, Malicious website – Exploit Kit, Malicious redirection

Next Steps

Does your organization want to see if this is happening in your environment? Contact Neovera at (866) 636-8372 or to schedule a free consultation. We will demonstrate how our comprehensive Cyber Security Services can help determine if your systems are already compromised from EKs or other types of malware, and detect suspicious network activity associated with Drive-By Downloads and other types of threats.