Exploit Kits: Making Instant Java Attacks (Part III)
The challenge for most businesses isn't the initial discovery of Java vulnerabilities, but the integration of zero-days into exploit kits. Cybercriminals can rent a hosted exploit kit with zero-days already in it, for as little as $200 a week. Fast integration of zero-day vulnerabilities provides attackers with an unlimited capacity to reconstruct exploits that bypass traditional signature methods like antivirus, firewalls and other controls. Exploit kits have taken a complex and costly process and reduced the effort, expertise and cost previously required to take advantage of vulnerabilities. The barrier to entry for cybercriminals is now incredibly low. Well-made kits do almost all the work for you, right down to hosting the binary, if you choose.
Blackhole, Cool, Gong da and Redkit are the exploits kits we see most frequently. Blackhole activity represents the biggest percentage of exploit activity we see, and for good reason. The owner of the Blackhole service is very adept at staying up-to-date with the most recent vulnerabilities, especially when it comes to Java zero-days. We have seen that this greatly increases the success of Java-related exploits. In fact, the Blackhole control panels our security researchers have cracked show a sizable disparity in Java exploit success versus other exploit types. Some studies suggest that Java exploits can represent nearly 80 percent of successful attacks perpetrated by Blackhole.
So how fast do exploit kits incorporate zero-days?
- Java vulnerability (CVE-2012-4681) was actually first discovered in the Gong da kit and incorporated into Blackhole within one week.
- The Blackhole kit owners quickly incorporated the Java vulnerability (CVE-2013-0422) within one week of discovery.
- The owner of the Blackhole and Cool kits also recently announced, "We are setting aside a $100K budget to purchase browser and browser plug-in vulnerabilities, which are going to be used exclusively by us, without being released to public..."
The more successful and highly managed exploit kits, like Cool and Blackhole, gradually retire older exploits and replace them with newer ones. However, our recent Websense Security Labs research illustrates that even less advanced exploit kits with a number of old exploits on hand can still prove successful. Based on our Java version research, at least theoretically, cybercriminals can use a three-year-old exploit and crack Java on nearly a third of endpoints.
In April, cybercriminals sought to take advantage of the horrific attacks at the Boston Marathon to infect computers using the RedKit Exploit Kit. Let's take a look at this campaign, intercepted by the Websense Security Labs, to understand how Java exploits are used in the Seven Stages of Advanced Threats.
Stage 1: Reconnaissance
Like many other campaigns, in this example, the cybercriminals are opportunists looking to monitor news and breaking events for a chance to launch a successful attack. The bombings at the Boston Marathon provided the opportunity for this specific campaign.
Stage 2: Lures
The bad actors then generated a spam email campaign with sensational headlines to exploit human interest in learning more about the situation, including:
- 2 Explosions at Boston Marathon
- Aftermath to explosion at Boston Marathon
- Boston Explosion Caught on Video
- BREAKING - Boston Marathon Explosion
- Runner captures. Marathon Explosion
- Video of Explosion at the Boston Marathon
Stage 3: Redirects
Once the link is clicked, the victim is brought to a page with video coverage of the breaking event. Unbeknownst to them, a hidden iframe redirects them to an exploit page, in this case:
- http://<IP Address>/news.html
- http://<IP Address>/boston.html
Stage 4: Exploit Kits
The RedKit Exploit Kit used in this attack scans for applicable vulnerabilities and in this occurrence, exploits an Oracle Java 7 Security Manager Bypass vulnerability (CVE-2013-0422) in order to deliver a file to the visitor's computer.
Stage 5: Dropper Files
This particular campaign used a non-standard dropper file, a downloader in the Win32/Waledac family to install two bots: Win32/Kelihos and Troj/Zbot.
Stage 6: Call Home
From here, the machine notifies the bot herder and validates communications.
Stage 7: Data Theft
In what can be the most dangerous stage for businesses, the machine is now set for long-term data interception on the device, passing through the device or accessible by the device. This also can change the endpoint into a new platform for new attacks like the sending of unsolicited email or the unwilling participation in distributed denial of service (DDoS) attacks.
Using analytics to break the chain
When you take the approach of looking at the entire attack chain for suspicious behavior, rather than waiting and hoping to catch something on the last step of the process, you have many more opportunities to spot and disrupt an attack - even if it's malware you've never seen before.
Rather than looking for a single object, at a single point in time, companies must learn to review the entire threat chain and examine multiple opportunities to disrupt attacks.
This approach is much more effective at spotting and stopping attacks rather than simply trying to spot an unknown object. Today's businesses need these layers of analytics, with each layer making it much more difficult for the bad guys to penetrate your networks and steal your data.
To address the risks from Java, while still enjoying the benefits, IT needs to develop a variety of polices to address the specific needs of certain groups within their organization... as well as re-evaluate their defenses to ensure that they are capable of identifying threats at multiple stages of the attack.
If you are interested in learning more about the Seven Stages of Advanced Threats, take a few minutes to watch an archived webinar about the seven stages for advanced threats and data theft, why current defenses fail, and which defense layers you should use to protect your network, resources and data.