Security Experts:

Exploit Kits Take Cyberattacks to the Masses. But They're Preventable.

Exploit Kits Can be Stopped When the Proper Steps are Taken

Exploit kits are a popular method for criminal groups to compromise victims’ systems, as they provide a stealthy way to infect hosts, they’re automated (making them easy to use), and they can be rented or sold to other malicious actors for thousands of dollars a day.

In fact, an entire ecosystem has come into being around exploit kits, creating a booming black market for renting the malicious tools, as well as for freelance groups who use exploit kits to provide an “Infection as a Service” model to less-technical customers. Their continued prevalence means security teams need a deeper understanding of the threat they pose, along with actionable steps to prevent exploit kits from being used against their organization.

Before we go further, a quick explanation of exploit kits is in order. These tools were developed to let malicious actors automatically exploit vulnerable computers browsing the internet, simplifying a series of steps to take control of users’ machines. In general, exploit kits automate a series of steps, eventually leading to the delivery of a malware payload.

Here are common steps used by these malicious tools:

• Users visit a “landing page,” which can be a trusted site that has been infected by the exploit kit operator, or a custom-built page used just for a specific campaign.

• The landing page gathers information about the victim’s Windows computer, which is used to identify a vulnerable application, such as Adobe Flash Player, Java Runtime Environment, Microsoft Silverlight or web browsers.

• The exploit kit will send an appropriate exploit for any vulnerable application it finds.

• Once the initial foothold has been established, the exploit kit will deliver a malware payload and infect the machine.

The end goal of using an exploit kit is generally profit. Criminals can leverage the tools to deliver such attacks as ransomware, which directly generate revenue, or rent them out for large ongoing payments. As certain kits become more widely used, they attract attention from researchers and law enforcement. We saw this in the news in June when Russian authorities arrested a cybercrime gang responsible for the Angler exploit kit. At the time of the arrests, Angler was the most popular exploit kit on the market. After the arrests, the kit was taken offline, but replacements were soon to follow. The most popular of them – Neutrino and RIG – are, as of this writing, widely available online.

So the bad news is that exploit kits are widely available to anyone who wants to be a malicious actor, even someone with no technical expertise, and the number of cyberattacks will continue to rise. The good news is exploit kits aren’t using anything truly new to infect hosts – just exploits and malware. The innovation they bring to the table is making relatively advanced attacks available in a simple, automated manner to anyone. Luckily, security teams already know how to defend against exploits and malware: not only through preparation and detection, but most importantly by preventing these threats before they can cause harm.

Proper preparation allows an organization to reduce the ways exploit kits have to infect an organization, with three key attack surface reduction steps below:

• Keeping applications fully up to date. Since exploit kits leverage vulnerabilities in applications, make sure all software on PCs (particularly web browsers) are up-to-date with the latest security patches.

• Backing up vulnerable data. A common payload for exploit kits is ransomware. If your data is held hostage in a ransomware attack or otherwise at risk from malware, a proper backup protocol can keep a risky situation from turning into a catastrophe.

• Limiting access to risky applications. Many exploit kits leverage Adobe Flash or Java Runtime Environment for initial exploitation, and organizations should consider limiting access to these potentially risky applications for attack surface reduction.

Preventing an attack from even infecting an organization is the ultimate goal for any security team; it’s much less time-intensive and disruptive to stop an exploit kit before it delivers its payload than it is to clean up a network after infection. Prevention is possible, as long as security teams do the following:

• Prevent malware and exploits on the network, endpoint and cloud automatically. We have seen exploit kits primarily leveraging older attacks, making them a prime target for prevention. Security teams must also consider adding the ability to quickly enforce protections for newly discovered threats as they occur, stopping the spread of novel exploit kit activity.

• Control web browsing. As exploit kits rely on infected websites, restricting access to risky site categories, such as those that have been known to host malware, phishing or even unknown sites. As exploit kits often rely on compromising trusted sites, or leverage malvertising, automating the blocking of new sites becomes critical.

• Implement policy restrictions. Local security policies on Windows hosts can be updated to create software restrictions that keep files from running in certain locations, such as the Outlook temporary directory. Setting these policies correctly can ensure that a malicious executable file delivered via an exploit kit cannot be opened and run.

• Use advanced endpoint protection. Antivirus solutions have been available for years, and there are many products on the market targeting consumer and enterprise users. However, as legacy antivirus solutions rely on vendors to create signatures to identify new malware, networks will be at risk until a signature is created and downloaded to the host. Newer endpoint protection offerings don’t target individual malware, but the techniques used to deliver the malware (like an exploit kit) instead, removing the need to constantly update malware signatures.

While exploit kits are certainly contributing to the steady rise in the number of cyberattacks, in the end, the methods they use to infect endpoints and networks can be stopped provided the proper steps are taken.

view counter
Scott Simkin is a Senior Manager in the Cybersecurity group at Palo Alto Networks. He has broad experience across threat research, cloud-based security solutions, and advanced anti-malware products. He is a seasoned speaker on an extensive range of topics, including Advanced Persistent Threats (APTs), presenting at the RSA conference, among others. Prior to joining Palo Alto Networks, Scott spent 5 years at Cisco where he led the creation of the 2013 Annual Security Report amongst other activities in network security and enterprise mobility. Scott is a graduate of the Leavey School of Business at Santa Clara University.