CVE ID | CVE-2015-0310 | CVE-2015-0311 | CVE-2015-0313 |
Flash Player version | Flash 15.0.0.242 | Flash 16.0.0.257 | Flash 16.0.0.296 |
Exploit Kit | Angler EK | Angler EK | HanJuan EK |
Date discovered | 01/16/15 | 01/21/15 | 02/02/15 |
In the wild since* | 01/16/15 | 01/21/15 | 12/10/14 |
Discovered by | Kafeine | Kafeine | TrendMicro |
Patched | 01/22/15 | 01/24/15 | 02/05/15 |
* This is an estimate based on the data available |
All three zero-days were found in non-targeted attacks distributed via exploit kits with malvertising being one of the primary infection vectors.Malicious ads placed on popular websites (DailyMotion, The Huffington Post, Answers.com, etc.) were responsible for exposing millions of visitors to these zero-days.
Consumers and businesses even running the latest versions of Internet Explorer or Firefox and the Flash Player were susceptible to becoming immediately infected (provided they had no other security solution that blocked the attack and malware).
One of the zero-days (CVE-2015-0313) was active in the wild for almost two months, an unprecedented length of time for such a wide malvertising campaign.
Figure 1: Timeline of a zero-day via a malvertising campaign
For the CVE-2015-0313 campaign, cyber-criminals paid an average of $0.75 per each 1000 (CPM) pre-qualified users exposed to the infected adverts. However, this dropped to as low as $0.06 per CPM during less trafficked times of day and on lesser-known websites.
This nefarious use of the online ad industry is facilitated by a mechanism known as real-time bidding (RTB). RTB allows advertisers to bid in real-time for specific targets (based on age, geolocation, device type, etc) and display creatives (the adverts) only for these users.
This is not only cost-efficient (you only pay for the auctions you win) but also very effective because rogue advertisers can leverage the power of ad networks to weed out non-genuine users or those that should not be targeted by exploits (i.e. non Windows operating systems).
Exploit kit authors leverage the most popular software vulnerabilities to build the most effective tool they can. For years they simply reused older flaws which could be dealt with by patching on a regular basis.
In the past year, this position has changed and new vulnerabilities are found and weaponized at a much faster rate. Combine this trend with the fact that rolling out patches requires time and testing for businesses and you see the issue: A window of opportunity to exploit systems emerges.
While keeping systems up to date remains one of the most important pieces of advice against exploits, zero-days make it completely irrelevant.
The threat landscape is evolving at a rapid pace and cyber criminals are getting better, not simply reusing old code and vulnerabilities but finding new ones of their own. This is a game changer because there is a lack of awareness on zero-day threats and most businesses or consumers aren’t properly equipped to deal with them.
Most of the current solutions at the gateway or end-point are reactive and based on signatures. As we have seen it time and time again, this approach is ineffective against brand new exploits and malware.
Anti-Exploit technology bridges the gap between vulnerabilities (known and unknown) and malware infections by mitigating exploits. Malwarebytes Anti-Exploit uses a combination of an enforcement layer and protection layers to block exploits.
The enforcement layer makes sure that DEP and ASLR are active on x64 systems and also adds anti-heap spraying (memory exploitation) technique. The protection layers monitor for Operating System bypassing techniques and malicious API calls as well as unintended application behaviors.
Layer 0 |
Enforcement Layer, set DEP on, Anti-Heap Spraying, Bottom-UP ASLR. |
Layer 1 |
Stop OS Protection bypassing techniques (ROP, Stack Pivoting…) |
Layer 2 |
Stop malicious Windows API calls. |
Layer 3 |
Stop malicious behavior of an application based on its family (Office, web browser, multimedia family, PDF…) |
Figure 2: Malwarebytes Anti-Exploit protection layers |
Malwarebytes Anti-Exploit stopped (CVE-2015-0313) two months before it was patched and also neutralized both CVE-2015-0310 and CVE-2015-0311, thanks to its proactive approach.
While one could have foreseen Flash zero-days for the year 2015 (based on the recent shift as the most desirable plugin to exploit), witnessing three zero-days happening in large scale attacks so close to one another was a unique situation.
To face this new reality, businesses and consumers must adapt as well by adopting new tools to safeguard their assets. This is especially important with the kind of malware that is dropped by exploit kits, and in particular ransomware.
Companies can literally be crippled by such malware, lose customers and in some cases put their business in jeopardy.
On top of drive-by download attacks exploiting flaws, businesses should be aware of the ever-present social engineering tactics where employees are tricked into downloading malware.
This is one of the reasons why a layered approach to security works best because some threats come from software flaws while others from humans.
Выберите язык