While the cyber security industry noticed a reduction in exploit kit attacks during 2016 as well as early into 2017, these are still veritable threats that organizations must be aware of. Exploit kits typically follow a four-stage attack scenario, resulting in dangerous infections such as ransomware, Trojans and other malware.
The decline in exploit kit usage among hackers took an interesting turn recently with the resurgence of an older kit used to attack Windows system vulnerabilities. With this renewed attention on exploit kit attacks, now is the time for enterprises to shore up their protections and ensure overall security.
Attention on Astrum
According to Trend Micro Fraud Researcher Joseph C. Chen, a powerful exploit kit known as Astrum, or Stegano, recently made its way back into the cyber attack limelight. What's more, due to the recent activity surrounding exploit kits – which we'll delve more into later – Astrum could be the infection strategy that fills the current vacuum in this attack landscape.
Researchers first spotted Astrum in late 2014, when it was used to target vulnerabilities in Adobe Flash, Microsoft Silverlight and, briefly, Java, cyber attack researcher and Trend Micro colleague Kafeine reported. Chen noted that during peak usage, Astrum was mainly leveraged by the AdGholas malvertising campaign, which spread an array of malicious infections, including banking Trojans.
Astrum is particularly dangerous due to its encrypted payload. The kit leverages a secret key for encryption, which not only harms the victim's system, but has recently been used to prevent researchers from replaying malicious attack traffic. This makes the infection harder to spot, and also puts a serious wrinkle in efforts to prevent attacks and create a better proactive solution.
A lull in exploit kits: A look at the current landscape
As noted, Astrum's reappearance marks yet another interesting shift in the overall exploit kit landscape. While exploit kit attacks were taking place heavily during 2015 and the first half of 2016, the latter half of last year saw a significant change. Not only had well-known kits like Angler suddenly fallen off the map, there were no exploit kit attacks at all during the later quarters of 2016.
"Exploit kits claimed responsibility for a total of 27 million detected attacks in 2015."
At their height, exploit kits claimed responsibility for a total of 27 million detected attacks in 2015, where only a third of this level – 8.8 million – were identified by researchers last year.
One of the main reasons behind this shift is the rising efforts of law enforcement to cease exploit kit and other malicious activity. According to Trend Micro Technical Communications Researcher Giannina Escueta, law enforcement has proven to be one of the most powerful forces in the disruption of exploit kits.
After Russian authorities captured the author of the BlackHole exploit kit in 2013, Angler was established to fill the void. Angler topped the list for malicious exploit kits in 2015, with researchers noting that more than half of all attacks that year – 57.25 percent – could be traced back to the Angler kit.
Escueta noted the landscape saw a similar shift last year with widespread arrests by Russian authorities. After this event, recorded instances of Angler attacks dropped significantly. By 2016, exploit kit-dependent zero-day attacks dropped considerably, even with preferred targets like Internet Explorer and Java.
"Currently, most kits rely on outdated exploits, which translates to lower success rates," Escueta wrote in early 2017. "Although there is a lack of potent zero-days and slower integration of new vulnerabilities, exploit kits still remain a threat."
After an initial surge in 2014, Astrum activity was pretty quiet in recent years, especially as advanced, alternative kits like Angler, Nuclear and Rig became favored in the cyber attack community. However, as Chen pointed out, this doesn't mean that Astrum – or exploit kits in general – "are throwing in the towel."
In fact, it appears the opposite is true. Astrum was again identified by security researcher Kafeine on March 23, 2017, and was used to target a Windows vulnerability that had been patched a mere nine days earlier. That attack enabled cyber criminals to determine the specific antivirus protections being used, enabling them to improve Astrum to avoid these safeguards.
Astrum resurfaced again toward the end of April 2017, and did so with a purpose. Changes were made to this new version of the exploit kit, preventing security researchers from replaying malicious traffic.
"We found that this anti-replay feature was designed to abuse the Diffie-Hellman key exchange – a widely used algorithm for encrypting and securing network protocols," Chen wrote. "Implementing the Diffie-Hellman key exchange prevents malware analysts and security researchers from getting a hold of the secret key Astrum uses to encrypt and decrypt their payloads. Consequently, obtaining the original payload by solely capturing its network traffic can be very difficult."
Laying the foundation: A need for enhanced protection
Although Astrum has only been observed a few times recently, this does not mean enterprises should be lax with their knowledge of and protection against exploit kit attacks. In fact, Chen predicted these initial Astrum attacks are likely the beginning of something bigger, and could represent test runs for future, more dangerous attacks.
In this way, enterprises must be especially vigilant when it comes to their cyber security. Exploit kits, and Astrum in particular, can result in an array of negative consequences for a business, including damage to the brand's reputation and high expenses related to extended downtime.
Thankfully, there are a few things companies can do to strengthen their security posture in this area. The first step is simply awareness – by being well-informed about the current exploit kit landscape, those in charge of the business's security are in a better position to identify and mitigate an attack.
It's also imperative that all identified system vulnerabilities are patched as soon as possible. As researchers observed with recent Astrum attacks, many hinge upon weaknesses that already have patches available. Regular updates can help keep exploit kits like Astrum at bay.
While it can be difficult to keep up with continuous updates, virtual patching is a helpful strategy to fill the gap. Virtual patching is a beneficial way to offset the time it takes to fully patch a system, keeping infrastructure and the enterprise safeguarded in the meantime.
To find out more about safeguarding your organization against exploit kit attacks, contact the experts at Trend Micro today.