This week we learned of a concerted cybercriminal effort to subvert the Yahoo ad network, which could have affected the 6.9 billion monthly visitors to their site. The threat actors behind this attack utilized a few threats we’ve seen recently, such as malvertisements and exploit kits.
Malvertisements are malicious ads designed and placed by cybercriminals to affect users who visit the sites where the ads are hosted, effectively subverting the advertising supply chain. In this case, criminals used sites for Microsoft Azure, which are likely to attract a high number of users, increasing the volume of potential targets. This technique is common: threat actors take advantage of high-visibility topics and compromise the associated sites. The actors also affected the Yahoo ad network, one of the largest ad networks in the world, likely assuring them of a high infection rate. Malvertisements also work in ways that allow infection to occur regardless of whether users click on the malicious ad. This lets attackers infect unsuspecting users with no interaction other than loading the affected webpages.
Exploit kits are being used more frequently by threat actors because they are easy to source and inexpensive to obtain. In this particular attack, the Angler exploit kit was used to infect victims who browsed the compromised webpages. The authors of these exploit kits add new vulnerabilities very quickly after they are disclosed. As you can see below, many of the Adobe Flash vulnerabilities disclosed this year were added to the Angler exploit kit.
In particular, CVE-2015-0313 was found being exploited in a very similar attack earlier this year. Attackers delivered this exploit kit through malvertisements set up on a compromised website.
Another trend among threat actors is the arrangement of malicious chains to ensure maximum infection rates by employing several key tactics:
My advice to users who may be concerned about this attack, or any future attacks using these methods, is to implement a layered security approach that includes the following:
Today’s threats are multifaceted, and as such no single piece of technology, such as antimalware, is sufficient to fully protect you. Implementing a multi-layered approach helps minimize your risk of becoming the next victim, whether that means multiple technologies supported within an endpoint security solution or adding multiple security solutions across your network.
While this is not a new threat, it is a reminder that threat actors will use what works and will choose tactics specifically designed to improve their infection rates. Trend Micro will continue to improve our protection capabilities to ensure our customers have minimal risk of infection.
Please add your thoughts in the comments below or follow me on Twitter: @jonlclay.