Until recently, Blackhole was the most prominent exploit kit on the market, providing an all-in-one solution for carrying out Web attacks. Cybercriminals could rent it for only $50 per day or $1,500 annually and use it to take advantage of unpatched vulnerabilities on websites. With updates pushed out as often as twice per day, Blackhole was a moving target that often sidestepped security measures and succeeded in compromising numerous domains, turning them into traps for visitors.
Blackhole’s scope was impressive. By 2011, only a year after its entry on the scene, it was responsible for more than 90 percent of new infections documented by AVG, and it still accounted for more than half of similar incidents in 2012. More specifically, Trend Micro’s research indicated that most of these infections were the result of massive spam campaigns that spoofed communications from major outfits such as AT&T and Citibank.
But Blackhole is waning, following the arrest of its creator in Russia late last year. While the kit’s demise is certainly welcome news, it isn’t clear what, if anything, will fill the void that it leaves behind. Blackhole was the easiest way to automate cybercrime campaigns, and it may take years for a comparable tool to emerge.
In the meantime, the security community may need to adjust to a rise in old-school attacks that use more rudimentary, but often effective, tactics, or which rely on a new generation of exploit kits. For example, the recent malware campaign that was spread through Yahoo’s ad servers and designed to turn PCs into Bitcoin miners made use of the increasingly popular Magnitude exploit kit.
Similar kits have shown up, and attackers can still resort to simple social engineering campaigns, which are surprisingly effective. In 2011, the U.S. Department of Homeland Security conducted an exercise in which it planted infected USB drives in contractors' cars, finding that 60 percent of the contractors plugged the devices into their work computers.
With the threat landscape fragmenting in the wake of Blackhole, security professionals will need to stay on top of a wider range of threats. Although none of the new kits or tactics may be as effective as Blackhole on their own, taken together they still pose danger to Web safety, and it will be critical to keep tabs on threats such as CryptoLocker that have tried to fill the void.
The aftermath of the Blackhole exploit kit’s demise
Blackhole was effective because it automated a wide range of attacks, allowing cybercriminals to go after banking websites and take advantage of zero-day flaws right away. It made spam much more effective than it would have been otherwise, allowing for innocuous-looking URL insertions that have higher click-through rates than ZIP attachments.
Following the arrest of its creator in 2013, however, botnets such as Cutwail that relied heavily on Blackhole quickly saw a drop-off in URL and attachment spam distribution. Without its daily updates, Blackhole receded from view, and cybercriminals have been looking for a replacement with the same infrastructure and efficacy ever since, mostly in vain.
But even though they haven’t found a tool that perfectly replicates Blackhole’s scope and agility, this doesn’t mean that attacks have become less damaging. On the contrary, cybercriminals have been exploring malware that generates more return on investment per victim, or taps into alternative revenue streams such as Bitcoin mining.
“Another possibility is that these criminal gangs are waiting for these kits to get enough momentum so that they can count on it,” stated Websense security research director Alex Watson, according to Threatpost. “And in the meantime, they’ve been investing in other elements of attacks whether it be different types of malware like ransomware variants such as Cryptolocker where you wouldn’t have to have as many versions installed to get quite a bit of revenue coming in for these gangs.”
Ransomware is a classic malware category, but CryptoLocker has made it into a real money maker by leveraging encryption and a countdown timer to force users to pay, lest they lose their files forever. Exploit kits such as Magnitude were used in the Yahoo ad malware attack, delivering the ZeuS Trojan as well as software that enslaved the compromised PC's CPU and GPU into a Bitcoin mining network.
The distinctive traits of CryptoLocker and the Yahoo exploit point the way to attacks that may combine age-old tactics such as malicious advertisements and encryption with at-scale distribution mechanisms. Some researchers have already predicted the re-emergence of as-a-service malware delivery via malware kits and URLs, underscoring how Blackhole was just a means to an end, albeit a uniquely effective one.
What’s next for exploit kits and spam?
Without Blackhole in their back pockets, cybercriminals will have to do more grunt work to infect PCs. While Magnitude is emerging as a possible successor, its business model isn't there yet, with neither the pricing structure nor the adoption rate to make it the next Blackhole. The next wave of spam and cyberattacks may be less homogeneous, but it is still worth taking seriously.
Rather than conducting a single spam campaign supported by Blackhole, attackers may instead try to implant multiple infections on the same machine. This is why CryptoLocker and the Yahoo exploit are important, as they represent innovations in creating spreadable, financially lucrative malware that could recoup some of the losses incurred by the demise of Blackhole.
While cybercriminals try to get their bearings in a post-Blackhole world, organizations should seize the opportunity to learn from previous attacks and harden their defenses. Employees should be educated about screening email and staying away from spoofed domains. Moreover, since the modus operandi of Blackhole was to exploit unpatched vulnerabilities and outdated implementations, organizations have yet another reason to update Java and other frameworks.
At the same time, it's worth devoting more attention to securing Linux servers, which account for most of the compromised Web infrastructure used by exploit kits. Firewalls, antivirus software, diligent patching and security services will all be key to securing the Web from exploit kits.