In the past few weeks we’ve noticed a problematic pattern developing: the increasing use of exploit kits in malvertising. In particular, zero-day exploits (usually seen first in targeted attacks) are now being deployed in malicious ads right away, instead of first being used in targeted attacks against enterprises or other large organizations.
This is a worrying trend, as it means that more users could be affected by these threats before a patch becomes available. Two of the recent Adobe Flash zero-days (CVE-2015-0311 and CVE-2015-0313) were delivered to end users via malvertisements, putting large numbers of users at risk.
We recently released a paper titled The Evolution of Exploit Kits which discusses the threat from exploit kits. This paper continues our previous discussion and outlines the existing threat from these today, which are a key tool in the arsenal of attackers today. We also partially delve into the history of exploit kits, including the notorious Blackhole exploit kit, which collapsed with the arrest of its author in late 2013.
Some patterns in the attacks from 2014 are expected to continue into 2015, such as:
- Increasing targeting of Flash vulnerabilities for exploitation. Previously, Java and Acrobat/Reader vulnerabilities were some of the most frequently targeted by exploit kits.
- We saw fewer exploit kit “brands” in use in 2014. This was in contrast to previous years, where the number of exploit kit “brands” was growing. However, the kits that are currently being actively developed are becoming more sophisticated, with increasing use of evasion techniques.
Figure 1. Number of exploit kits in use
What can users and enterprises do to protect themselves against these threats? The most important defense against an exploit kit is to keep installed versions of software as up-to-date. While zero-days are seeing more usage in exploit kits, older vulnerabilities that have already been patched are still widely used. By keeping their software updated, end users can mitigate much of the risk associated with these risks.
Security products can also help mitigate the risks. Products with smart sandboxes can be used to help find and detect malicious behavior, including zero-day exploits. In addition, products that use web and file reputation detection can also block the redirection chain and detect payloads.