Exploit kit activity may be at a fraction of the level of 2016 when peak activity was reached, but the threat has not gone away. In fact, the mid-year cybersecurity roundup from Trend Micro shows exploit kit activity is now triple the level of mid-2018. Websites hosting exploit kits still pose a significant threat to businesses.
Exploit kits are toolkits that contain exploits for vulnerabilities in popular software applications, such as Internet Explorer and Adobe Flash Player. When a user lands on a web page that hosts an exploit kit, it will scan the user’s browser for vulnerabilities. If an exploitable flaw is identified, malware is automatically downloaded and executed on the user’s device. In many cases, the downloading of a Trojan, ransomware, or other form of malware is not identified by the user.
Traffic is sent to exploit kits through malvertising – malicious advert – on high traffic websites. User’s can be directed to malicious websites through phishing emails, and it is also common for hackers to hijack high traffic websites and use them to host their exploit kit. That means users could visit a malicious website just through general web browsing.
There are several exploit kits currently in use such as Magnitude, Underminer, Fallout, Green Flash/Sundown, Rig, GrandSoft, and Lord. These exploit kits are pushing cryptocurrency miners and botnet loaders, although ransomware and banking Trojans are the most common payloads.
Many of the exploits used by these toolkits are for old vulnerabilities, but since businesses are often slow to apply patches, they still pose a major threat. Exploit kits such as GrandSoft and Rig are regularly updated and now host exploits for much more recently disclosed vulnerabilities.
One of the most recently identified campaigns has seen the threat actors behind Nemty ransomware team up with the operators of RIG to push their ransomware on businesses still using old, vulnerable versions of Internet Explorer.
A new exploit kit named Lord is being used to infect users with Eris ransomware. In this case, traffic is being directed to the exploit kit through malvertising on the PopCash ad network. The EK primarily uses exploits for flaws in Adobe Flash Player such as CVE-2018-15982.
Protecting against exploit kits is straightforward on paper. Businesses need to ensure that vulnerabilities are identified and patched promptly. If there are no vulnerabilities to exploit, no malware can be downloaded. Unfortunately, in practice things are not quite so simple. Many businesses are slow to patch or fail to apply patches on all devices in use.
Anti-spam software can help to reduce risk by blocking phishing emails containing links to exploit kits, but most of the traffic comes from search engines and malvertising, which anti-spam software will do nothing to block. To improve your defenses against exploit kits, drive-by downloads, and phishing websites, one of the best cybersecurity solutions to deploy is a DNS filtering solution.
A DNS filter allows businesses to carefully control the websites that employees can access when connected to the business’s wired and wireless networks. Controls can be set to block different types of web content such as gambling, gaming, and adult websites but crucially, the DNS filter also blocks all known malicious websites. DNS filters use blacklists of known malicious websites such as those hosting exploit kits or phishing forms. If a web site or web page is included in the blacklist, it will automatically be blocked. Websites are also scanned in real time to identify malicious content.
Since all filtering takes place at the DNS level, access to malicious or undesirable content is blocked without any content being downloaded. Setting up the solution is also quick and easy, as it only requires a change to the DNS record to point it to the service provider. No hardware is required and there is no need to download any software.
If you want to improve your defenses against malware, ransomware, botnets, and phishing and are not yet controlling the web content that your employees can access, contact TitanHQ today and ask about WebTitan. Alternatively, sign up for a free trial of the solution by clicking the image below.