Malvertising, weaponized documents continue to threaten networks

How to be prepared for a browser-based attack

tripbox malvertising 2
The Media Trust

When a catastrophic attack hits, companies either have to start over or pay the ransom, as we've seen far too often in the headlines.

"One of the first things anybody needs to do is create a backup of their system. They need a backup system for long term storage of the data that they love," said Invincea’s director of security analytics, Pat Belcher.  "You’d be surprised at how many veterans ignore this as well."

Belcher offered an overview of what Invincea has identified as the most advanced endpoint threat trends of browser-based attacks along with some suggestions for prevention, detection, and response.

  • Malvertising: While well known and not new, these types of attacks remain a widespread problem, Belcher said, "We tracked 220,000 instances in the last six months. There are lots of known signatures to detect most of the common exploit kits, and most of the malvertising will contain code and is delivered through flash vulnerabilities. They are easier to detect through the URL as well as any connections to different top-level domains, .biz, .win .tot.  "Domains that you wouldn’t expect any of your in points on your network to go to," said Belcher. Most of these domains are set up and torn down within 24 hours.
  • Watering-hole: A threat that works very much like malvertising, but it is more indiscriminate. Only a certain class of individuals would expect to see an exploit landing site under the control of a malicious actor.  "For instance, if I wanted to target bankers, I would go to a site where only bankers go to trade stock tips," said Belcher. There are only 30 to 40 people that use this website, so it's very targeted to what the threat actor is after.  "We usually see these types of attacks coming from Chinese dissidents," Belcher said..  
  • Browser exploits that use Just-in-Time malware assembly on victims' machines: "This is primarily our description of how all the other types of attacks are working today," said Belcher. No specific single binary is downloaded at once. They use Java and are able to drop one piece of a file, then use the Windows system itself to download other pieces of the file, Belcher explained. Windows utility will then stitch them all together.  
  • Weaponized documents:  According to Belcher, these have been the top internet threats for over six months now. An enterprise is six times more likely to be targeted by weaponized documents. These have become the primary way that bad guys are delivering malware. Bad actors pay for the hosting and run the ads, so anybody can set up a spam run. We’ve seen these attachments typically drop Trojan banking, and we've recently seen tactics begin to change more towards root kits.  
  • Root kits:  Some are so big that antivirus won’t even bother to look at them. These are easily accessible and affordable for criminals, and they can drop anything or nothing. If it drops nothing it can scour the local drive for documents, and most security professionals wouldn’t recognize that they are being attacked. 

A lot of times most of the browser-based attacks, said Belcher, are silent so that the person won’t know that they’ve been attacked. "Once they’ve breached the browser, they access things in the background and change login credentials often enough to go unnoticed," Belcher said.

Because these attacks are so hard to detect, defending against them is ever-more challenging. Some organizations rely on proxies to block known bad or unknown websites. "They use URL filtering to recognize malicious patterns, firewalls, DNS black holing (DNSBL)," said Belcher, but those are only partially reliable. 

A lot of the malware is invisible and silent, and it can take several days or several months to detect them. While many advanced organizations use tools like full packet capture, these are very expensive solutions.

"The best you could hope for is a malware intrusion that is broken and does nothing," said Belcher. In many cases, though, hope is not enough. When users mistakenly invite these threats into their computers at the end point, the malware compromises the user, and then the end point is used for a breach. Belcher said, "Once they are in, they can move all the way across networks using tactics and techniques that allow them to move laterally."

Unless security teams are aggressive about having the right control systems in place and having an advance malware detection on the end point to prevent every form of browser-based attacks, these threats will continue to put enterprise security at risk.

Copyright © 2016 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)