<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>malware Archives - The Integrator</title>
	<atom:link href="https://integratormedia.com/tag/malware/feed/" rel="self" type="application/rss+xml" />
	<link>https://integratormedia.com/tag/malware/</link>
	<description>EMEA&#8217;s Most Sought-After Publication by SMEs and Global Corporates</description>
	<lastBuildDate>Fri, 11 Feb 2022 09:11:51 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.8.2</generator>
	<item>
		<title>The Definition and Examples of Exploit Kits</title>
		<link>https://integratormedia.com/2022/02/11/the-definition-and-examples-of-exploit-kits/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-definition-and-examples-of-exploit-kits</link>
					<comments>https://integratormedia.com/2022/02/11/the-definition-and-examples-of-exploit-kits/?noamp=mobile#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Fri, 11 Feb 2022 09:11:51 +0000</pubDate>
				<category><![CDATA[Features]]></category>
		<category><![CDATA[Tech Features]]></category>
		<category><![CDATA[Angler]]></category>
		<category><![CDATA[Blackhole]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Denial-of-Service]]></category>
		<category><![CDATA[DoS]]></category>
		<category><![CDATA[Exploit Kit]]></category>
		<category><![CDATA[Fiesta]]></category>
		<category><![CDATA[Flashpack]]></category>
		<category><![CDATA[GrandSoft]]></category>
		<category><![CDATA[HanJuan]]></category>
		<category><![CDATA[Hunter]]></category>
		<category><![CDATA[Magnitude]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Neutrino]]></category>
		<category><![CDATA[Nuclear]]></category>
		<category><![CDATA[RIG]]></category>
		<category><![CDATA[Sundown]]></category>
		<category><![CDATA[Sweet Orange]]></category>
		<category><![CDATA[Web Security]]></category>
		<category><![CDATA[Zero Trust Access]]></category>
		<guid isPermaLink="false">https://varonline.com/?p=12021</guid>

					<description><![CDATA[<p>Written by: Aamir Lakhani, Fortinet. In cybersecurity terminology, an exploit is a bit of code or a program that takes advantage of vulnerabilities or flaws in software or hardware. An exploit is not malware, but rather a way to deliver malware like ransomware or viruses. The goal of exploits is to install malware or to [&#8230;]</p>
<p>The post <a href="https://integratormedia.com/2022/02/11/the-definition-and-examples-of-exploit-kits/">The Definition and Examples of Exploit Kits</a> appeared first on <a href="https://integratormedia.com">The Integrator</a>.</p>
]]></description>
										<content:encoded><![CDATA[<blockquote><p>Written by: Aamir Lakhani, Fortinet.</p></blockquote>
<p>In cybersecurity terminology, an exploit is a bit of code or a program that takes advantage of vulnerabilities or flaws in software or hardware. An exploit is not malware, but rather a way to deliver malware like ransomware or viruses. The goal of exploits is to install malware or to infiltrate and initiate denial-of-service (DoS) attacks, for example.</p>
<div id="attachment_12022" style="width: 181px" class="wp-caption alignleft"><a href="https://varonline.com/wp-content/uploads/2022/02/Aamir-Lakhani-e1644570215649.jpg"><img decoding="async" aria-describedby="caption-attachment-12022" class="wp-image-12022" src="https://varonline.com/wp-content/uploads/2022/02/Aamir-Lakhani-e1644570215649-279x300.jpg" alt="" width="171" height="184" /></a><p id="caption-attachment-12022" class="wp-caption-text"><em>Aamir Lakhani, Global Security strategist and researcher at Fortinet.</em></p></div>
<p>The recent exponential growth of computer peripherals, software advances, and edge and cloud computing has led to a corresponding increase in vulnerabilities. Of course, cybercriminals love having more systems to attack with exploit kits.</p>
<p><strong>What is an Exploit Kit?</strong></p>
<p>Exploit kits (EKs) are automated programs used by cybercriminals to exploit systems or applications. What makes an exploit kit very dangerous is its ability to identify victims while they browse the web. After they target a potential victim’s vulnerabilities, attackers can download and execute their malware of choice.</p>
<p><strong>Examining How Exploit Kits Work</strong></p>
<p>Exploit kits work silently and automatically as they seek to identify vulnerabilities on a user’s machine while they browse the web. Currently, exploit kits are the preferred method for the distribution of remote access tools (RATs) or mass malware by cybercriminals, especially those seeking to profit financially from an exploit.</p>
<p>EKs do not require victims to download a file or attachment. The victim need only browse to a compromised website, and that site then pulls in hidden code that attacks vulnerabilities in the user’s browser.</p>
<p>The events that must occur for an exploit kit attack to be successful include:</p>
<ul>
<li>Targeting a compromised website, which will discreetly divert web traffic to another landing page</li>
<li>Running malware on a host, using a vulnerable application as the gateway</li>
<li>Sending a payload to infect the host, when the exploit is successful</li>
</ul>
<p><strong>Examples of Exploit Kits</strong></p>
<p>Below is a list of exploit kits that have been used by cybercriminals in the past:</p>
<p><strong>Angler:</strong> In the mid-2010s, Angler was one of the most powerful and frequently used EKs that enabled zero-day attacks on Flash, Java, and Silverlight. According to The Register, “At its…peak, the authors [of the Angler] were responsible for a whopping 40% of all exploit kit infections having compromised nearly 100,000 websites and tens of millions of users, generating some US$34 million annually.”</p>
<p><strong>Blackhole:</strong> The origins of the Blackhole exploit kit go back to 2010. It was apparently the preferred tool of cybercriminals for running drive-by downloads for over three years until the 2013 arrest of its author. After finding a website that could be exploited, cybercriminals would plant the Blackhole exploit kit and expose visitors to Blackhole-powered attacks. Then the exploit kit downloaded malware (often ransomware) on the PCs of visitors by taking advantage of any browser, Java, or Adobe Flash plug-in vulnerability it found.</p>
<p><strong>Fiesta:</strong> In 2014, the Fiesta exploit kit gained popularity after the decline of the Blackhole exploit kit due to its source code being leaked and its founder being arrested. Like earlier EKs, Fiesta worked by compromising a vulnerable website. After the website was compromised, visitors were redirected to the Fiesta landing page controlled by cybercriminals. Then different exploits based on the computer’s characteristics were downloaded.</p>
<p><strong>Flashpack:</strong> The Flashpack exploit kit was also popular with cybercriminals in 2014 when there were campaigns that abused advertising networks. Flashpack EK was used to distribute various pieces of malware, including the information-stealing malware Zeus, the Dofoil Trojan, and the Cryptowall ransomware.</p>
<p>Researchers found that the Flashpack EK used free ads to distribute the threats. An example: when users accessed a website that served malicious ads (a.k.a. malvertising), they were brought by way of multiple redirects to a Flashpack exploit kit page that served up ransomware.</p>
<p><strong>GrandSoft:</strong> The GrandSoft exploit kit was another malvertising-based threat that redirected unsuspecting users and installed password-stealing trojans, ransomware, and clipboard hijackers on their machines. In 2019, the GrandSoft EK was pushing the Ramnit banking trojan that attempted to steal victims’ saved login credentials, online banking credentials, FTP accounts, browser history, site injections, and more.</p>
<p><strong>HanJuan:</strong> In 2015, the HanJuan exploit kit was popular and helped cybercriminals facilitate malvertising attacks. It used false ads and shortened URLs to trick users into landing on a webpage containing a HanJuan EK that targeted vulnerabilities in the Adobe Flash Player (CVE-2015-0359) and the Internet Explorer browser (CVE-2014-1776).</p>
<p><strong>Hunter:</strong> Another exploit kit that was popular in 2015 with cybercriminals was the Hunter EK, which initially targeted Brazilians via a phishing email. When the victim’s machine was compromised, a variant of a Brazilian banking trojan generically known as “Bancos” launched. This was a Brazilian banking trojan that used man-in-the-browser (MITB) techniques to steal banking and other financial credentials.</p>
<p><strong>Magnitude:</strong> The Magnitude exploit kit, like other EKs, is a framework hosted by malicious actors to target browser vulnerabilities, particularly for Internet Explorer. Because the popularity of IE has changed, the Magnitude exploit kits that target Microsoft’s browser have been much less active. Still, as recently as 2019, cybercriminals were using Magnitude EK in specific geographic regions where IE owned a sizable part of the market, like in South Korea.</p>
<p>In the fall of 2021, SecurityWeek reported the Magnitude EK is “active” after it “added to its arsenal exploits for CVE-2021-21224 and CVE-2021-31956.”</p>
<p><strong>Neutrino:</strong> According to the Bank Info Security website, the Neutrino EK was “at one time [2016] ranked as one of the world&#8217;s most popular exploit kits. Also known as exploit packs, these tools enable anyone &#8211; no coding experience required &#8211; to run large-scale campaigns designed to infect massive quantities of PCs with malware, turning them into ‘zombie’ nodes in a botnet.”</p>
<p><strong>Nuclear:</strong> The Nuclear exploit kit was another cybercriminal favorite in the mid-2010s. According to an April 2016 Ars Technica article, Nuclear EK had “a sophisticated multi-tier server architecture, with a single master server providing automatic updates to ‘console’ servers—the systems used by paying customers to access and customize their particular paid attack packages. Those console servers, in turn, manage a rotating stock of landing pages served up through malicious links, exploited web pages, and malicious advertisements.”</p>
<p><strong>RIG:</strong> In a November 2016 article on the ThreatPost website, the author says that at that time the “most prolific exploit kit is RIG, which has filled a void left by the departure of Angler, Neutrino, and Nuclear.” The post goes on to outline the “unique” way “the RIG exploit kit combines different web technologies such as DoSWF, JavaScript, Flash, and VBscript to obfuscate attacks.” Threat researchers add that “a RIG attack is a three-pronged attack strategy that leverages either a JavaScript, Flash, VBscript-based attacks as needed.”</p>
<p><strong>Sundown:</strong> At the end of 2016, SecurityWeek ran a piece on its website about the Sundown exploit kit that used “a technique called steganography to hide its exploits in harmless-looking image files.” The practice of hiding information within a file became at this time “increasingly used by malicious actors, including malvertising campaigns.”</p>
<p>Analysis of Sundown EK forays revealed that attackers used PNG images to disguise various exploits, including ones targeting Internet Explorer and Flash Player vulnerabilities.</p>
<p><strong>Sweet Orange:</strong> Sweet Orange exploit kit was also popular with criminals in the mid-2010s. It targeted the Windows operating systems Windows 8.1 and Windows 7 as well as web browsers Internet Explorer, Firefox, and Google Chrome. Sweet Orange EK’s authors tried to prevent the security community from getting access to the source code of the kit. They did this by limiting messages posted on invite-only cybercrime-friendly web communities and selling the kit to only those with a cybercrime reputation.</p>
<p><strong>More to the Story</strong></p>
<p>Today, older kits have been leaked and are publicly available. Attackers have been taking these older kits and modifying them, making them more resilient to newer security detection strategies. Also, many of these kits are being advertised for sale online. Attackers offer these kits for rent on these sites and offer support and update contracts to guarantee they work against future updates.</p>
<p><strong>What should you do?</strong></p>
<p><strong>Protect Your Endpoints:</strong> Advanced, automated endpoint protection, detection, and response.</p>
<p><strong>Web Security:</strong> Protection against web threats hidden in encrypted or non-encrypted traffic.</p>
<p><strong>Internal Segmentation:</strong> Segment network and infrastructure assets regardless of their location whether on-premises or on multiple clouds.</p>
<p><strong>Zero Trust Access:</strong> As users continue to work from anywhere and IoT devices flood networks and operational environments, continuous verification of all users and devices as they access corporate applications and data is needed.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://integratormedia.com/2022/02/11/the-definition-and-examples-of-exploit-kits/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Tips to Protect Enterprise Networks and Resources Against Mozi</title>
		<link>https://integratormedia.com/2021/10/25/tips-to-protect-enterprise-networks-and-resources-against-mozi/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tips-to-protect-enterprise-networks-and-resources-against-mozi</link>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Mon, 25 Oct 2021 12:32:02 +0000</pubDate>
				<category><![CDATA[Features]]></category>
		<category><![CDATA[Tech Features]]></category>
		<category><![CDATA[AI/ML Techniques]]></category>
		<category><![CDATA[Block BitTorrent]]></category>
		<category><![CDATA[botnets]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Mozi]]></category>
		<category><![CDATA[RCEs]]></category>
		<category><![CDATA[Zero Trust model]]></category>
		<guid isPermaLink="false">https://varonline.com/?p=11396</guid>

					<description><![CDATA[<p>Malware has been playing an important role in the expansion of botnets, automating the process of bot infection and recruitment. These botnets are then used to launch large-scale DDoS attacks. One highly prevalent malware in the DDoS world is Mozi. Mozi is a DDoS-focused botnet that utilizes a large set of Remote Code Executions (RCEs) [&#8230;]</p>
<p>The post <a href="https://integratormedia.com/2021/10/25/tips-to-protect-enterprise-networks-and-resources-against-mozi/">Tips to Protect Enterprise Networks and Resources Against Mozi</a> appeared first on <a href="https://integratormedia.com">The Integrator</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Malware has been playing an important role in the expansion of botnets, automating the process of bot infection and recruitment. These botnets are then used to launch large-scale DDoS attacks. One highly prevalent malware in the DDoS world is Mozi.</p>
<p>Mozi is a DDoS-focused botnet that utilizes a large set of Remote Code Executions (RCEs) to leverage CVEs in IoT devices for infection. These IoT devices include readily available and commonly used DVRs and network gateways. Once infected, the botnet uses peer-to-peer connectivity to send and receive configuration updates and attack commands. Mozi was first identified in 2019 and has been evolving and increasing in size ever since. It can now persist on network devices by infiltrating the device’s file system, remaining functional even after the device has been rebooted. During the first half of 2021, Mozi topped out at over 360,000 unique systems using more than 285,000 unique source IP addresses, likely due to address translation.</p>
<div id="attachment_11029" style="width: 203px" class="wp-caption alignright"><a href="https://varonline.com/wp-content/uploads/2021/10/Amr-Alashaal-Regional-Vice-President-Middle-East-at-A10-Networks-e1635400385141.jpg"><img decoding="async" aria-describedby="caption-attachment-11029" class=" wp-image-11029" src="https://varonline.com/wp-content/uploads/2021/10/Amr-Alashaal-Regional-Vice-President-Middle-East-at-A10-Networks-e1635400385141-275x300.jpg" alt="" width="193" height="211" /></a><p id="caption-attachment-11029" class="wp-caption-text"><em>Amr Alashaal, Regional Vice President &#8211; Middle East at A10 Networks</em></p></div>
<p>In order to protect their networks and resources, organizations need to take the following steps to block systems infected by Mozi and the malicious traffic generated by them:</p>
<p><strong>Never Trust, Always Verify:</strong> Incorporate the Zero Trust model and its key principles into your security strategy. Create micro-perimeters within your networks. Limit access to your resources and invest in modern, AI/ML-based solutions. Ensure visibility into not only the endpoints and network nodes, but also into users, their activities, and workflows.</p>
<p><strong>Investigate Whether You are Already Infected:</strong> The initial infection of Mozi comes in the form of RCEs sent using ports 80, 8080, 8443, etc. This can make initial infections stand out, which can help in tracking them with low false positives. If your network devices suddenly start generating abnormal amounts of TCP or UDP traffic, immediately isolate suspicious devices and limit the traffic originating from them. If this is not possible, then apply global rate limiting on all traffic until you track the source.</p>
<p><strong>Observe and Block Commonly Exploited Ports:</strong> Closely monitor any traffic using TCP ports 60001, 37215, 5555, 52869, 49152, both before and after a suspected infection. While these aren’t the only ports Mozi uses, they may help find the needle in the haystack. As a general good practice, monitor and block sources that send TCP SYNs to ports 23 and 2323, as most malware uses Telnet to initiate IoT device infections.</p>
<p><strong>Take a Closer Look at the Payloads:</strong> If your network devices are generating large amounts of traffic, look at the payloads (i.e., the HTTP POST as shown on page 13). RegEx can be used to filter these malicious traffic requests out and block them before they infect other devices.</p>
<p><strong>Block BitTorrent:</strong> Since BitTorrent is one of the most common peer-to-peer networks used by Mozi for Command and Control (C2) communications, any BitTorrent traffic coming into or going out of the network should be blocked. The sheer amount of BitTorrent traffic could be a dead giveaway of infection depending on your customer type.</p>
<p><strong>Ensure Your Security is up to Date:</strong> Make sure your security infrastructure is updated regularly and that your IoT devices are running the latest version of firmware with all the necessary security patches applied. Keep track of CVEs for your network devices and seek out help if there are any patches available. If fixes are not readily available, take appropriate action based on the particular CVEs.</p>
<p><strong>Employ or Review DDoS Baselining and AI/ML Techniques:</strong> Using modern DDoS techniques like baselining to see anomalous behavior versus historical norms, and AI/ML techniques, for detection and zero-day attack prevention, can be a force multiplier for your security team as manual tasks can be discovered and dealt with efficiently and 24&#215;7.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>ESET Research discovers new IIS web server threats eavesdropping on governments and targeting e-commerce transactions</title>
		<link>https://integratormedia.com/2021/10/23/eset-research-discovers-new-iis-web-server-threats-eavesdropping-on-governments-and-targeting-e-commerce-transactions/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=eset-research-discovers-new-iis-web-server-threats-eavesdropping-on-governments-and-targeting-e-commerce-transactions</link>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Sat, 23 Oct 2021 07:18:35 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<category><![CDATA[VAR News]]></category>
		<category><![CDATA[backdoorsallow]]></category>
		<category><![CDATA[Black Hat USA 2021]]></category>
		<category><![CDATA[E-Commerce]]></category>
		<category><![CDATA[ESET]]></category>
		<category><![CDATA[Hromcová.]]></category>
		<category><![CDATA[infostealers]]></category>
		<category><![CDATA[injectorsmodify]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[proxiesturn]]></category>
		<category><![CDATA[Southeast Asia]]></category>
		<category><![CDATA[Virus Bulletin 2021]]></category>
		<guid isPermaLink="false">https://varonline.com/?p=10963</guid>

					<description><![CDATA[<p>ESET researchers have discovered a set of 10 previously undocumented malware families, implemented as malicious extensions for Internet Information Services (IIS) web server software. Targeting both government mailboxes and e-commerce credit card transactions, as well as aiding in malware distribution, this diverse class of threats operates by eavesdropping on and tampering with the server’s communications. At least five IIS backdoors have been spreading through server exploitation of Microsoft Exchange [&#8230;]</p>
<p>The post <a href="https://integratormedia.com/2021/10/23/eset-research-discovers-new-iis-web-server-threats-eavesdropping-on-governments-and-targeting-e-commerce-transactions/">ESET Research discovers new IIS web server threats eavesdropping on governments and targeting e-commerce transactions</a> appeared first on <a href="https://integratormedia.com">The Integrator</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>ESET researchers have discovered a set of 10 previously undocumented malware families, implemented as malicious extensions for Internet Information Services (IIS) web server software. Targeting both government mailboxes and e-commerce credit card transactions, as well as aiding in malware distribution, this diverse class of threats operates by eavesdropping on and tampering with the server’s communications. At least five IIS backdoors have been spreading through server exploitation of Microsoft Exchange email servers in 2021, according to ESET telemetry and the results of additional internet-wide scans that ESET researchers performed to detect the presence of these backdoors.</p>
<p>Among the victims are governments in Southeast Asia and dozens of companies belonging to various industries located mostly in Canada, Vietnam and India, but also in the US, New Zealand, South Korea and other countries.</p>
<p>Today, ESET Research is publishing the white paper “Anatomy of native IIS malware” and launching a series of blogposts on the most notable of the newly discovered threats: IIStealer, IISpy and IISerpent. These will be published on WeLiveSecurity starting today and following through to August 11, 2021. The findings of ESET’s IIS malware research were first presented at <u><a href="https://www.blackhat.com/us-21/briefings/schedule/#anatomy-of-native-iis-malware-23395">Black Hat USA</a> 2021</u> and will also be shared with the community at the <u><a href="https://vblocalhost.com/presentations/anatomy-of-native-iis-malware/">Virus Bulletin</a> 2021</u> conference on October 8, 2021.</p>
<p>IIS malware is a diverse class of threats used for cybercrime, cyberespionage and SEO fraud — but in all cases, its main purpose is to intercept HTTP requests incoming to the compromised IIS server and affect how the server responds to (some of) these requests. “Internet Information Services web servers have been targeted by various malicious actors, for cybercrime and cyberespionage alike. The software’s modular architecture, designed to provide extensibility for web developers, can be a useful tool for attackers,” says ESET researcher Zuzana Hromcová, author of the paper.</p>
<p><strong>ESET has identified five main modes in which IIS malware operates:</strong></p>
<ul>
<li><em>IIS backdoors</em> allow their operators to remotely control the compromised computer with IIS installed.</li>
<li><em>IIS infostealers</em> allow their operators to intercept regular traffic between the compromised server and its legitimate visitors and steal information such as login credentials and payment information.</li>
<li><em>IIS injectors</em> modify HTTP responses sent to legitimate visitors to serve malicious content.</li>
<li><em>IIS proxies</em> turn the compromised server into an unwitting part of the command and control infrastructure for another malware family.</li>
<li><em>SEO fraud IIS malware</em> modifies the content served to search engines to manipulate SERP algorithms and boost the ranking for other websites of interest to the attackers.</li>
</ul>
<p>“It is still quite rare for security software to run on IIS servers, which makes it easy for attackers to operate unnoticed for long periods of time. This should be disturbing for all serious web portals that want to protect their visitors’ data, including authentication and payment information. Organizations that use Outlook on the web should also pay attention, as it depends on IIS and could be an interesting target for espionage,” explains Hromcová.</p>
<p>ESET Research offers several recommendations that can help mitigate IIS malware attacks. These include using unique, strong passwords and multifactor authentication for the administration of IIS servers; keeping the operating system up to date; using a web application firewall and endpoint security solution for the server; and regularly checking the IIS server configuration to verify that all installed extensions are legitimate.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Malwarebytes launches EMEA Channel Programme</title>
		<link>https://integratormedia.com/2017/06/06/malwarebytes-launches-emea-channel-programme/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=malwarebytes-launches-emea-channel-programme</link>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Tue, 06 Jun 2017 05:55:05 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Tech News]]></category>
		<category><![CDATA[malware]]></category>
		<guid isPermaLink="false">https://varonline.com/?p=8327</guid>

					<description><![CDATA[<p>Malwarebytes has launched its inaugural channel programme for partners across EMEA. The programme has been designed to be simple and easy to join, and focuses on driving deal registrations with a commitment from Malwarebytes to help its partners close business opportunities quickly and easily. This &#8211; coupled with Malwarebytes’ strong pedigree in product development and [&#8230;]</p>
<p>The post <a href="https://integratormedia.com/2017/06/06/malwarebytes-launches-emea-channel-programme/">Malwarebytes launches EMEA Channel Programme</a> appeared first on <a href="https://integratormedia.com">The Integrator</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Malwarebytes has launched its inaugural channel programme for partners across EMEA. The programme has been designed to be simple and easy to join, and focuses on driving deal registrations with a commitment from Malwarebytes to help its partners close business opportunities quickly and easily. This &#8211; coupled with Malwarebytes’ strong pedigree in product development and the potential for partners to realise significant margins &#8211; is shaking up the traditional approach to partnering.</p>
<p>Where traditional channel schemes reward – and penalise – partners based on revenue, Malwarebytes is incentivising its reseller and distributor network based on the exposure and opportunity reach they provide for the security company. Partners can attain gold and platinum levels based on numbers of deal registrations rather than revenue, certification programs, or complex points-based programs.</p>
<p>Over the last few years, headline-grabbing online security incidents have escalated in both severity and regularity. The potential implications of a security breach are severe and can range from damaged business reputation through to company devaluation. As the average cost of a data breach increases, information security is now a board-level issue. As a result, there is a huge market opportunity for channel organisations. By providing support and positive incentives, Malwarebytes is offering the reseller community the tools they need to reap the benefits.</p>
<p>“As a company, Malwarebytes has always been innovative and we’re carrying that ethos through to our partner programme,” explains Anthony O’Mara, EMEA Vice-President, Malwarebytes. “Vendors often make partners jump through far too many hoops, wanting arbitrary criteria to be met, often dictating to resellers how to run their business. We’re not doing any of that. We know our partners run successful businesses. So we’ve designed our programme to be flexible, forward-looking and mutually beneficial.<br />
We want our channel to feel part of a mutually beneficial partnership where both parties are invested in driving growth together.”</p>
<p>The programme is available for all reseller partners across EMEA. </p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Quick Heal predicts rise in Banking Malware and attacks on social networking sites</title>
		<link>https://integratormedia.com/2016/08/30/quick-heal-predicts-rise-in-banking-malware-and-attacks-on-social-networking-sites/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=quick-heal-predicts-rise-in-banking-malware-and-attacks-on-social-networking-sites</link>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Tue, 30 Aug 2016 08:39:22 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Tech News]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Quick Heal]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[social networking sites]]></category>
		<guid isPermaLink="false">https://varonline.com/?p=6581</guid>

					<description><![CDATA[<p>Quick Heal Technologies today announced the results of its Second Quarter Threat Report for 2016. The complete report, which can be downloaded from the Quick Heal website, outlines the top malware afflicting Windows and Android users, with a brief overview on each of the malware families. The report also compares the malware detection statistics of [&#8230;]</p>
<p>The post <a href="https://integratormedia.com/2016/08/30/quick-heal-predicts-rise-in-banking-malware-and-attacks-on-social-networking-sites/">Quick Heal predicts rise in Banking Malware and attacks on social networking sites</a> appeared first on <a href="https://integratormedia.com">The Integrator</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Quick Heal Technologies today announced the results of its Second Quarter Threat Report for 2016. The complete report, which can be downloaded from the Quick Heal website, outlines the top malware afflicting Windows and Android users, with a brief overview on each of the malware families. The report also compares the malware detection statistics of this quarter with that of the previous quarter.</p>
<p>According to the report, trojans, worms, infectors and exploits showed constant detection rates throughout the months of Q2. The combined figure for Adware and PUA category detections is 28% on average. Ransomware detection declined by a tiny margin in June compared with May but is on the rise compared to Q1 2016.</p>
<p>As observed in the detection statistics of Q2 2016, adware remains one of the major malware categories. The dominance of the ransomware family showed no respite even in this quarter. Locky Ransomware continued to maintain its dominance by encrypting files on the infected system and adding the “.locky” extension to them. Because no means of decryption was available, Locky was considered one of the most dangerous ransomware families in this quarter.</p>
<p>Sharing an insight into the report, Sanjay Katkar, MD &amp; CTO, Quick Heal Technologies Limited, said: “We consider creating awareness around IT and cyber security as our prime responsibility and therefore, we have been releasing threat reports periodically.” He further added: “At Quick Heal, our teams constantly monitor the threat landscape and develop solutions to counter these threats. Our Threat Reports are an attempt towards building safe and secure IT environments and online experiences. We are constantly innovating to equip our consumers and enterprises to monitor and prevent these threats and safeguard their critical data.”</p>
<p>Among trends and predictions detailed, PUA and Adware are suspected to be laced with destructive functionalities including damaging or crashing boot sector records of infected computers. Additionally, adware is most likely to be used for delivering ransomware into the targeted systems.</p>
<p>Ransomware variants will keep rising in the coming quarter as well. The CryptXXX ransomware is suspected to hit its targets with new and more advanced variants. Locky ransomware is expected to remain complicated because of its continuously changing internal coding and obfuscation techniques.</p>
<p>Ransomware-as-a-service (RaaS) is another trend that is gaining momentum. In RaaS, malware authors sell ransomware along with a customizable kit through the online black market. Interested people can register and download it for free or a nominal fee. Once the ransomware file is customized as per the requirement, it is then spread through the desired infection vectors.</p>
<p>Malware attacks on social networking sites are likely to increase in the near future. By 2018, it is estimated that there will be about 2.55 billion users on social networks. With such a sheer volume of user interaction, such sites are easy targets for online scammers and cyber criminals.</p>
<p>Banking malware is going to be a concern in the coming days for security experts and more importantly users of mobile Internet banking. With almost all banks developing dedicated apps for banking, hackers are going to leverage this as a lucrative opportunity to trick users and generate illegitimate cash to further fuel their nefarious intentions.</p>
<p>The post <a href="https://integratormedia.com/2016/08/30/quick-heal-predicts-rise-in-banking-malware-and-attacks-on-social-networking-sites/">Quick Heal predicts rise in Banking Malware and attacks on social networking sites</a> appeared first on <a href="https://integratormedia.com">The Integrator</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>UAE-born Mobile Brand ‘Four’ introduces K500; a full-spec Smartphone, without Camera or GPS</title>
		<link>https://integratormedia.com/2016/06/23/uae-born-mobile-brand-four-introduces-k500-a-full-spec-smartphone-without-camera-or-gps/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=uae-born-mobile-brand-four-introduces-k500-a-full-spec-smartphone-without-camera-or-gps</link>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Thu, 23 Jun 2016 07:46:32 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Tech News]]></category>
		<category><![CDATA[1GB RAM]]></category>
		<category><![CDATA[3G connectivity]]></category>
		<category><![CDATA[8GB memory]]></category>
		<category><![CDATA[and 1900 mAh battery.]]></category>
		<category><![CDATA[Android 5.1]]></category>
		<category><![CDATA[Dubai Technology]]></category>
		<category><![CDATA[Faisal Al Bannai]]></category>
		<category><![CDATA[GPS]]></category>
		<category><![CDATA[ICT]]></category>
		<category><![CDATA[IT News]]></category>
		<category><![CDATA[K500; a full-spec]]></category>
		<category><![CDATA[Latest Technology News]]></category>
		<category><![CDATA[Lollipop operating system]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Mobile Brand ‘Four’]]></category>
		<category><![CDATA[peeping Tom]]></category>
		<category><![CDATA[PlaceRaider]]></category>
		<category><![CDATA[quad-core processor]]></category>
		<category><![CDATA[Smartphone]]></category>
		<category><![CDATA[Technology News]]></category>
		<category><![CDATA[Trojan horse]]></category>
		<category><![CDATA[UAE-born]]></category>
		<category><![CDATA[without Camera]]></category>
		<guid isPermaLink="false">https://varonline.com/?p=6382</guid>

					<description><![CDATA[<p>The increasing risk of mobile breaches turning smartphones into surveillance devices is behind a growing niche market for devices designed specifically for enhancing privacy, according to UAE-based mobile phone brand, Four. Smartphones are packed with connected features, with high-definition cameras and GPS location almost universally standard. They can also be used to turn a mobile [&#8230;]</p>
<p>The post <a href="https://integratormedia.com/2016/06/23/uae-born-mobile-brand-four-introduces-k500-a-full-spec-smartphone-without-camera-or-gps/">UAE-born Mobile Brand ‘Four’ introduces K500; a full-spec Smartphone, without Camera or GPS</a> appeared first on <a href="https://integratormedia.com">The Integrator</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The increasing risk of mobile breaches turning smartphones into surveillance devices is behind a growing niche market for devices designed specifically for enhancing privacy, according to UAE-based mobile phone brand, Four.</p>
<p>Smartphones are packed with connected features, with high-definition cameras and GPS location almost universally standard. They can also be used to turn a mobile phone into a spy device, able to take and record photographs, location data, and even map inside a home or workplace, without the user’s knowledge or permission. This risk is something that Four’s latest offering, the K500 smartphone, is specifically designed to guard against by completely removing the camera and GPS.</p>
<p>“There is a very real concern that your mobile phone could be hijacked by malware, photographing you, friends and family, spying inside the home or workplace,” said Four’s founder and CEO, Faisal Al Bannai. “This can happen by downloading a seemingly innocent app onto the phone, but within the app are a series of permissions, allowing access to cameras, GPS location and so on, that transform the camera into a spy device. The app is the so-called Trojan horse that installs surveillance software onto the device, and brings intruders into your private environment.”</p>
<p>A significant concern would be ‘peeping Tom’ malware, which allows hackers to collect personal images via the device’s camera. Combined with GPS, images can become a real threat to personal safety and privacy.</p>
<p>Easy-to-create malware can be dangerously effective in collecting information. In 2012, the US Naval Surface Warfare Centre ran an experiment to find out how much information it could harvest via a relatively simple custom-made smartphone app. Called PlaceRaider, the app took random, high-resolution images at regular intervals, using GPS and motion sensors to record the time, location and orientation of each image, and uploaded the pictures onto a central server. By analyzing the images and accompanying data, the research team was able to produce 3D renderings of building interiors, identifying precisely where valuable items could be found. The researchers noted that an app such as this could allow thieves to identify targets, and break into homes already knowing exactly where to find your valuables.</p>
<p>With such intrusive malware so simple to create and distribute, the most effective means of protection is to ensure the devices the malware exploits do not enter secure environments. The Four K500 helps achieve this by omitting features that malware depends upon – camera and GPS – while otherwise being a full-featured smartphone.</p>
<p>“The K500 is tailored towards organizations that wish to absolutely eliminate the risk of being spied upon,” said Al Bannai. “There is no camera, and there is no GPS, which are the two key features that allow spyware to record a physical environment. Some workplaces are requiring such devices for reasons of site security, but we believe they can also play an important role in personal safety, and can be of great value to parents concerned about the safety of their children.”</p>
<p>As a brand focused on value, Four tailors its products to offer a carefully planned selection of popular features at a reasonable price, and the K500 is no different. With the exception of camera and GPS, it is a fully connected smartphone, with features including a quad-core processor, 3G connectivity, the latest Android 5.1 Lollipop operating system, 1GB RAM, 8GB memory, and 1900 mAh battery. It comes with two screen protectors and a free flip cover inside the box, along with a one-year warranty from axiom Telecom.</p>
<p>And it is priced at just AED 299.</p>
<p>“The Four K500 is designed to fill a very specific need in the market, but it still includes essential features that customers value,” said Al Bannai. “And it has a very important additional feature – the confidence that your privacy is protected.”</p>
<p>The post <a href="https://integratormedia.com/2016/06/23/uae-born-mobile-brand-four-introduces-k500-a-full-spec-smartphone-without-camera-or-gps/">UAE-born Mobile Brand ‘Four’ introduces K500; a full-spec Smartphone, without Camera or GPS</a> appeared first on <a href="https://integratormedia.com">The Integrator</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
