Security vendor Proofpoint warns in a new report that a “malvertising” campaign has been launching ransomware attacks against users of numerous high-profile websites, including search site Yahoo, dating site Match.com, and an AOL real estate site.
Proofpoint says it saw a surge earlier this month of malvertising exploits involving attackers serving real-looking advertisements that harbor malware on legitimate advertising networks.
“These types of malware infections are particularly effective because often the end user is not aware they have been infected,” says Mark James, an information security researcher at anti-virus firm ESET. “What would appear as an ordinary [legitimate] advertisement on a website can contain code that once the advertisement is clicked will infect your systems and could still deliver the advertised product.” Attackers often vary their attacks based on geography, which can make related malvertising campaigns difficult to spot, at least until the related levels of activity reach a “significant” level, Proofpoint says.
In the case of this criminal campaign, attackers’ malicious advertisements first targeted website users with the FlashPack Exploit Kit, which is designed to automatically exploit a number of known vulnerabilities in users’ browsers and browser plug-ins. If successful, the exploit kit then installed ransomware – malware that encrypts all data on a user’s PC and then demands a payment for the decryption key – called Cryptowall 2.0.
Tracking Cryptowall 2.0
The 2.0 version of Cryptowall was first spotted earlier this month by Finnish anti-virus firm F-Secure, which says the malware is using a custom component that allows it to communicate with command-and-control servers via the anonymizing Tor network, which helps disguise related infections. F-Secure says it first spotted criminals testing related tweaks to Cryptowall 1.0 this past summer, after which the changes were formally packaged up and released as Cryptowall 2.0. “We expect to see a lot more of Cryptowall 2.0 in the near future,” F-Secure trainee Artturi Lehtiö said in an Oct. 2 blog post.
That prediction soon came to pass. Proofpoint says it saw the malvertising campaign begin in late September. But related attacks didn’t spike until earlier this month, when they grew to expose approximately 3 million website users daily to related attacks.
Proofpoint says it contacted affected advertising networks, and by Oct. 18, they’d blocked the accounts that were being used to serve the malware. “The sites themselves were not compromised; rather, the advertising networks upon which they relied for dynamic content were inadvertently serving malware – which in turn, was not due to an explicit compromise of the networks; rather, it was due to the networks accepting ads from a malicious source without [proper] screening,” Proofpoint says.
While AOL and Match.com didn’t immediately respond to a request for comment about the Proofpoint report, a Yahoo spokeswoman confirms that the company has taken measures to block such attacks. “As soon as we detected the incident, we promptly removed the advertising and have continued to monitor and block any advertising being used for this activity,” she says.
Meanwhile, attackers continue to use Cryptowall for other in-the-wild attacks. Firewall vendorPalo Alto Networks reports that since Sept. 30, it’s spotted 84 new Cryptowall 2.0 variants. These variants target consumers “primarily through e-mail attachments but also through malicious PDFs and Web exploit kits,” it says. Those malicious PDFs would target users via phishing attacks, meaning the malicious documents would arrive attached to fake but real-looking e-mails.
While attackers continue to develop and refine their ransomware, the exploit kits they’re using to install Cryptoware – and numerous other types of malware – on victims’ PCs likewise continue to evolve. That’s due in large part to market demand: Exploit kits are predicated on exploiting a user’s PC through any means available, and security experts say there’s fierce competition among exploit-kit authors in search of more paying subscribers for their crimeware.
One currently popular crimeware kit, for example, is the Fiesta exploit kit, which security researchers at Cisco describe as being “aggressive” because it includes the ability to exploit not only common Java vulnerabilities, but also bugs in Microsoft Silverlight. While Oracle and Microsoft have released related patches, many users and businesses fail to install those updates in a timely manner, thus leaving them vulnerable to exploit-kit attacks.
After vendors release a security update for a product to fix flaws, exploit kit authors typically reverse-engineer the fixes to identify the flaws, and then add the ability to exploit those vulnerabilities to their kit.
How quickly do exploit kits get updated to take advantage of the latest flaws? This week, the Fiesta exploit kit reportedly received an update that allows it to exploit a Flash flaw that was patched by Adobe only last week. The “weaponized” version of the Flash flaw – an integer-overflow bug that’s been designated CVE-2014-0569 – was discovered by the malware researcher “Kafeine,” who maintains the “Malware don’t need Coffee” blog. Kafeine reports that the competing Angler exploit kit may also now be able to exploit the flaw.
In other words, just one week – or less – elapsed between Adobe issuing a public warning as well as related update that fixes the flaw, and attackers integrating the vulnerability into an exploit kit. That short timeframe shows the challenges facing consumers and enterprises that must keep their browser plug-ins – especially Flash and Java – up to date, or face a nearly constant risk of being hacked.
“The bad guys are not going to run short of vulnerabilities they can weaponize at a quicker rate than ever before,” security researcher Jérôme Segura, who works for anti-malware software firm Malwarebytes, says in a blog post. “This leaves end users with very little room for mistakes, such as failing to diligently apply security patches sooner rather than later.”
Follow Mathew J. Schwartz on Twitter: @euroinfosec