Exploit Kits for Drive-by Download Attacks

Exploit Kits (EKs) are malicious code embedded in a website. They are commercially available and many are easy to use, even by cybercriminals with little coding experience. They contain pre-packaged code that seeks to exploit out-of-date browsers, insecure applications, or vulnerable services.

They are used in ‘Drive-by Download’ attacks that target the visitors of a website. When a visitor browses to a site hosting an EK, the Kit uses all of its exploits to attempt to compromise the visitor’s system and install malware, including ransomware. Cybercriminals constantly update their malware to evade detection. Palo Alto Networks’ threat research team recently documented over 90,000 websites compromised by the continuously evolving Angler EK.

Unfortunately, the presence of these Kits is undetectable by most users. They can reside on a legitimate site that has been compromised, or on a malicious site masquerading as a legitimate website. EKs have been around for several years, yet continue to be a tool of choice for cybercriminals because end-users continue to run vulnerable software.

How AlienVault Helps

There are three absolutes in life: Death, Taxes, and End-Users’ Systems Being Owned. We can’t help with death and taxes, but we can help with detecting system compromise. You can’t rely on endpoint protection systems to prevent system compromise, because there will always be bad actors looking to exploit your users’ vulnerable systems.

You need the ability to detect indicators of compromise (IoCs) in your network quickly, so that you can minimize the damage compromised systems cause. To this end, the LevelBlue Labs team continues to research and update the ability of the USM platform to detect new EKs, or new variations on existing Kits.

The Labs team recently updated the USM platform’s ability to detect EK activity by adding IDS signatures to detect the malicious traffic on your network and correlation directives to link events from across your network that indicate systems compromised by this type of malware.

These updates are included in the latest AlienVault Threat Intelligence update available now:

  • Updated Detection Technique - Exploit Kits

Exploit kits are used in what are called "Drive-by Downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns they use within their code to evade detection.

We added IDS signatures and updated correlation rules to enhance exploit kit detection:

  • Exploitation & Installation, Malicious website - Exploit Kit, Angler EK
  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
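The two directives above describe a chain: a malicious redirection alert alone is a "Delivery & Attack" event, and a redirection followed by Angler EK landing-page or payload activity from the same victim is escalated to "Exploitation & Installation". The following is an added illustration of that kind of correlation, written for this post; it is not USM code and not the actual IDS signatures or correlation directives the Labs team shipped. The alert-line format, the signature names (EK_MALICIOUS_REDIRECT, EK_ANGLER_LANDING, EK_ANGLER_PAYLOAD), the hosts, and the five-minute linking window are all constructed for the example.

```python
"""Toy correlation of IDS alerts into exploit-kit kill-chain events.

Added example only: not AlienVault/LevelBlue USM code, and not its real IDS
signatures or correlation directives. Signature names, hosts, timestamps and
the alert-line format are constructed for this illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IDS alert lines: "<ISO timestamp> <victim> -> <server> <signature>"
SAMPLE_ALERTS = """
2016-03-01T10:00:01 10.0.0.5 -> 203.0.113.10 EK_MALICIOUS_REDIRECT
2016-03-01T10:00:04 10.0.0.5 -> 203.0.113.20 EK_ANGLER_LANDING
2016-03-01T10:00:09 10.0.0.5 -> 203.0.113.20 EK_ANGLER_PAYLOAD
2016-03-01T10:05:00 10.0.0.7 -> 203.0.113.30 EK_MALICIOUS_REDIRECT
2016-03-01T10:05:00 10.0.0.9 -> 203.0.113.30 EK_MALICIOUS_REDIRECT
2016-03-01T10:20:00 10.0.0.9 -> 203.0.113.40 EK_ANGLER_LANDING
this line is malformed and must be skipped
"""

# Constructed signature names standing in for the IDS rules the post describes.
REDIRECT_SIGS = {"EK_MALICIOUS_REDIRECT"}
EK_SIGS = {"EK_ANGLER_LANDING", "EK_ANGLER_PAYLOAD"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<sig>\S+)$")


def parse_alerts(text):
    """Parse alert lines into dicts, skipping blank or malformed lines."""
    alerts = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # a bad line must not stop the whole correlation run
        alerts.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"], "dst": m["dst"], "sig": m["sig"],
        })
    return sorted(alerts, key=lambda a: a["ts"])


def correlate(alerts, window=timedelta(minutes=5)):
    """Link per-victim IDS alerts into kill-chain stage events.

    A redirect alert followed within `window` by an EK landing/payload alert
    from the same victim is folded into one "Exploitation & Installation"
    event. Redirects with no follow-up inside the window stay at
    "Delivery & Attack", so stale redirects are not linked to later hits.
    """
    by_victim = defaultdict(list)
    for a in alerts:
        by_victim[a["src"]].append(a)

    events = []
    for victim, hits in sorted(by_victim.items()):
        redirects = [a for a in hits if a["sig"] in REDIRECT_SIGS]
        ek_hits = [a for a in hits if a["sig"] in EK_SIGS]

        # Redirects that precede an EK hit by no more than `window` are linked.
        linked = []
        for e in ek_hits:
            linked += [r for r in redirects
                       if r not in linked and e["ts"] - window <= r["ts"] <= e["ts"]]

        if ek_hits:
            evidence = sorted(linked + ek_hits, key=lambda a: a["ts"])
            events.append({"stage": "Exploitation & Installation",
                           "subcategory": "Angler EK", "victim": victim,
                           "first_seen": evidence[0]["ts"],
                           "evidence": [a["sig"] for a in evidence]})

        unlinked = [r for r in redirects if r not in linked]
        if unlinked:
            events.append({"stage": "Delivery & Attack",
                           "subcategory": "Malicious redirection", "victim": victim,
                           "first_seen": unlinked[0]["ts"],
                           "evidence": [a["sig"] for a in unlinked]})
    return events


if __name__ == "__main__":
    for ev in correlate(parse_alerts(SAMPLE_ALERTS)):
        print(f'{ev["first_seen"]} {ev["victim"]:10} {ev["stage"]:28} '
              f'{ev["subcategory"]:22} {ev["evidence"]}')
```

On the constructed input, 10.0.0.5 produces a single "Exploitation & Installation" event carrying all three alerts, 10.0.0.7 stays at "Delivery & Attack", and 10.0.0.9 gets two separate events because its landing-page hit arrived fifteen minutes after the redirect, outside the window. Grouping by victim rather than by destination server is the point: the EK's hosting IPs rotate, but the compromised endpoint is what an analyst needs to find.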

For more information on recent Angler EK activity, visit the AlienVault Open Threat Exchange (OTX) to see the research the OTX community has contributed:

https://otx.alienvault.com/browse/pulses/?q=Angler%20EK&sort=-created
