ROCA Rocks the Crypto Industry That Was KRACK’d Only Days Ago

The security/cryptography industry has recently taken a battering. Hot on the heels of the KRACK WiFi network vulnerability comes an even bigger, more calamitous and more widespread hazard – the ROCA hack has exposed millions of smartcards, laptops, devices and secure systems to potential criminal activity.

Infineon Technologies AG is a multi-billion dollar, 18-year old German chipmaker that was originally part of Siemens, with 36,000 employees in 166 locations in over 25 countries. It claims to be “the leading provider of security solutions with robust, future-proof embedded security hardware”.

Infineon developed an encryption code library around 2012 that is compliant with recognized global security certification standards, yet it contains a deadly flaw. The fault means that many of the public cryptography keys it generates can be decomposed relatively easily to reveal the corresponding private key. That means that all of its keys are suspect and would not stand up in a court of law as proof that a named party digitally signed a document, or a piece of software, or government identity cards (e.g. Slovakia, Estonia). It also means that criminals could impersonate the true signatory. Hackers could inject malicious code into genuine software products and distribute them as though they were authenticated and digitally signed by the manufacturer.

Infineon did not perform adequate due diligence QA on the code library. As a result, some of its public keys, or moduli, are easily factored. At the core of many encryption systems is a very large integer that is calculated by multiplying two prime numbers together to arrive at a semiprime number. Some of Infineon’s public keys can be factored, since the component prime numbers can be reverse-engineered. Researchers can identify, or fingerprint, which public keys are vulnerable. Wikipedia defines key fingerprinting in public-key cryptography as, “a short sequence of bytes used to identify a longer public key.”

In the ROCA hack (“Return of Coppersmith’s Attack”), researchers developed a refinement of an existing factoring method. It leveraged the vulnerability that the modulus, or public key, can be factored to reveal the crucial primes. Factorizing the public key still requires considerable computing power and time, and the researchers used Amazon cloud compute services as a benchmark to illustrate the effort and cost. Once a public key has been fingerprinted as potentially factorizable using this tool, a 1024-bit key would take just a few minutes to break, at a mere cost of approximately $75. A 2048-bit key would cost about $40,000 to crack, and would take a little more than two weeks. A properly generated key would take millions of years and could not be broken in practical terms. These estimates illustrate the relative strengths and weaknesses of weak and strong keys.
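The fingerprint test the paragraphs above refer to, as an added example that is not part of the original article or of the researchers’ own tool: the flawed generator produced primes of the form p = k·M + (65537^a mod M), with M the product of the first n primes, so for N = p·q every residue N mod r (r a small prime dividing M) lies in the subgroup of Z_r* generated by 65537. The prime list below (the first 39 primes, the M of the paper’s 512-bit case; larger key sizes use a longer primorial that this set still divides) and the test values are assumptions constructed for this example.

```python
"""ROCA fingerprint check: does a public modulus look Infineon-generated?

Added example, not the researchers' detection tool.  For N = p*q with
    p = k*M + (65537**a mod M),  M = 2*3*5*...*167,
N mod r == 65537**(a+b) mod r for every prime r dividing M, so each residue
must lie in the cyclic subgroup <65537> of Z_r^*.  A modulus failing any one
of these residue tests cannot have been produced by the flawed generator.
"""

# Assumption: the first 39 primes (M for 512-bit keys in the ROCA paper).
# 1024/2048-bit keys use longer primorials, which this list still divides.
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537  # the public exponent the flawed generator built primes from


def allowed_residues(r: int, g: int = GENERATOR) -> frozenset:
    """All x with x == g**j (mod r) for some j, i.e. the subgroup <g> of Z_r^*."""
    residues, x = set(), 1
    while x not in residues:
        residues.add(x)
        x = (x * g) % r
    return frozenset(residues)


# One residue set per small prime, computed once.  For r in {3, 5, 7} the
# subgroup is the whole group, so those primes never reject anything; the
# discriminating power comes from primes such as 11, 13, 17, 19, ...
ALLOWED = {r: allowed_residues(r) for r in SMALL_PRIMES}


def failing_primes(n: int) -> list:
    """Small primes r for which n mod r falls outside <65537>.

    An empty list means n carries the ROCA fingerprint and the key should be
    treated as factorable (revoke and regenerate on a non-affected generator).
    """
    return [r for r in SMALL_PRIMES if (n % r) not in ALLOWED[r]]


def has_roca_fingerprint(n: int) -> bool:
    """True if every residue test passes, i.e. n looks Infineon-generated."""
    return not failing_primes(n)


def roca_test_modulus(exponent: int) -> int:
    """Constructed positive control (not a real key): 65537**e has exactly the
    residue structure of a ROCA modulus, N mod r == 65537**e mod r for all r."""
    return GENERATOR ** exponent


if __name__ == "__main__":
    # Constructed inputs: a value with the ROCA residue structure, and the
    # textbook modulus 3233 = 61 * 53, which is rejected at r = 17.
    for label, n in [("roca-structured", roca_test_modulus(7)), ("3233", 3233)]:
        print(label, "fingerprint:", has_roca_fingerprint(n),
              "failing primes:", failing_primes(n)[:3])
```

Real-world use feeds the integer modulus extracted from a certificate or public-key file into `has_roca_fingerprint`; a positive result is a fingerprint match, and the paper’s cost figures for factoring then apply to that key.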

How widespread is this?

There are tens of millions of these Infineon RSA keys in the field. Trusted Platform Modules (TPMs), the embedded chips designed to safeguard hardware by holding crypto keys, generating secure keys and authenticating credentials for remote login, are affected as well. Many Windows devices manufactured by HP, Fujitsu, and Lenovo are impacted; Google Chromebooks are similarly affected. Any devices that utilize Infineon RSA technology must be patched.

Concerns for the security industry

The organization that leads global certification of encryption methods is the National Institute of Standards and Technology (NIST) and the most important standards are FIPS 140-2 Level 2 and the Common Criteria. This is the second credibility hit to affect encryption technology since four years ago, when Taiwan’s certified digital ID secure technology was discovered to contain a flaw that could enable a hacker to adopt another user’s persona. Standards and certification will surely be reassessed and strengthened to reclaim credibility.

Is there any good news?

Yes. The vulnerability applies only to keys that were generated by the Infineon RSA encryption technology. RSA keys generated with software such as PGP, OpenSSL, and similar are not impacted. Neither are non-RSA keys, such as those using Elliptic Curve Cryptography and other technologies. In any case, only keys that were generated by a smartcard or an embedded device using the Infineon code library exhibit this flaw.

Every WiFi Network in the World is Potentially at Risk

They have called it KRACK – Key Reinstallation Attack – and it uncovers a vulnerability in practically every modern WiFi network in the world. The flaw lies at the heart of the WPA2 security protocol that controls access and encrypts traffic. It can be leveraged to snoop on confidential information such as emails, credit card details, passwords and so on.

Who is impacted?

Businesses and individuals, institutions and enterprises, personal and corporate networks – every network that uses WPA2 or the older WPA1, with any of the ciphers GCMP, AES-CCMP and WPA-TKIP. Windows, Linux, Apple, Android, Linksys, MediaTek and OpenBSD have all been shown to be vulnerable to KRACK attacks. In fact, Android 6 users are the most vulnerable.

What exactly is the flaw?

When a user connects to a WiFi network, WPA2 uses what is called a 4-way handshake to validate the user’s credentials and connect authorized users to the network. Step 3 of that handshake process involves generating a unique session key. The flaw means that the key generation process can be manipulated either to use a key from a previous session or, in the case of Android 6, to use a key containing all zeros. Hence the name Key Reinstallation Attack. Therefore a hacker could pose as an existing legitimate user and tap into the data going to and from that user. A hacker could also inject malware into a data stream to/from a user. A more technical lowdown can be found here and here.
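A simulation of the reinstallation effect just described, added here as an example that is not from the original post or from any vendor’s WPA2 code: when message 3 of the handshake is processed a second time, a vulnerable client reinstalls the session key and resets its packet counter (the nonce), so two frames end up encrypted with the same keystream; the patched client follows the published fix of refusing to reinstall a key that is already in place. The SHA-256 counter keystream and the constructed key and messages are stand-ins for AES-CCMP, assumed for this example.

```python
"""WPA2 supplicant model: key reinstallation vs. the patched behaviour.

Added example, not the original post's or any vendor's code.  Real WPA2-CCMP
keys AES in CCM mode with a 48-bit packet number as the nonce; the SHA-256
counter stream below stands in for it, which is enough to show why resetting
the packet number after a repeated message 3 is fatal for confidentiality.
"""
import hashlib


def keystream(ptk: bytes, nonce: int, length: int) -> bytes:
    """Toy CTR keystream derived from the session key and packet number."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(ptk + nonce.to_bytes(6, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """The client side of the 4-way handshake (only the key-install step)."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None    # pairwise transient key installed from message 3
        self.nonce = 0     # packet number; CCMP uses a 48-bit counter

    def handle_message3(self, ptk: bytes) -> None:
        """Install the session key negotiated by message 3.

        Vulnerable behaviour: every message 3, including a retransmitted copy,
        reinstalls the key and resets the packet number to zero.  Patched
        behaviour (the actual fix): a key that is already installed is left
        alone, so the counter keeps increasing.
        """
        if self.patched and ptk == self.ptk:
            return
        self.ptk = ptk
        self.nonce = 0

    def encrypt(self, plaintext: bytes) -> tuple:
        """Protect one frame; returns (packet number, ciphertext)."""
        nonce = self.nonce
        self.nonce += 1
        return nonce, xor(plaintext, keystream(self.ptk, nonce, len(plaintext)))


def run_scenario(patched: bool, frame1: bytes, frame2: bytes) -> tuple:
    """Send frame1, deliver message 3 again, send frame2.

    Returns (nonce_reused, keystream_reused).  keystream_reused is checked the
    way a passive observer would: with equal keystreams, c1 XOR c2 equals
    p1 XOR p2, which leaks the relationship between the two plaintexts.
    """
    sta = Supplicant(patched)
    ptk = b"\x11" * 16                      # constructed session key
    sta.handle_message3(ptk)                # first, legitimate message 3
    n1, c1 = sta.encrypt(frame1)
    sta.handle_message3(ptk)                # message 3 delivered a second time
    n2, c2 = sta.encrypt(frame2)
    return n1 == n2, xor(c1, c2) == xor(frame1, frame2)


if __name__ == "__main__":
    # Constructed sample frames of equal length.
    f1, f2 = b"attack at dawn!", b"hold position!!"
    print("vulnerable client (nonce reused, keystream reused):", run_scenario(False, f1, f2))
    print("patched client    (nonce reused, keystream reused):", run_scenario(True, f1, f2))
```

The same model explains the Android 6 case mentioned above: there the reinstalled key is all zeros rather than the old key, which is strictly worse because the keystream then no longer depends on any secret at all.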

Is there any good news?

Yes indeed. Most websites that handle confidential data, such as banks and eCommerce sites, use the HTTPS secure layer protocol to encrypt traffic. The WPA2 vulnerability cannot compromise data that is encrypted by some method other than WPA2. This means that VPN traffic, for example, is not compromised. It is only plain old HTTP traffic that could be stolen. In any case, an attacker would have to be in close physical proximity in order to access any WiFi network, so it’s not like a vulnerability that can be leveraged from halfway across the globe over the Internet.

Who is to blame and could it have been avoided?

Founded in 1999, the Wi-Fi Alliance is the not-for-profit organization formed by the major players worldwide that create and deliver the Wi-Fi ecosystem, on which billions of people depend every day. It says, “Today, Wi-Fi carries more than half of the internet’s traffic in an ever-expanding variety of applications.” Its website carries the announcement of the vulnerability published October 16.
Seeing as this organization developed WPA2, any finger pointing leads straight here, although it would be ultra-critical to lay blame with a product that has stood the test of time in the 13 years since its release in 2004. Could it have been avoided? Could Daimler have avoided the recent recall of over one million Mercedes Benz automobiles for an air bag flaw? Of course, the answer is yes, in theory, but no product can lay claim to being 100% foolproof or flawless.

What next to protect WiFi users?

The researchers quite responsibly informed the relevant bodies discreetly, so that manufacturers like Microsoft had a month to develop security patches before the word got out. Users should update their devices. Microsoft users who subscribe to automatic updates will already have been upgraded. Android users should upgrade as soon as possible. However, as routers are almost never on an automatic upgrade program, many may never receive firmware upgrades. That may not be an issue as long as clients (users) upgrade their devices.

Petya: A Useless Ransomware that Wreaked Havoc

On June 27, 2017, opportunistic cybercriminals took advantage of exploits leaked by Shadow Brokers, a group that had previously released cyberweapons used by the National Security Agency. The latest exploit was a variant of Ransom:Win32/Petya that was initially seeded through the update mechanism of an accounting software program used in Ukraine. Since then, the ransomware has compromised 12,500 machines in Ukraine and spread to 64 countries across the globe. The virus exploits the EternalBlue vulnerability in Microsoft Windows, encrypts data on the compromised hard drives and asks for a $300 ransom for data decryption.

A Wiper in Disguise

Experts believe this over-clever attempt to victimize unsuspecting users for financial gain has the potential to spread faster than WannaCry, the largest ransomware attack ever. In achieving that goal, however, the virus is so inept that the entire ransom payment mechanism is flawed and guarantees that encrypted data cannot be recovered even after payment.

The virus requests payment to a static Bitcoin address and a proof of payment message to the email address hosted by the company Posteo. As expected, transactions to the single hardcoded Bitcoin Address are traceable and the webmail company has already disabled the email address. Despite the large-scale impact, cybercriminals behind the attack hardly managed to receive $10,000 across 45 ransom payments.

It looks like the intent behind the attack is far more malicious and clever. Perhaps the creators never intended to decrypt the compromised data after receiving payments. While it looks like a school-boy hacker’s attempt to get rich quick, the virus has actually turned out to be something worse: a Wiper malware.

A Wiper malware is essentially a cyberweapon designed to destroy the data stored on the compromised hard disk. Whether Petya was intentionally designed as a Wiper malware is debatable, but it has certainly yielded its fair share of the fodder feeding the media frenzy around the mysterious cybercrime actors. Previous episodes of Wiper malware had their roots entrenched in state-sponsored attacks. Notable attacks in history include the Wiper attack on Iran and the Shamoon attack on Saudi Arabia, which share their roots with the destructive Stuxnet attack.

Here’s What You Can Do About It

Petya exploits the Server Message Block (SMB) vulnerability in Microsoft Windows to spread across machines. This is the same vulnerability used to spread WannaCry, the largest ransomware attack in history. Microsoft had already issued security patches to address the vulnerabilities, and users running updated machines remain secure from the Petya attack.

The first step to ensure protection from the Petya attack lies in running the latest stable versions of Windows OS.

Users running outdated Windows OS should meanwhile watch out for unwarranted attempts to reboot and repair system files. If that happens, you should power off your machine immediately, because it’s actually the encryption process taking place. Your files remain unencrypted until this process is completed in its entirety.

If your computer has actually been compromised, there’s no way to recover your data since the email address stated in the ransom message has been disabled. Reformat your hard drive, recover your data from the available backup and keep your software, anti-virus and OS up-to-date at all times.

A Detailed Analysis of Pacemaker Ecosystem’s Failed Security Checkup

The pacemaker itself is not a new piece of technology. Interfacing it with a network – including the publicly accessible Internet – is a relatively new concept and opens the door to potentially life-threatening security vulnerabilities. Recently, the newly developed Pacemaker Ecosystem, the technology framework for connecting next-gen Pacemakers to the Internet of Things (IoT), failed its cyber security check-up.

IoT Brings Major Security Challenges

The very concept behind the Internet of Things highlights the convenience of connecting devices across a public-facing Internet connection. The benefits of IoT connectivity are myriad. An IoT-enabled Pacemaker allows medical professionals to remotely monitor Pacemaker users, 24/7.

Potentially, the same healthcare professionals could remotely reconfigure a Pacemaker as well. But what happens if somebody other than the authorized healthcare specialist, without the necessary knowledge and expertise to manage a pacemaker, gains access to the IoT healthcare device? The implications of this are terrifying.

Transparency is a Potential Security Vulnerability

The Pacemaker Ecosystem failed its cyber security test due to the potential security vulnerabilities found within the integrated set of technologies that constitute the overall platform infrastructure.

Because of the open nature of IoT security protocols, it is possible to learn very quickly how the Pacemaker Ecosystem handles security. Since the platform uses standardized cryptography methods, finding security vulnerabilities is far easier, as compared to finding them in proprietary cryptography methods.

Incorporating off-the-shelf, potentially vulnerable cryptography technology into a healthcare IoT device platform is not necessarily a great idea either. Many vendors of open technologies have a less-than-stellar reputation for promptly addressing security vulnerabilities.

Robust Cryptography is Necessary for Healthcare IoT Devices

Infrastructure security loopholes aside, the Pacemaker Ecosystem has been criticised for failing to leverage adequate encryption for data security.

Whilst governments around the world are moving toward restricting the strength of consumer-grade encryption in favor of national security, there can be no valid reason for vendors not to apply strong encryption to data and networks involved in maintaining a patient’s cardio functionality.

However, the Pacemaker Ecosystem failed to use top grade encryption, and furthermore, can potentially leak unencrypted data due to security vulnerabilities introduced by third-party vendor technologies involved.

Multiple Points of Failure

The security testing and subsequent failure of the Pacemaker Ecosystem was dramatic due to the sheer volume of potential security vulnerabilities uncovered. Across the entire software platform, over 8,000 potential security vulnerabilities were found in standard library functions alone. It was also found that certain private patient data was being stored in an entirely unencrypted fashion.

Although the concept of IoT-enabled medical devices promises great value propositions, the road to developing secure and reliable devices is going to be a long one, with many challenges to overcome. As such, strong encryption is the most basic security requirement, not an optional extra.

WannaCry? Meet the Biggest Ever Ransomware Attack in History!

The biggest global ransomware cyberattack on record has impacted over 130,000 individual computers across over 100 countries in just 48 hours. That figure is an estimate as of Saturday midnight May 13, and will certainly increase over the next few days as more victims are identified.

So What Exactly Happened?

Victims see a ransom demand on their screens, stating that their data has been encrypted. The criminals demand $300 in Bitcoin to unlock the data. This price increases to $600 within a few hours if the ransom is not paid. The attacks utilize malware – a worm called Wanna Decryptor (a.k.a. WannaCry). It infects the device of a user who has been tempted to open an email attachment and thereby unknowingly installs the virus. The malware encrypts the hard drive and searches for other potential target systems on the network to spread itself. Once inside an organization, it exploits a known vulnerability in the Windows OS that pertains to document sharing with other users on a network. Defense mechanisms to protect against harmful document sharing between trusted users within a network are usually less stringent. These loopholes combined to deliver the biggest ever ransomware attack in history.

A happy accident temporarily halted the spread of the infection when a UK security analyst discovered what amounts to a ‘stop button’ or so-called kill switch.

Who has been targeted?

The malware targets Windows systems that are not up to date or older versions of Windows that Microsoft no longer supports. For example, Windows XP was released in October 2001 and officially withdrawn from service more than 12 years later, in 2014. However, some organizations chose not to purchase a newer version of Windows and saved on the licensing costs, only to risk security attacks like the latest ransomware incident. Other large organizations, such as the UK’s National Health Service, paid Microsoft to continue supporting XP for them. However, the UK government decided to halt that spend in 2015, leaving the health care system vulnerable to the type of attack that occurred. The organization was unable to access sensitive patient data, critical planned surgeries and procedures had to be cancelled, and hospitals had to shut down some units.

In general, government, university and health care networks using outdated Windows OS versions are likely to be hit the hardest.

What options do victims have?

There are only 3 options:

  • Pay the ransom
  • Restore the data from a recent backup – if one exists
  • Live without the data

In any event, users should work to apply the recommended security patches immediately. It is inevitable that the criminals will change their attack mechanisms and remove the temporary kill-switch capability, and then there are likely to be a number of copycat attacks using the same vulnerability in different ways.

Is the NSA at fault for this?

Not entirely. The NSA apparently did discover the vulnerability some time ago. They then weaponized it for their own use by building software code that exploited the vulnerability. The hacker group known as TheShadowBrokers made this code public amongst some of the NSA’s digital espionage toolkit as part of their exposure of NSA hacking tools. Reports indicate that the hackers behind this week’s attack simply did a copy and paste of that code into their worm. Microsoft did in fact release a security patch to fix the vulnerability in March. However, not all users were aware of the vulnerability or the patch, or they chose to run potentially vulnerable systems instead. The debate continues as to whether the NSA should alert software vendors regarding vulnerabilities that they uncover, rather than keeping the knowledge to themselves for surveillance purposes.

What can we do to help protect against ransomware attacks?

The least you can do is to keep your software updated, at all times. The next level of defense is the human element – Internet users should never click on email attachments unless they are absolutely certain that the files are coming from genuine, legitimate and known senders. These measures alone will suffice to curtail the majority of ransomware attacks coming your way.

The WannaCry worm will potentially reappear in different guises over the coming days and weeks. The best advice is to take action now to protect your devices.

Hackers Can’t Hide Forever… Even the Allies of Powerful Russian Politicians

The 32-year-old son of a Russian parliamentarian and an ally of Vladimir Putin has been sentenced to 27 years in prison by the U.S. government for causing damages worth $169 million. Roman Seleznev, known as “Track2” in the cybercrime underworld, was described as a “pioneer” of credit card data theft. His modus operandi was hacking point-of-sale systems to steal credit card data. Not only did he drive several U.S. firms to bankruptcy, but he also established an entire market for stolen credit card information.

Hackers are now going to prison for 20-30 year stretches. The number of hackers being successfully prosecuted and receiving prison sentences has grown in recent years. In the murky mix of state-sponsored hacktivism and criminality, authorities in Russia and China have assisted the US in capturing hackers. The criminal hacker who stole a vast amount of customer data from JPMorgan Chase was arrested with the assistance of Russian intelligence in December. He had been hiding out in Moscow. Chinese authorities arrested hackers in connection with the theft of records on a staggering 22 million U.S. federal employees. This is just a small sample of successful captures.

The growing issue of cybercrime

The reality is that cybercrime does pay and is difficult to defend against. Law enforcement resources are overstretched and hackers are getting away with it. Even though more criminals are being apprehended, that number is most likely being dwarfed by a greatly increasing cybercrime wave. It is reasonable to assume that the ratio of incidents to arrests is growing larger by the year.

The statistics on cybercrime are frightening. Approximately half of all reported security breaches are caused by hostiles, with the remainder due to system or human error. The cost of a data security breach is estimated at $4 million on average. Actors in the cybercrime underworld can be categorized into four distinct groupings: pranksters, super-criminals, hacktivists and nation-state attackers.

Detection and prosecution of the criminal elements are restricted by the global reach of the Internet. The law enforcement agencies of nation states already have a full case load of local crime issues without the added difficulty of seeking cross-border cooperation. Also, the skills required to pursue hackers are still in relatively short supply within law enforcement agencies.

Stay clean, stay safe

Young people, especially those who possess the necessary technical skills, can be easily seduced by the seemingly easy pickings. Criminal activities can be launched from their own bedroom these days – what the FBI calls “criminal computer intrusion”. Phishing, fraud, ransomware are all on the rise. Often the perpetrators are 18 and 19 year olds.

For regular law abiding citizens or “netizens”, it pays to utilize a heightened sense of awareness online. Scams and get rich quick schemes abound. The old adage of “if it looks too good to be true, then it probably is” certainly holds true more often now than it ever did before.

Simple precautions include never clicking on email attachments from a source you do not know or completely trust, and not using the same password for every online account (an extremely common security weakness, apparently).

The cavalry will not come over the hill

For companies and individuals, it is important to realize that every device with the capability to access the Internet can also be accessed from the Internet. This means that hackers can infiltrate equipment, systems and confidential information. The authorities can only do so much, and it is not their responsibility to come to the rescue of every person or company that has been attacked and suffered a data security breach.

Microsoft Word 0-Day Exploit – and the State Sponsored Hacktivism Behind It

A zero-day vulnerability is a flaw that hackers can exploit on the same day it’s identified, leaving zero days of warning for the unaware, unsuspecting victims. In the case of the Microsoft Word zero-day vulnerability, hackers had known about it since at least Nov 2016. Forensics have detected traces linked to attacks on Russian targets in addition to the mundane cybercriminal attacks that surfaced recently. A UK company that sells spyware systems to governments was named as the supplier, suggesting potentially state sponsored hacktivism in action.

The vulnerability affects almost every version of Microsoft Office out there. It was found in the Encapsulated PostScript (EPS) graphics filter functionality. Victims were emailed a Word document that bypassed the standard warning about enabling macros. The document then fetched a malicious payload from a remote server, an RTF file disguised as a Word document, to infect targeted systems. The external content was not accessed until users said OK to the standard warning about remote content. You can read more details in the Microsoft announcement of the security patch and their advice not to switch on that particular filter. The Sophos site describes the mechanics of the exploit. This article claims that three groups were exploiting the vulnerability prior to its discovery.

The Upsurge in State-Sponsored Hacktivism

State sponsored hacktivism is nothing new. Many observers believe that the Russian group Fancy Bear is attached to Russian military intelligence. The recent embarrassing public dumps of the NSA hacking tools appear to indicate a similar role for them. Some recent suspected state sponsored hacktivism targets included the UK Brexit referendum and the US presidential election.

Governments are increasingly harnessing hired-in hacking skills as a weapon, both against internal dissidents and external states. It’s obvious why – low cost, very difficult to detect when done successfully, even more difficult to trace and next to impossible to find proof and pin blame with any degree of certainty. It’s also not thought of as being in the same destructive category as dropping bombs or invading countries. Russia and China have been in the headlines recently as prime suspects. No doubt western allies have been active too. The incidence will increase, not go away. Government funding attracts hacking groups to offer their services and the advantage is all too often with the attacker.

Will State Hacktivism Affect the Average Business?

Yes and no. It’s no secret that governments collect and store all digital phone calls, for example, and endeavor to do the same with email. Innocent personal communications are in the mix but it’s difficult to perceive any sense of threat for law abiding citizens. However, this touches on the great privacy debate and the balancing act between a state protecting its citizens and prying too deeply into personal lives. It is not going to go away.

The age-old advice about not opening email attachments still holds strong. If you’re not aware of the sender’s true identity, you must not click unsolicited links or download attachments, no matter how innocent or attractive they may seem.

This attack depended on users ignoring the standard Microsoft warning that some content is on external servers. Users should pay heed to warnings like that, and stop to think for a moment before proceeding.

An anti-virus system with real-time scanning will detect and block many attacks, although not all.

You can find more advice here.

What Happens When a Smart City Gets Hacked?

It was only recently that a major hack took place that targeted Internet infrastructure in the US with one of the largest DDoS attacks ever recorded. The root cause was tracked back to overlooked security vulnerabilities in hundreds of thousands of compromised connected video cameras. Similar IoT-enabled cameras and sensors are driving forward the Smart City initiative, which depends on these devices to manage the entire city’s infrastructure and assets. Essentially, this dependency suggests that even the smallest of security weak points within the Smart City infrastructure can escalate security exploitation to unimaginable and uncontrollable levels.

Is a Smart City a Dumb Idea?

Just think about it for a moment. If we take the concept of a Smart City to its goal, we have a very real potential for catastrophe if security vulnerabilities exist within the technology used.

Consider for a moment that a) by 2050 it is predicted that over 66% of the world population will live in an urban area and that b) smart technology is going to be the only way to manage these huge urban populations.

Smart cities are not simply a pipe dream, musing on the potential of creating a digital utopia. They are going to be a fixed requirement for the changing shape of the global population. In effect, they are an unavoidable byproduct of the steady shift towards global urbanization.

So, what are the implications of a Smart City being hacked? In a worst-case scenario, we have death and mayhem. At the other end of the scale, we have day to day life for residents interrupted and hindered.

A Public Exposed to Harm Through Bad Technology

Currently, most successful hacks target the network infrastructure that is responsible for carrying data. So, if one is successful, we might lose access to our favorite website or TV channel for a while. An annoyance, but hardly life threatening.

Now fast forward to a time when smart cities are helping to ease traffic by routing and possibly driving our smart cars. When emergency services and law enforcement are centrally controlled and managed via smart technology. When public transport is scheduled and managed using tech. And when everything down to booking a tennis court at the local community center is the responsibility of the technology running the smart city.

Hackers, for almost the very first time, can start getting physical in their attacks. These could be relatively harmless attacks, such as block booking that tennis court for the next 100 years. But they could also be life threatening if they gain the ability to begin rerouting traffic whilst sending the emergency services elsewhere on a wild goose chase.

Smart cities are fast becoming a reality. However, the technology we are using to build these digital urban playgrounds is far from being secure. There is a clear and present danger in rolling out smart city deployments before the standardization of IoT device security is first specified, and then adhered to by every manufacturer.

Top NSA Spying Tools Leaked, Auctioned Online for $500 Million

It’s 3 months since some of the NSA’s top-secret hacking tools were dumped for public inspection by person or persons unknown. Various commentators and experts voiced theories about the motive and perpetrator. People such as Edward Snowden and security experts pointed fingers at Russia almost immediately. The picture of the event has changed somewhat in the intervening period and the salient facts have been re-examined in a different light:

  • The suggested price for the remainder of the cache at $568 million was way too high to be credible. This indicated the likelihood of a simple publicity stunt rather than a serious attempt to obtain money.
  • Some of the tools were zero-day exploits (tools that take advantage of unreported vulnerabilities) and could have fetched over $100,000 each on the black market instead of being given away for free. That would have been the obvious route to take if money were the objective.
  • The timestamps indicated that the material was 3 years old. Although its authenticity has been corroborated, why keep it under wraps for that long?
  • The FBI, who are leading the investigation, now say they believe it was accidentally exposed by an NSA employee or subcontractor and subsequently discovered by the perpetrator.

So the infamous hack looks like it was not a hack at all. The most likely explanation is that the act was a veiled threat by Russia to lay off further actions against it over the much-publicized hacks of several Democratic Party organizations. The implication being that the network serving up the malware could be identified, which could severely embarrass the US should they be linked to actions against allies.

Probably the most shocking aspect of the entire affair is the realization that the NSA “good guys” are happy to uncover vulnerabilities but not inform the equipment manufacturer. Just like any black hat hackers, they utilize the information to develop exploits. The most infamous exploit attributed to that group.

The target equipment is major league serious network components used in government networks, large corporations and their like – routers and firewalls manufactured by major American and Chinese vendors such as Cisco, Juniper Networks, and Fortinet. Seemingly the material consisted of exploits (tools), command-and-control server configurations and installation scripts. This is substantially different from the more commonplace malware site drive-by infection that dumps criminalware on the computers of unsuspecting visitors. Some sources believe that the exploits, numbering about ten apparently, were supplied to the NSA by a cyber espionage organization called the Equation Group, who were also linked to the computer worm Stuxnet.

It is not only the NSA that has suffered a significant credibility setback. One can only imagine the reactions of the top brass at the equipment manufacturers that were affected. In the highly competitive world of international network equipment, the perception of buying a totally secure network is paramount. Suddenly, a Cisco salesman or OEM may be asked whether the equipment can be guaranteed to be completely secure, or whether the US Government effectively holds the keys to a back door.

Spotify Free Users Beware: Infected Ads Serve Malware, May Hold Your Computer Hostage

Why is a well-known exploit kit that hit the headlines back in 2010 still just as deadly as we head into 2017? Spotify users were the latest victims of the Blackhole Exploit Kit. The ads that pay for the free version of Spotify are delivered by third-party ad servers, as are the majority of online ads these days. One of the ads redirected users to a malware infection website, where the exploit kit was activated to infect their Windows computers.

Exploit kits are software toolkits installed on web servers. Their scripts probe the browser and the software installed on the visiting computer for exploitable vulnerabilities, then serve an exploit matched to whatever they find. Users do not even have to click on the infected ad: it is enough for the ad’s code to be loaded in the user’s browser. Exploit kits are typically classified as criminalware and are mostly targeted at Windows users and platforms. The objective is to download any of a whole range of malware agents, from key loggers to online banking Trojans. The best defense against this type of attack is to keep the browser, its plugins and the operating system patched, so that the kit finds nothing to exploit, and to keep anti-malware software up to date as a second line of defense.

Assuming that the bulk of tech-savvy online users do just that, there is a very obvious reason why the criminals behind the Spotify attack invested time and (presumably) money in setting up the malicious ad. There is a large number of users who do not understand the nature of the hostile online world and are blissfully unaware of the critical need for security software and updates on their devices. That is why what should be a relatively obscure exploit kit from seven years ago is still worth persisting with today.

So how exactly do these exploit kits work?

First of all, it is important to realize that the majority of malware sites are regular, legitimate sites that have been hacked and infected. That makes it impossible for you or anybody else to know they are on a “bad” site without a security tool that raises an instant alert. Exploit kits very quickly test a user’s complete environment: OS, browser version, installed applications and plugins, and security settings. The whole operation of discovering a vulnerability and downloading the malware payload takes less than a second. This article explains the infection process very well.

There are many exploit kits available to purchase. Perhaps the most worrying category is the zero-day kits. Browser and application vendors are constantly watching and testing for potential vulnerabilities, but a zero-day exploit targets a flaw the vendor has not yet fixed, so it is usable immediately, hence the “zero” in the name. Even once a patch is released there is an inevitable delay between warning users about the risk and those users actually applying it, so hackers can keep deploying the exploit long after the fix exists and long before a segment of the user community gets around to patching.

If you want to delve deeper into the technology and ever-evolving incarnations of exploit kits, visit malware-traffic-analysis.net, where Brad Duncan maintains a blog that records new discoveries on an almost daily basis. The blog of the commercial protection vendor Malwarebytes provides a less technical, more high-level discussion of current exploits, trends and observations.