Zero-Day Drive-By Attacks: Accelerating & Expanding

The zero-day attack business is no longer just about money, and patching is no longer the best defense.
A successful drive-by shooting requires planning, timing, effective weapons and a quick exit (or so I’m told by friends who play Grand Theft Auto). In the cybersphere, zero-day drive-by attacks succeed based on the same criteria, but unfortunately the fast escape is rarely required.
Exploit packs are the core commodity that facilitates drive-by attacks for global cyber criminals. Since 2005, when Mpack was first released, over 100 individually marketed exploit packs -- with names like Black Hole, Neutrino, and Sweet Orange -- have been sold to leverage the World Wide Web and to exploit victims’ computers. The exploit pack itself is literally a bundle of exploits for known vulnerable software neatly packaged with an administrative web interface. Exploit packs are purchased in the criminal underground and installed on web servers where the owners periodically check their instance’s drive-by efficacy.
Once an exploit pack is installed, an attacker must push victim web traffic to the exploit pack site. These days there are numerous methods to compromise web pages and redirect unsuspecting visitors. Top 10 Google search results (via thousands of newly generated and linked blogs), advertising and content delivery networks, popular blogs, and even large news sites are regularly compromised. One second a victim is reading the news and the next his/her system is seamlessly redirected and probed for software vulnerabilities.
That’s where it starts. The applications we all use and love (think Adobe Reader, Oracle’s Java, Microsoft Office, and all four of the major web browsers) must be constantly updated. When these applications aren’t patched, drive-by exploitation happens instantly and some hideous piece of malicious code (adware, malware, crimeware, ransomware) ends up on a victim’s computer. Drive-by attacks really are insidious because they require only that victims browse the web and criminals are only too happy to abuse the landscape where millions of potential victims roam.
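The redirect chain described in the two paragraphs above (news site, then an intermediary such as an ad network, then a landing page that serves Java or PDF content to probe the browser) leaves a trace in web proxy logs that a defender can look for. The following is an added example, not code from the article: it reconstructs per-client referer chains from a handful of constructed proxy log lines and flags any chain that starts at a trusted site and, within a few seconds, ends at an untrusted domain serving a content type commonly used as an exploit carrier. The log format, the trusted-domain list and the time window are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log lines (not real traffic). Assumed space-separated format:
#   timestamp client referer requested_url content_type   ("-" = no referer)
SAMPLE_LOG = """\
2013-05-01T10:00:01 10.0.0.5 - http://news.example.com/story/123 text/html
2013-05-01T10:00:02 10.0.0.5 http://news.example.com/story/123 http://ads.example.net/serve?id=9 text/javascript
2013-05-01T10:00:03 10.0.0.5 http://ads.example.net/serve?id=9 http://qzx4-landing.example.org/index.php text/html
2013-05-01T10:00:04 10.0.0.5 http://qzx4-landing.example.org/index.php http://qzx4-landing.example.org/pack.jar application/java-archive
2013-05-01T10:00:05 10.0.0.5 http://qzx4-landing.example.org/index.php http://qzx4-landing.example.org/doc.pdf application/pdf
2013-05-01T10:05:00 10.0.0.7 - http://news.example.com/story/123 text/html
2013-05-01T10:05:01 10.0.0.7 http://news.example.com/story/123 http://static.example.com/style.css text/css
"""

# Assumed allowlist of sites the organisation considers legitimate origins.
TRUSTED_DOMAINS = {"news.example.com", "static.example.com"}
# Content types that commonly carry plugin/reader exploits in drive-by landings.
EXPLOIT_CARRIER_TYPES = {
    "application/java-archive",
    "application/pdf",
    "application/x-shockwave-flash",
}
# A drive-by redirect chain completes in seconds; assumed window for the example.
WINDOW = timedelta(seconds=10)


def parse_log(text):
    """Parse the constructed log format into a list of request dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, referer, url, ctype = line.split()
        entries.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "referer": referer,
            "url": url,
            "ctype": ctype,
        })
    return entries


def host_of(url):
    return urlparse(url).hostname or ""


def find_drive_by_chains(entries, trusted=TRUSTED_DOMAINS,
                         carrier_types=EXPLOIT_CARRIER_TYPES, window=WINDOW):
    """Return (client, [host, host, ...]) for every carrier download whose
    referer chain leads back to a trusted site within the time window."""
    by_client = defaultdict(list)
    for e in entries:
        by_client[e["client"]].append(e)

    findings = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda e: e["time"])
        # First request seen for each URL, so a referer can be resolved to a hop.
        first_seen = {}
        for e in reqs:
            first_seen.setdefault(e["url"], e)

        for e in reqs:
            # Only untrusted domains serving an exploit-carrier type are candidates.
            if e["ctype"] not in carrier_types or host_of(e["url"]) in trusted:
                continue
            # Walk the referer chain backwards to find where the visit began.
            chain = [e]
            ref = e["referer"]
            while ref != "-" and ref in first_seen and len(chain) < 10:
                prev = first_seen[ref]
                if any(prev is seen for seen in chain):
                    break  # cycle guard
                chain.append(prev)
                ref = prev["referer"]
            origin = chain[-1]
            if (host_of(origin["url"]) in trusted
                    and e["time"] - origin["time"] <= window):
                findings.append((client, [host_of(x["url"]) for x in reversed(chain)]))
    return findings


if __name__ == "__main__":
    for client, hops in find_drive_by_chains(parse_log(SAMPLE_LOG)):
        print(client, " -> ".join(hops))
```

On the constructed lines, client 10.0.0.5 is flagged twice (once for the .jar, once for the .pdf), each time with the chain news.example.com -> ads.example.net -> qzx4-landing.example.org, while 10.0.0.7, which only loaded a stylesheet from the same news story, is not. The referer walk is the part worth keeping: a single request for a .jar from an unknown host is noisy on its own, but the same request reached within seconds from a site the user trusts is the shape of a drive-by.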
As a result, demand for new and improved exploit packs is constantly expanding. Exploit pack authors are forced to update their crimeware services with new exploits as soon as new software vulnerabilities are announced, or risk losing hard-earned criminal market share to an obsolete product. So, like any profitable software company, authors write an exploit once (or copy it from the helpful Internet), update the exploit pack, license it on a per-server basis, and continue to watch the e-currency stack up.
Unfortunately, the drive-by business is no longer just about money. It turns out that hard-working 9-5 nation state actors are already receiving a paycheck with a government insignia on it. These men and women are concerned with political intelligence gathering and intellectual property theft for the purpose of competitive advantage on a grand scale.
It didn’t take long for these nation state actors to realize that they could improve upon well established and successful criminal attack vectors. The original derivative work was spear-phishing. This turned mass market criminal phishing attacks - sent without regard to the recipient’s identity - into highly targeted emails sent to extensively researched individuals. Naturally these emails include attachments or links relevant to the target victim in order to entice them to act. This technique was (and continues to be) incredibly effective on all kinds of government and industry verticals.
After years of successful network compromises and data exfiltration with spear-phishing, these foreign government employees decided to add another strategy to the playbook: the watering-hole attack.