Attacks/Breaches

Microsoft Silverlight Exploit Kit Attacks Spike

While crimeware authors continue gunning for outdated plug-ins, researchers report that businesses are finding and stopping related intrusions more quickly.

Beware a surge in attacks that target outdated versions of the Microsoft Silverlight plug-in.

That warning was issued Monday by Cisco, which has traced a recent surge in attacks targeting Microsoft Silverlight vulnerabilities to Angler, among other exploit kits. Oftentimes, these exploits are delivered via "malvertising," when attackers manage to sneak malicious code into ads displayed by otherwise legitimate advertising networks.

"Silverlight exploits are the drive-by flavor of the month," said Cisco information security researcher Levi Gundert in a blog post, noting that a related spike in attacks began April 23. "In this particular Angler campaign, the attack is more specifically targeted at Flash and Silverlight vulnerabilities, and though Java is available and an included reference in the original attack landing pages, it's never triggered."

According to Gundert, attackers are successfully compromising a large number of outdated and vulnerable versions of Silverlight. "Unfortunately, we observe extensive global DNS requests for the Angler landing pages, indicating that this campaign is largely succeeding... due to [each victim's] failure to upgrade their system's applications."

Silverlight, which offers Flash-like functionality, was ignored by exploit kit writers prior to last year, according to a security report published Wednesday by Trustwave. But then two different flaws -- CVE-2013-0074 and CVE-2013-3896 -- drew attackers' attention.

"Trustwave did not see evidence of any Silverlight vulnerabilities in exploit kits until these two flaws were coupled together and integrated into virtually all active exploit kits in 2013," according to the report. "Within a month, Silverlight became the most popular target for exploitation. To make matters worse, integrating this exploit into a kit was so simple that developers could use the same .dll file across all versions. They merely added their own methods of obfuscation and evasion to the code."

Silverlight, of course, isn't the only plug-in to be targeted by attackers, nor is Angler the most pervasive crimeware kit, according to Trustwave's report, which is based on almost 700 breach investigations conducted by the firm in 2013, as well as threat intelligence data gathered by the company's networking products.

But plug-ins remain potent enterprise security weak points. In 2013, 85% of the breaches investigated by Trustwave involved exploits of third-party plug-ins such as Java, Adobe Flash, Adobe Acrobat and Reader, and Microsoft Silverlight.

Throughout 2013, most of these malware-based exploits traced to the Blackhole crimeware kit, which accounted for 49% of all exploit-kit-based attacks -- at least prior to Russian police busting botnet mastermind "Paunch" in October. "The arrest of its creator and a lack of updates to the kit spurred a 15% decline in Blackhole's prevalence," according to Trustwave's report. "We expect the second-most prevalent exploit kit, Magnitude at 31%, to fill the gap." Other popular exploit kits include Cool and Redkit (each 6%), while 8% of crimeware traffic collectively traced to Angler, BleedingLife, DotkaChef, Eleonore, Gondad, Neutrino, and SofosFO.

Trustwave's study also offers further details about how many businesses are being compromised. Nearly one-third of all 2013 breaches investigated by Trustwave, for example, involved attackers being able to compromise weak passwords. SQL injection (8% of attacks) and phishing (6%) were also potent exploit vectors.

One hopeful finding from Trustwave's study is that within 10 days of a breach being discovered, two-thirds of organizations were able to contain it. Furthermore, 71% of organizations were able to contain a breach within six months, up from 56% in 2012.

Most businesses, however, still don't know if or when they've been breached. In only 29% of the breaches investigated by Trustwave, for example, did the business discover the breach itself. Everyone else was informed by a third party: regulators, card brands, or merchant banks (in 60% of cases); another third party (7%); the public (3%); or a law enforcement agency (3%).

It's important for organizations to self-detect breaches, because it affects response time. "For organizations that do self-detect, they detect quicker and they contain a data breach quicker," said John Yeo, a director at Trustwave, in a phone interview.

Indeed, organizations that self-detected a breach spotted it an average of 32 days after it occurred, compared with 108 days for organizations that learned about the breach from a third party. Similarly, organizations that self-detected took just one day -- on average -- to contain the breach, compared with fourteen days for others.

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6149
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version 2.2.2.0 that could allow a malicious user with local access to execute code with administrative privileges.
CVE-2018-15509
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
CVE-2018-20806
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
CVE-2019-5616
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
CVE-2018-17882
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.