Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

4/21/2015
10:00 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Zero-Day Malvertising Attack Went Undetected For Two Months

Researchers at Malwarebytes tracked stealthy attack campaign that infected some major websites with malicious ads harboring ransomware.

RSA CONFERENCE -- San Francisco -- Cybercriminals deployed an Adobe Flash Player zero-day exploit embedded in online ads for close to two months in an attack that targeted US users with a ransomware payload, researchers said here today.

The use-after-free vulnerability, CVE 2015-0313, was patched by Adobe on Feb. 2, and the day after, the attack campaign came to a screeching halt, according to researchers at Malwarebytes, which traced the zero-day's lifecycle after their systems detected the attacks in December of last year. The attackers injected the malware-ridden ads on the websites of Dailymotion, Huffington Post, answers.com, New York Daily News, HowToGeek.com, tagged.com, as well as a handful of other sites.

"A zero-day was under everybody's nose for two months on top websites," says Pedro Bustamante, director of special projects for Malwarebytes.

Bustamante says the researchers had never before seen a malvertising campaign like this one. The attackers used a popular advertising network, which Malwarebytes did not name but said is ranked as the number one such network by Comscore.

Malwarebytes doesn't have a head count of victims hit with the ransomware, but traffic to the infected sites reached over 1 billion in February of this year. Not all of those victims obviously were infected--although they would not have to click on the infected ad to get infected, they had to meet the demographics the attackers were looking for, which were US consumers behind residential IP addresses.

Each of the affected websites ran the malicious ads for an average of two days, and Malwarebytes in its research traced back its first detection and blocking of the zero-day exploit on Dec. 10, 2014.

The attackers used the HanJuan exploit kit, which was hosted on rotating domains to evade detection. It drops CryptoWall ransomware for click fraud purposes.

The attackers appear to be "a highly professional operation" given the use of an 0day for months on high-profile sites, Jerome Segura, senior security researcher at Malwarebytes wrote in a report on the attacks. "All in all, this zero-day threat underlines how the threat from exploits delivered through malvertising is one that should be taken much more seriously," he said.

A recent study conducted by the Association of National Advertisers and WhiteOps tracked online ad traffic patterns for 36 major companies and discovered that advertisers are losing $6.3 billion to $10 billion per year in ad fraud.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SgS125
50%
50%
SgS125,
User Rank: Ninja
4/22/2015 | 10:23:03 AM
So all the way to day 2 at RSA before anything to write about?

Wondered how far the value of the RSA conference  had fallen.

Thanks for reinforcing my decision to never go again.  I had trouble finding anything of value last year and it seems that the content has gone to an even lower standard.  I guesss last Decembers news is good enough for the RSA crowd.

 

Maybe they got a few people to attend the guy who gets kicked off the United flight speech.

 

Hang in there only a few more hours till cocktail time in Frisco where the real RSA action happens.

RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/22/2015 | 8:46:14 AM
Hiding in plain site
It's amazing how the malvertising attacks were injected in ads hosted by such well known websites. Many I would have considered reputable and trustworthy. Its scary to see that these things are hiding in such widely trafficked areas.

I remember reading an article stating that ad space is difficult to lock down as everyone, not only people with genuine need, can buy ad space.
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
4/22/2015 | 7:12:27 AM
Scary
Ransomware creeps me out. Even though I have multiple back ups of my important files, folders and images, I really would rather the people that put the software together just stole money from my bank account. I can always earn that back, but personal files and images are totally irreplaceable. 

It's a great reason for people to make sure their files are well protected. 
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31414
PUBLISHED: 2021-04-16
The unofficial vscode-rpm-spec extension before 0.3.2 for Visual Studio Code allows remote code execution via a crafted workspace configuration.
CVE-2021-26073
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or ...
CVE-2021-26074
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a se...
CVE-2018-19942
PUBLISHED: 2021-04-16
A cross-site scripting (XSS) vulnerability has been reported to affect earlier versions of File Station. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 build 20210202 (and later) QT...
CVE-2021-27691
PUBLISHED: 2021-04-16
Command Injection in Tenda G0 routers with firmware versions v15.11.0.6(9039)_CN and v15.11.0.5(5876)_CN , and Tenda G1 and G3 routers with firmware versions v15.11.0.17(9502)_CN or v15.11.0.16(9024)_CN allows remote attackers to execute arbitrary OS commands via a crafted action/setDebugCfg request...