Through the malicious use of email, file attachments, websites, and other tools, attackers transmit their cyberweapons to targets.
Disappearance of Major Exploit Kits Presents Opportunities for Smaller Players and New Entrants
2016 saw dramatic changes in the exploit kit environment. At the start of the year, Angler, Nuclear, Neutrino, and RIG were clear leaders among exploit kits. By November, RIG was the only one from that group still active. As Figure 10 shows, exploit kit activity dropped off significantly around June.
Nuclear was the first to disappear, suddenly ceasing operation in May. Why its authors abandoned it is a mystery. The Neutrino exploit kit, which also left the scene in 2016, relied on Flash files to deliver its exploits. (See Figure 11 for a list of the top vulnerabilities targeted by known exploit kits in 2016.)
Flash remains an attractive web attack vector for adversaries, but it is likely to become less so over time. Fewer sites and browsers are supporting Flash fully or at all, and there is generally greater awareness about Flash vulnerabilities. (For more on this topic, see “Web Attack Vectors: Flash Is Fading, but Users Must Remain Vigilant,” on page 15.)
A Giant Goes Silent
Angler, the most advanced and largest of the known exploit kits, also targeted Flash vulnerabilities and was linked to several high-profile malvertising and ransomware campaigns. Unlike the disappearances of Nuclear and Neutrino, however, Angler’s departure in 2016 is not a mystery.
In late spring, about 50 hackers and cybercriminals were arrested in Russia; the group was linked to the Lurk malware, a banking Trojan that specifically targeted Russian banks.¹⁰ Cisco threat researchers identified clear connections between Lurk and Angler, including the fact that Lurk was being delivered largely through Angler to victims inside Russia. Following the arrests, Angler vanished from the exploit kit marketplace.¹¹
Now that three of the most dominant exploit kits have cleared the field, smaller players and new entrants can expand their market share. And they are becoming more sophisticated and agile. Exploit kits that appeared poised for growth in late 2016 were Sundown, Sweet Orange, and Magnitude. These kits, as well as RIG, are known to target Flash, Silverlight, and Microsoft Internet Explorer vulnerabilities. (See Figure 11.) Uninstalling Flash, and disabling or removing unnecessary browser plugins, will help users reduce the risk that they will be compromised by these threats.
Malvertising: Adversaries Use Brokers to Increase Speed and Agility
Users are directed to exploit kits in two primary ways: compromised websites and malvertising. Adversaries will place a link to an exploit kit landing page into a malicious ad or a compromised website, or they will use an intermediate link, known as a broker. (These links, positioned between compromised websites and exploit kit servers, are also referred to as “gates.”) The broker serves as an intermediary between the initial redirection and the actual exploit kit that delivers the malware payload to users.
The latter tactic is becoming more popular as attackers find they must move faster to maintain their operational space and evade detection. Brokers allow adversaries to switch quickly from one malicious server to another without changing the initial redirection. Because they don’t need to constantly modify websites or malicious ads to start the infection chain, exploit kit operators can carry out longer campaigns.
ShadowGate: A Cost-Effective Campaign
As it becomes more difficult to compromise large numbers of users through traditional web attack vectors alone (see page 15), adversaries are relying more on malvertising to expose users to exploit kits. Our threat researchers dubbed a recent global malvertising campaign “ShadowGate.” This campaign illustrates how malicious ads are providing adversaries with more flexibility and opportunity to target users across geographic regions at scale.
ShadowGate involved websites ranging from popular culture to retail to pornography to news. It potentially affected millions of users in North America, Europe, Asia-Pacific, and the Middle East. The campaign’s global reach and use of many languages are noteworthy.
ShadowGate, which used domain shadowing, was first seen in early 2015. It would go quiet at times and then randomly start up again to direct traffic to exploit kit landing pages. Initially, ShadowGate was used to direct users to the Angler exploit kit only. But after Angler disappeared in the summer of 2016, users were directed to the Neutrino exploit kit, until that vanished as well a few months later. (For more on this story, see “Disappearance of Major Exploit Kits Presents Opportunities for Smaller Players and New Entrants,” on page 20.)
Even though ShadowGate saw a high volume of web traffic, only a tiny fraction of interactions led to a user being directed to an exploit kit. The malicious ads were mostly impressions—ads that render on the page and require no user interaction. This online advertising model allowed the actors responsible for ShadowGate to operate their campaign more cost-effectively.
Our research into ShadowGate led to a joint effort with a major web hosting company. We worked together to mitigate the threat by reclaiming registrant accounts that adversaries had used to host the activity. We then took down all applicable subdomains.
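Domain shadowing, the technique ShadowGate relied on, means using a stolen registrant account to create many throwaway subdomains under a legitimate domain and pointing each one at attacker infrastructure for a short time. The script below is an added example, not code from the report or from Talos: it scores parent domains in a DNS query log by how many random-looking, short-lived subdomains appear under them, which is the pattern a defender would look for before reclaiming the account and taking the subdomains down. The log lines, thresholds, and the two-label approximation of the registrable domain are all assumptions made for this example.

```python
"""Flag candidate domain-shadowing activity in DNS query logs (added example).

Domain shadowing: an attacker with a stolen registrant account creates many
throwaway subdomains under a legitimate domain and points each one at
attacker infrastructure for a short time.  The heuristic below scores each
parent domain by how many of its subdomains are both random-looking and
short-lived.  Thresholds and the sample log are assumptions for this example.
"""
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one query per line: "<ISO timestamp> <client> <qname>"
SAMPLE_LOG = """\
2016-09-01T10:00:01 10.0.0.5 www.example-news.com
2016-09-01T10:00:03 10.0.0.7 www.example-news.com
2016-09-01T10:05:00 10.0.0.5 k3j9x2.example-news.com
2016-09-01T10:06:10 10.0.0.9 k3j9x2.example-news.com
2016-09-01T11:30:00 10.0.0.5 q7z1ma.example-news.com
2016-09-01T11:31:00 10.0.0.8 q7z1ma.example-news.com
2016-09-01T13:00:00 10.0.0.6 b8r4ty.example-news.com
2016-09-01T15:00:00 10.0.0.5 p0wn6c.example-news.com
2016-09-01T16:00:00 10.0.0.7 x2vd9m.example-news.com
2016-09-01T10:00:02 10.0.0.5 www.retailer-example.com
2016-09-01T12:00:02 10.0.0.6 shop.retailer-example.com
2016-09-02T09:00:00 10.0.0.6 shop.retailer-example.com
2016-09-02T09:30:00 10.0.0.5 www.retailer-example.com
"""

MAX_LIFETIME_HOURS = 24   # a shadow subdomain is typically used only briefly
MIN_ENTROPY = 2.5         # bits per character; "www", "shop", "mail" fall well below
MIN_SUSPICIOUS = 3        # suspicious subdomains needed before a parent is reported


def parent_domain(qname):
    """Registrable domain, approximated as the last two labels.
    Assumption: a production tool would use the Public Suffix List so that
    names under co.uk and similar suffixes are split correctly."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def label_entropy(label):
    """Shannon entropy of the characters in a label, in bits per character."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label):
    """Random-looking if it mixes letters and digits and has high entropy."""
    return (any(c.isdigit() for c in label)
            and any(c.isalpha() for c in label)
            and label_entropy(label) >= MIN_ENTROPY)


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, qname) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        records.append((datetime.fromisoformat(ts), client, qname.lower()))
    return records


def find_shadowed(records):
    """Return {parent_domain: [suspicious fqdn, ...]} for parents with at least
    MIN_SUSPICIOUS random-looking, short-lived subdomains."""
    first_seen, last_seen = {}, {}
    for ts, _client, qname in records:
        first_seen[qname] = min(ts, first_seen.get(qname, ts))
        last_seen[qname] = max(ts, last_seen.get(qname, ts))

    suspicious = defaultdict(list)
    for qname in first_seen:
        parent = parent_domain(qname)
        if qname == parent:
            continue                      # apex queries carry no subdomain label
        label = qname[: -len(parent) - 1]
        lifetime_h = (last_seen[qname] - first_seen[qname]).total_seconds() / 3600
        if looks_random(label) and lifetime_h <= MAX_LIFETIME_HOURS:
            suspicious[parent].append(qname)

    return {p: sorted(names) for p, names in suspicious.items()
            if len(names) >= MIN_SUSPICIOUS}


if __name__ == "__main__":
    for parent, names in find_shadowed(parse_log(SAMPLE_LOG)).items():
        print(f"{parent}: {len(names)} candidate shadow subdomains")
        for n in names:
            print("   ", n)
```

The lifetime test matters as much as the entropy test: a legitimate CDN also creates odd-looking hostnames, but they stay in use for months, whereas shadow subdomains are created, used for a campaign window, and abandoned. Tune MIN_SUSPICIOUS upward on networks that see a lot of hosting-provider traffic.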
For more details on the ShadowGate campaign, see the September 2016 Cisco Talos blog post, Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted.
Investigation Finds 75 Percent of Organizations Affected by Adware Infections
Adware, when used for legitimate purposes, is software that downloads or displays advertising through redirections, pop-ups, and ad injections and generates revenue for its creators. However, cybercriminals are also using adware as a tool to help increase their revenue stream. They use malicious adware not only to profit from injecting advertising, but also as a first step to facilitate other malware campaigns, such as DNSChanger malware. Malicious adware is delivered through software bundles; publishers create one installer with a legitimate application along with dozens of malicious adware applications.
Bad actors use adware to:
- Inject advertising, which may lead to further infections or exposure to exploit kits
- Change browser and operating system settings to weaken security
- Break antivirus or other security products
- Gain full control of the host, so they can install other malicious software
- Track users by location, identity, services used, and sites commonly visited
- Exfiltrate information such as personal data, credentials, and infrastructure information (for example, a company’s internal sales pages)
To assess the scope of the adware problem for enterprises, Cisco threat researchers examined 80 different adware variants. About 130 organizations across verticals were included in our investigation, which took place from November 2015 to November 2016.
We categorized the adware into four groups, based on the primary behavior of each component:
- Ad injectors: This adware usually resides in the browser and can affect all operating systems.
- Browser-settings hijackers: This adware component can change computer settings to make the browser less secure.
- Utilities: This is a large and growing category of adware. Utilities are web applications that offer a useful service to users, such as PC optimization. These applications can inject advertising, but their primary purpose is to convince users to pay for the service. However, in many cases, utilities are nothing more than scams and provide no benefits to users.
- Downloaders: This adware can deliver other software, such as a toolbar.
We determined that 75 percent of the organizations in our study were affected by adware infections (Figure 12).
Figure 13 shows the types of incidents we observed in the organizations included in our investigation. Ad injectors were the primary source of infections. This finding indicates that most of these unwanted applications target web browsers. We have also seen an increase in browser-based infections during the last few years, which suggests adversaries are finding success with this strategy for compromising users.
All the adware components we identified during our investigation can place users and organizations at risk for malicious activity. Security teams must recognize the threat that adware infections pose and make sure that users in the organization are fully aware of the risks.
For additional information on this topic, see the February 2016 Cisco Security blog post, DNSChanger Outbreak Linked to Adware Install Base.
Global Spam Is Increasing—and So Is the Percentage of Malicious Attachments
Cisco threat researchers conducted two studies in 2016 using opt-in customer telemetry to estimate what percentage of total email volume is spam. We found that spam accounts for nearly two-thirds (65 percent) of total email volume. Our research also suggests that global spam volume is growing, due primarily to large and thriving spam-sending botnets like Necurs. In addition, we determined through our analysis that about 8 percent to 10 percent of global spam observed in 2016 could be categorized as malicious.
From August to October 2016, there was a significant increase in the number of IP connection blocks (Figure 14).¹² This trend can be attributed to an overall rise in spam volume, as well as reputation systems adapting to information about spam senders.
The five-year graph from the Composite Blocking List (CBL), a DNS-based “blackhole list” of suspected spam-sending computer infections,¹³ also shows a dramatic increase in total spam volume during 2016 (Figure 15).
A review of 10-year data from CBL (not shown) suggests that 2016 spam volume is close to the record-high levels seen in 2010. New antispam technologies, and high-profile takedowns of spam-related botnets, have helped to keep spam levels low in recent years. Our threat researchers attribute the recent increase in global spam volume to the Necurs botnet. Necurs is a primary vector for Locky ransomware. It also distributes threats such as the Dridex banking Trojan.
Figure 16 is an internal graph generated by Cisco’s SpamCop service that illustrates the change in spam volume observed in 2016. This graph shows the overall size of the SpamCop Block List (SCBL) from November 2015 to November 2016. Each row in the SCBL represents a distinct IP address.
Between November 2015 and February 2016, SCBL size hovered below 200,000 IP addresses. In September and October, SCBL size exceeded 400,000 IP addresses before dropping off later in October, which our threat researchers attribute to the operators of Necurs simply taking time off. Also note the significant decline in June. At the end of May, there were arrests in Russia related to the Lurk banking Trojan (see page 21). Subsequently, several high-profile threats, including Necurs, went silent. However, 3 weeks later, Necurs was back in action, adding more than 200,000 IP addresses to the SCBL in less than 2 hours.
Many of the host IPs sending Necurs spam have been infected for more than 2 years. To help keep the full scope of the botnet hidden, Necurs will send spam only from a subset of infected hosts. An infected host might be used for 2 to 3 days, and then sometimes not again for 2 to 3 weeks. This behavior complicates the job of security personnel who respond to spam attacks. They may believe they have found and successfully cleaned an infected host, but the actors behind Necurs are just biding their time until they launch another attack.
Seventy-five percent of total spam observed in October 2016 contained malicious attachments. Most of that spam was sent by the Necurs botnet. (See Figure 17.) Necurs sends malicious .zip attachments that contain script downloaders such as JavaScript, .hta, .wsf, and VBScript files. In calculating the percentage of total spam containing malicious attachments, we count both the “container” file (.zip) and the “child” files within it (such as a JavaScript file) as individual malicious attachments.
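The counting rule above (container and child each count once) is easy to get wrong in an attachment-triage tool, so here is an added example that implements it; this is not the report’s own tooling. It opens a .zip attachment in memory, classifies each member by its final extension, recurses into nested archives with a depth limit, and returns one finding for the container plus one for each malicious child. The extension lists beyond the four types the report names, the size guard, and the sample archives are assumptions made for this example.

```python
"""Triage an e-mail attachment the way the report counts them (added example):
a .zip that carries a script downloader counts as a malicious "container", and
each malicious "child" inside it counts separately.

The extension lists are assumptions for this example (the report names
JavaScript, .hta, .wsf and VBScript as Necurs downloader types; the rest are
added here).  The sample archives are constructed in memory.
"""
import io
import zipfile

SCRIPT_EXTS = {".js", ".jse", ".hta", ".wsf", ".vbs", ".vbe", ".wsh", ".cmd", ".bat", ".ps1"}
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".dll"}
MACRO_DOC_EXTS = {".docm", ".xlsm", ".pptm"}
CONTAINER_EXTS = {".zip"}
MAX_DEPTH = 3                  # nested archives beyond this are reported, not opened
MAX_MEMBER_BYTES = 50_000_000  # crude zip-bomb guard on the declared member size


def extension(name):
    """Lower-cased final extension, so 'Invoice.PDF.js' is judged by '.js'."""
    base = name.rsplit("/", 1)[-1].lower()
    return "." + base.rsplit(".", 1)[1] if "." in base else ""


def classify(name):
    """Verdict for a non-archive member, or None if its type is not flagged."""
    ext = extension(name)
    if ext in SCRIPT_EXTS:
        return "script downloader"
    if ext in EXECUTABLE_EXTS:
        return "executable"
    if ext in MACRO_DOC_EXTS:
        return "macro-enabled document"
    return None


def triage(name, data, depth=0):
    """Return [(path, verdict), ...] for every item counted as malicious.
    A container is listed before its children; a clean archive yields []."""
    if extension(name) not in CONTAINER_EXTS:
        verdict = classify(name)
        return [(name, verdict)] if verdict else []

    if depth >= MAX_DEPTH:
        return [(name, "archive nested too deeply")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(name, "malformed archive")]

    child_findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{name}/{info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:
                child_findings.append((path, "oversized member"))
                continue
            child_findings.extend(triage(path, zf.read(info), depth + 1))

    findings = []
    if child_findings:
        findings.append((name, "container of malicious child"))
        findings.extend(child_findings)
    return findings


def build_zip(members):
    """Constructed test archive: {filename: bytes} -> zip bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: the .js body is an inert placeholder, not a real downloader.
    lure = build_zip({"invoice_2016.js": b"// placeholder", "readme.txt": b"see invoice"})
    for path, verdict in triage("invoice.zip", lure):
        print(f"{verdict:30s} {path}")
```

Judging by the final extension is what makes double-extension lures such as scan.PDF.HTA fall into the script bucket; Windows will run that file as an HTML Application regardless of the .PDF in the middle. The depth limit and size guard keep a hostile archive from turning the triage step itself into a denial of service.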
Attackers Experiment with Attachment Types to Keep Malicious Spam Campaigns Fresh
Our threat researchers examined how adversaries use different types of file attachments to help prevent malicious spam from being detected. What we found is that they are continually evolving their strategies, experimenting with a wide range of file types, and quickly switching tactics when they don’t find success.
Figure 17 shows how malicious spam operators experimented with the use of .docm, JavaScript, .wsf, and .hta files during the period observed. As noted earlier, many of these file types are associated with spam sent by the Necurs botnet. (For research related to other file types we examined, see the Appendix on page 78.)
The percentages for the different file types in a given month are expressed as a share of the spam that contained malicious attachments in that month. So, for example, in July 2016, .docm files accounted for 8 percent of all malicious attachments observed.
Patterns with .wsf files during 2016 (see Figure 17) provide an example of how adversaries evolve malicious spam tactics over time. This file type was rarely used as a malicious attachment before February 2016. Its use then grew as the Necurs botnet became more active. By July, .wsf files accounted for 22 percent of all malicious spam attachments. This was also around the time that global spam activity increased dramatically (see previous section), an uptick that was due largely to the Necurs botnet.
Through August, September, and October, we saw fluctuations in the percentages of .wsf files. This indicates that adversaries were pulling back at times when the file type was being detected more frequently.
Hailstorms and Snowshoes
Two types of malicious spam attacks are especially problematic for defenders: hailstorm attacks and snowshoe attacks. Both exploit timing and targeting, and both are highly effective.
Hailstorm attacks target antispam systems. The operators behind these attacks take advantage of the very small window of time between the moment they launch their spam campaign and when antispam systems see it and push coverage out to antispam scanners. Adversaries typically have only seconds or minutes to operate before their campaigns are detected and blocked.
The spike in Figure 18 is a hailstorm attack. The activity is shown in the Cisco Investigate interface. Just before the attack, no one was resolving the domain. Then, suddenly, the number of computers resolving it in DNS spiked to more than 78,000 before dropping back down to zero.
Contrast the hailstorm attack to a snowshoe spam campaign, also shown in Figure 18, where attackers attempt to fly under the radar of volume-based detection solutions. The number of DNS lookups is steady, but there are only about 25 queries per hour. These low-volume attacks allow adversaries to quietly distribute spam from a large swath of IP addresses.
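The two shapes in Figure 18 (a one-hour burst to tens of thousands of lookups, versus a flat 25 or so per hour) can be told apart from hourly DNS-lookup counts alone. The following is an added example, not code from the report: it classifies a domain’s 24-hour series as hailstorm, snowshoe, or ordinary baseline traffic, and then sums a constructed snowshoe campaign across its sender domains to show why a per-domain volume threshold misses it. The thresholds and the three sample series are assumptions made for this example, with the 78,000 peak and the 25-per-hour rate taken from the figure description.

```python
"""Classify a domain's hourly DNS-lookup history as hailstorm, snowshoe, or
baseline traffic (added example), then show why per-domain volume thresholds
miss a snowshoe campaign in aggregate.  Thresholds and sample series are
assumptions for this example, not values from the report.
"""
from statistics import mean, median

HAILSTORM_PEAK = 10_000     # lookups in one hour
HAILSTORM_MAX_HOURS = 2     # a burst lasts an hour or two, then nothing
SNOWSHOE_MAX_MEAN = 100     # per-domain average that stays under volume alarms
SNOWSHOE_MAX_RATIO = 3.0    # peak / median: steady rather than bursty

# Constructed 24-hour series (lookups per hour)
HAILSTORM = [0] * 10 + [78_000] + [0] * 13
SNOWSHOE = [25, 23, 27, 24, 26, 25] * 4
BASELINE = [300, 250, 200, 200, 250, 400, 800, 1200, 1500, 1600, 1500, 1400,
            1300, 1400, 1500, 1600, 1400, 1200, 900, 700, 500, 400, 350, 300]


def classify_series(counts):
    """Return 'silent', 'hailstorm', 'snowshoe', or 'baseline' for one domain."""
    active = [c for c in counts if c > 0]
    if not active:
        return "silent"
    peak = max(counts)
    # Hailstorm: almost all of the traffic lands in one or two hours.
    if peak >= HAILSTORM_PEAK and len(active) <= HAILSTORM_MAX_HOURS:
        return "hailstorm"
    # Snowshoe: steady and low enough to stay under a volume alarm.
    med = median(counts)
    if med > 0 and peak <= SNOWSHOE_MAX_RATIO * med and mean(counts) <= SNOWSHOE_MAX_MEAN:
        return "snowshoe"
    return "baseline"


def campaign_total(series_by_domain):
    """Hour-by-hour sum across all sender domains of one campaign."""
    hours = len(next(iter(series_by_domain.values())))
    return [sum(s[h] for s in series_by_domain.values()) for h in range(hours)]


def per_domain_verdicts(series_by_domain):
    return {d: classify_series(s) for d, s in series_by_domain.items()}


if __name__ == "__main__":
    print("hailstorm sample:", classify_series(HAILSTORM))
    print("snowshoe sample: ", classify_series(SNOWSHOE))
    print("baseline sample: ", classify_series(BASELINE))
    # Forty snowshoe sender domains each look harmless on their own...
    campaign = {f"sender{i:02d}.example": SNOWSHOE for i in range(40)}
    print("per-domain verdicts:", set(per_domain_verdicts(campaign).values()))
    # ...but together they move as much mail as a mid-sized legitimate sender.
    total = campaign_total(campaign)
    print("campaign total per hour:", total[0], "->", classify_series(total))
```

The per-domain verdict catches the hailstorm, but the snowshoe campaign only becomes visible once the sender domains are grouped by something they share (registrant, netblock, message template) and summed; that grouping, not a lower volume threshold, is what a defender needs to add.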
Even though these spam attacks operate differently, they do have things in common. Through either approach, adversaries can:
- Evade a bad reputation by sending from clean IPs and domains
- Emulate marketing mail with professional content and subscription management
- Use well-configured email systems rather than sloppy scripts or spam bots
- Properly set up forward-confirmed reverse DNS and Sender Policy Framework (SPF) records
Adversaries can also impair content detection by mutating text and cycling through file types. (For more details on how cybercriminals evolve their threats to evade defenders, see the “Time to Evolve” section on page 34.) For more information on how they experiment with malicious file attachments for spam, see the previous section.
Figure 19 shows top threat outbreak alerts; this is an overview of the spam and phishing messages that we observed adversaries frequently updating in 2016 in order to bypass email security checks and rules. It is important to know what types of email threats are the most prevalent so that you can avoid being duped by these malicious messages.