Description
As it becomes more difficult to compromise large numbers of users through traditional web attack vectors alone (see page 15), adversaries are relying more on malvertising to expose users to exploit kits. Our threat researchers dubbed a recent global malvertising campaign “ShadowGate.” This campaign illustrates how malicious ads are providing adversaries with more flexibility and opportunity to target users across geographic regions at scale.
ShadowGate involved websites ranging from popular culture to retail to pornography to news. It potentially affected millions of users in North America, Europe, Asia-Pacific, and the Middle East. The campaign's global reach and use of many languages are noteworthy.
ShadowGate, which used domain shadowing (creating subdomains under legitimate domains through hijacked registrant accounts, so that the malicious hosts inherit the parent domain's reputation), was first seen in early 2015. It would go quiet at times and then randomly start up again to direct traffic to exploit kit landing pages. Initially, ShadowGate was used to direct users to the Angler exploit kit only. But after Angler disappeared in the summer of 2016, users were directed to the Neutrino exploit kit, until that vanished as well a few months later. (For more on this story, see "Disappearance of Major Exploit Kits Presents Opportunities for Smaller Players and New Entrants," on page 20.)
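Domain shadowing leaves a recognizable trace in passive DNS: a long-established apex domain suddenly sprouts a burst of new, random-looking subdomains that resolve to addresses the apex itself has never used. The following is an added example, not code from the report or from Talos, showing one simple heuristic for spotting that pattern. It assumes a two-label apex (a real implementation would use the Public Suffix List) and runs over constructed records using hypothetical domain names and RFC 5737 documentation addresses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed passive-DNS style records: (fqdn, resolved IP, first-seen date).
# Hypothetical domains and RFC 5737 documentation addresses; not data from the report.
RECORDS = [
    ("example-retail.com",        "203.0.113.10", "2014-06-01"),
    ("www.example-retail.com",    "203.0.113.10", "2014-06-01"),
    ("shop.example-retail.com",   "203.0.113.11", "2014-09-14"),  # legitimate, old
    ("k7hq2.example-retail.com",  "198.51.100.7", "2016-02-03"),  # burst begins
    ("x9d1pz.example-retail.com", "198.51.100.7", "2016-02-03"),
    ("qm4r.example-retail.com",   "198.51.100.8", "2016-02-04"),
    ("vv82t.example-retail.com",  "198.51.100.8", "2016-02-05"),
    ("b3n0e.example-retail.com",  "198.51.100.9", "2016-02-06"),
    ("example-news.org",          "192.0.2.20",   "2013-01-10"),
    ("www.example-news.org",      "192.0.2.20",   "2013-01-10"),
    ("mail.example-news.org",     "192.0.2.21",   "2013-03-02"),
]


def apex_of(fqdn: str) -> str:
    """Return the registrable domain. Assumption: two-label apex; production
    code should consult the Public Suffix List instead."""
    return ".".join(fqdn.split(".")[-2:])


def find_shadowed(records, window_days: int = 7, min_new: int = 4) -> dict:
    """Flag apex domains that gained at least `min_new` subdomains within
    `window_days`, where those subdomains resolve to IPs the apex (or its
    www host) never used. Returns {apex: [suspect fqdn, ...]}."""
    by_apex = defaultdict(list)
    for fqdn, ip, seen in records:
        by_apex[apex_of(fqdn)].append(
            (fqdn, ip, datetime.strptime(seen, "%Y-%m-%d"))
        )

    window = timedelta(days=window_days)
    flagged = {}
    for apex, rows in by_apex.items():
        own_hosts = {apex, "www." + apex}
        # IPs the legitimate site is known to use.
        legit_ips = {ip for fqdn, ip, _ in rows if fqdn in own_hosts}
        # Subdomains pointing somewhere the apex never pointed, oldest first.
        candidates = sorted(
            (seen, fqdn)
            for fqdn, ip, seen in rows
            if fqdn not in own_hosts and ip not in legit_ips
        )
        hits = set()
        for i, (start, _) in enumerate(candidates):
            burst = [f for s, f in candidates[i:] if s - start <= window]
            if len(burst) >= min_new:
                hits.update(burst)
        if hits:
            flagged[apex] = sorted(hits)
    return flagged


if __name__ == "__main__":
    for apex, hosts in find_shadowed(RECORDS).items():
        print(f"{apex}: {len(hosts)} suspected shadowed subdomains")
        for h in hosts:
            print("  ", h)
```

In the constructed data, `shop.example-retail.com` also resolves to an address the apex never used, but it is a single, years-old record and is not flagged; only the five subdomains registered within a few days of each other in 2016 trip the burst threshold. Tune `window_days` and `min_new` to the hosting provider's normal churn, and treat the output as a triage queue for registrant-account review rather than as a verdict.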
Even though ShadowGate saw a high volume of web traffic, only a tiny fraction of interactions led to a user being directed to an exploit kit. The malicious ads were mostly impressions, ads that render on the page and require no user interaction. This online advertising model allowed the actors responsible for ShadowGate to operate their campaign more cost-effectively.
Our research into ShadowGate led to a joint effort with a major web hosting company. We worked together to mitigate the threat by reclaiming registrant accounts that adversaries had used to host the activity. We then took down all applicable subdomains.
For more details on the ShadowGate campaign, see the September 2016 Cisco Talos blog post, "Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted."