Gossip and chit-chat echo [81 / 458]
From: Roger Nelson
To: All
Subject: Exploits
Date/Time: March 29, 2017 4:10 PM

 What are exploits? (And why you should care)
 
Posted March 29, 2017 by Wendy Zamora
 
Exploits: they're not your mama's cyberthreats. At one point in the
not-so-distant past, exploits were responsible for delivering 80 percent of
malware to people's systems. But exploits seem to be experiencing a lull today.
Does this mean they're gone for good and we can all let down our guard? Or is
this simply the calm before the storm? Let's break down this stealthy threat so
you can not only know your enemy, but also be appropriately prepared should
the exploit attacks return.
 
What is an exploit?
 
An exploit is a program or piece of code that finds and takes advantage of a
security flaw in an application or system so that cybercriminals can use it for
their benefit, i.e., exploit it.
 
Cybercriminals frequently deliver exploits to computers as part of a kit, or a
collection of exploits, that is hosted on websites or hidden on invisible
landing pages. When you land on one of these sites, the exploit kit
automatically fingerprints your computer to see which operating system you are
on, which programs you have running, and most importantly, whether any of
these have security flaws, called vulnerabilities. It is basically looking at
your computer for weaknesses to exploit, not unlike the Trojans did with
Achilles' heel.
 
After discovering vulnerabilities, the exploit kit uses its pre-built code to
essentially force the gaps open and deliver malware, bypassing many security
programs.
 
So are exploits a form of malware? Technically, no. Exploits are not malware
themselves, but rather methods for delivering the malware. An exploit kit
doesn't infect your computer. But it opens the door to let the malware in.
 
How do exploits attack?
 
People most often come across exploit kits from booby-trapped high-trafficked
websites. Cybercriminals typically choose popular, reputable sites in order to
reap the highest return on their investment. This means the news sites you
read, the website you use to browse real estate, or the online store where you
buy your books are all possible candidates. Sites such as yahoo.com,
nytimes.com, and msn.com have been compromised in the past.
 
So you're surfing the web, stopping by a website you love, and the compromised
site redirects you in the background, without opening any new browser windows
or alerting you in any other way, so that you can be scanned for suitability for
infection. Based on this, you are either selected for exploitation or
discarded.
 
How is your favorite website compromised? In one of two ways:

1. A piece of malicious code is hidden in plain sight on the website (via good
   old-fashioned hacking)
2. An advertisement that is displayed on the website has been infected. These
   malicious ads, known as malvertising, are especially dangerous, as users
   don't even need to click on the ad in order to be exposed to the threat.

Both methods, hacked sites or malvertising, immediately redirect you
(point your web browser) to an invisible landing page that is hosting the
exploit kit. Once there, if you have vulnerabilities on your computer, it's
game over.
 
The exploit kit identifies vulnerabilities and launches the appropriate
exploits in order to drop malicious payloads. These payloads (the malware) can
then execute and infect your computer with all kinds of bad juju. Ransomware is
a particular favorite payload of exploit kits these days.
 
Which software is vulnerable?
 
In theory, given enough time, every piece of software is potentially
vulnerable. Specialist criminal teams spend lots of time pulling apart programs
so they can find vulnerabilities. However, they typically focus on the
applications with the highest user-base, as they present the richest targets.
As with all forms of cybercrime, it's a numbers game. Top application targets
include Internet Explorer, Flash, Java, Adobe Reader, and Microsoft Office.
 
How security folks fight it
 
Software companies understand that the programs they develop may contain
vulnerabilities. As incremental updates are made to the programs in order to
improve functionality, looks, and experience, so too are security fixes made to
close vulnerabilities. These fixes are called patches, and they are often
released on a regular schedule. For example, Microsoft releases a cluster of
patches for their programs on the second Tuesday of each month, known as Patch
Tuesday.
 
Companies may also release patches for their programs ad-hoc when a critical
vulnerability is discovered. These patches essentially sew up the hole so
exploit kits can't find their way in and drop off their malicious packages.
 
The problem with patches is they often aren't released immediately after a
vulnerability is discovered, so criminals have time to act and exploit. The
other problem is that they rely on users downloading those "annoying" updates
as soon as they come out. Most exploit kits target vulnerabilities that have
already been patched for a long time because they know most people don't update
regularly.
 
For software vulnerabilities that have not yet been patched by the company who
makes them, there are technologies and programs developed by cybersecurity
companies that shield programs and systems known to be favorites for
exploitation. These technologies essentially act as barriers against vulnerable
programs and stop exploits in multiple stages of attack. That way, they never
have a chance to drop off their malicious payload.
 
Types of exploits
 
Exploits can be grouped into two categories: known and unknown, also called
zero-day exploits.
 
Known exploits are exploits that security researchers have already discovered
and documented. These exploits take advantage of the known vulnerabilities in
software programs and systems (that perhaps users haven't updated in a long
time). Security professionals and software developers have already created
patches for these vulnerabilities, but it can be difficult to keep up with all
the required patches for every piece of software, hence why these known exploits
are still so successful.
 
Unknown exploits, or zero-days, are used on vulnerabilities that have not yet
been reported to the general public. This means that cybercriminals have either
spotted the flaw before the developers noticed it, or they've created an
exploit before developers get a chance to fix the flaw. In some cases,
developers may not even find the vulnerability in their program that led to an
exploit for months, if not years! Zero-days are particularly dangerous because
even if users have their software fully updated, they can still be exploited,
and their security can be breached.
 
Biggest exploit offenders
 
The three exploit kits most active in the wild right now are named RIG,
Neutrino, and Magnitude. RIG remains the most popular kit, and it's being used
in both malvertising and website compromising campaigns to infect people's
machines with ransomware. Neutrino is a Russian-made kit that's been used in
malvertising campaigns against top publishers, and it preys on Java
vulnerabilities (also to deliver ransomware). Magnitude is using malvertising
to launch its attacks as well, though it's strictly focused on countries in
Asia.
 
Two lesser-known exploit campaigns, Pseudo-Darkleech and EITest, are currently
the most popular redirection vehicles using compromised websites. These
offenders inject code into sites such as WordPress, Joomla, or Drupal, and
automatically redirect visitors to an exploit kit landing page.
 
As with all forms of cyberthreats, exploits, their methods of delivery, and the
malware they drop are constantly evolving. It's a good idea to stay on top of
the most common forms to make sure the programs they target are patched on your
computer.
 
Current exploit kit landscape
 
Right now, the exploit scene is pretty bleak, which is a good thing for those
in the security industry and, essentially, for anyone using a computer. This is
because in June 2016, Angler, a sophisticated exploit kit that was responsible
for nearly 60 percent of all exploit attacks the year before, was shut down.
There hasn't been any other exploit kit that's built up the same level of
market share since.
 
Threat actors have been a bit gun shy about running back to exploit kits, for
fear of another Angler takedown. Once Angler was dismantled, cybercriminals
turned their focus back to some more traditional forms of attack, including
phishing and emails with malicious attachments (malspam). But rest assured,
they'll be back once a new, more reliable exploit kit proves effective in the
black market.
 
How to protect against exploits
 
The instinct may be to take little to no action to protect against exploits,
since there's not a lot of exploit-related cybercriminal activity right now.
But that would be like choosing not to lock your doors since there hasn't been
a robbery in your neighborhood in a year. A couple of simple security practices
can help you stay ahead of the game.
 
First, make sure you keep your software programs, plugins, and operating
systems updated at all times. This is done by simply following instructions
when reminded by those programs that updates are ready. You can also check
settings from time to time to see if there are patch notifications that may
have fallen off your radar.
 
Second, invest in cybersecurity that protects against both known and unknown
exploits. Several next-generation cybersecurity companies, including
Malwarebytes, have started integrating anti-exploit technology into their
products.
 
So you can either kick back and pray that we've seen the last of exploits. Or,
you can keep your shields up by consistently updating your programs and
operating systems, and using top-notch anti-exploit security programs. The
smart money says exploits will be back. And when they return, you won't have a
weak heel to expose to them.
 
 
Regards,
 
Roger

--- DB 3.99 + W10 (1607)
 * Origin: NCS BBS - Houma, LoUiSiAna (1:3828/7)
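
Added example, not part of the original post or article: a site owner can audit their own pages for the kind of injected redirect described under "How do exploits attack?". It assumes the injected code is an off-site iframe made invisible with tiny dimensions or inline CSS; that form, the name find_hidden_offsite_frames and the sample HTML are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles commonly used to keep a frame out of the visitor's sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE)
TINY = {"0", "1"}  # width/height values that make a frame effectively invisible

class HiddenFrameFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        same_site = host == self.site_host or host.endswith("." + self.site_host)
        if not host or same_site:
            return  # relative or same-site frame: not a cross-site load
        reasons = []
        if a.get("width") in TINY or a.get("height") in TINY:
            reasons.append("tiny size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by style")
        if reasons:
            self.findings.append((host, reasons))

def find_hidden_offsite_frames(html, site_host):
    """Return (host, reasons) for each invisible iframe served from another host."""
    parser = HiddenFrameFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page for the site "example.com" (not real data).
SAMPLE_PAGE = """
<iframe src="https://www.example.com/video" width="640" height="360"></iframe>
<iframe src="https://maps.example.org/embed" width="600" height="400"></iframe>
<iframe src="http://landing.example.net/gate" width="1" height="1" style="position:absolute;left:-9999px"></iframe>
<iframe src="//ads.example.net/slot" style="display:none"></iframe>
"""

if __name__ == "__main__":
    for host, reasons in find_hidden_offsite_frames(SAMPLE_PAGE, "example.com"):
        print(host, reasons)
```

A hit is a lead to review rather than proof of compromise, since some legitimate third-party widgets also use hidden frames.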