How a Microsoft Edge hole spread 'malvertising' & stayed off the radar

15 Sep 2016

Proofpoint and Trend Micro have discovered a large-scale 'malvertising' campaign run by a threat actor group known as AdGholas.

AdGholas made extensive use of steganography and malicious ads placed to earn 'high-quality impressions', reaching 1-5 million users per day while avoiding detection by researchers.

One way the malvertising avoided researchers was by using an information disclosure zero-day in Microsoft Edge and Internet Explorer, at a time when researchers were relying on virtual machines and sandboxes to analyse it.

Microsoft patched the CVE-2016-3351 vulnerability two days ago; however, the bug had been known since 2015.

Proofpoint described the vulnerability as a MIME type check that could detect specific shell extension associations, such as .py, .pcap and .saz, and use them to filter out those users. Occasionally it used the presence of popular file extensions such as .doc, .mkv, .torrent and .skype to trigger the next stage of exploitation.

The vulnerability allowed AdGholas to avoid detection while running a long-running malvertising campaign that relied on non-critical bugs and low-severity vulnerabilities, which companies can leave unpatched for months or even years.

"Threat actors have previously used techniques to more effectively target end-users, from emails oriented to a specific industry to active infiltration of single entities via APTs. But using an information disclosure zero-day specifically to evade vendors' and researchers' detection of malvertising and exploit kit activity suggests attackers are increasingly concerned about defenders' effectiveness," says Kevin Epstein, vice president of threat operations at Proofpoint.

The onus is as much on software vendors as on threat actors, researchers and enterprises, Proofpoint says.

"It isn't just execution zero-days that matter. Threat actors are clearly realising value from even information disclosure and other deprecated vulnerabilities that vendors may be slower to fix, and users even slower to patch," Epstein continues.

Proofpoint strongly advises that software vendors keep releasing patch updates, while users and organisations need to 'rethink patching prioritisations'. The company says researchers also need to look to new places and methods for detecting malicious activity.

Read more about AdGholas and the CVE-2016-3351 vulnerability here
