How a Microsoft Edge hole spread 'malvertising' & stayed off the radar

15 Sep 16

Proofpoint and Trend Micro have discovered a large-scale 'malvertising' campaign run by a threat actor group known as AdGholas.

AdGholas has made extensive use of steganography and malicious ads bought as 'high-quality impressions', reaching 1-5 million users per day while avoiding detection by researchers.

One way the malvertising avoided researchers was by using an information disclosure zero-day in Microsoft Edge and Internet Explorer to recognise the virtual machines and sandboxes that researchers were using to analyse it.

Microsoft patched the CVE-2016-3351 vulnerability two days ago; however, the bug has been known since 2015.

Proofpoint described the vulnerability as a MIME type check that reveals which shell extension associations a machine has, letting the campaign filter out systems associated with analyst-tool extensions such as .py, .pcap and .saz. In some cases it also used associations for popular extensions, such as the Word document extension .doc and the .mkv, .torrent and .skype extensions, to decide whether to trigger the next stage of exploitation.
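The tell-tale signal the campaign relied on is which file extensions a host has registered with an application. The script below is an added example, not code from Proofpoint, Trend Micro or the article, that lets a defender audit an analysis VM for exactly the associations the article names, so a sandbox image can be reviewed before being exposed to ad traffic. It assumes a Windows host where shell associations live under HKEY_CLASSES_ROOT (the merged view of HKLM and HKCU Software\Classes); the extension lists are taken from the article, and the function name is this example's own.

```powershell
# Added example (not from the article or the vendors named in it): report which
# of the shell extension associations mentioned in the AdGholas analysis are
# present on this host, so an analysis VM image can be reviewed before use.

# Extensions the article says were used to filter out researcher machines.
$AnalystExtensions = @('.py', '.pcap', '.saz')
# Extensions the article says were used as a signal of an ordinary user's machine.
$PopularExtensions = @('.doc', '.mkv', '.torrent', '.skype')

function Get-ExtensionAssociation {
    # Returns the ProgID registered for an extension, a marker if the key exists
    # with no ProgID, or $null if the extension is not registered at all.
    param([Parameter(Mandatory = $true)][string]$Extension)

    # HKCR merges HKLM\Software\Classes and HKCU\Software\Classes, so one lookup covers both.
    $key = "Registry::HKEY_CLASSES_ROOT\$Extension"
    if (-not (Test-Path -LiteralPath $key)) { return $null }

    $progId = (Get-Item -LiteralPath $key).GetValue('')   # default value holds the ProgID
    if ([string]::IsNullOrEmpty($progId)) { return '(key present, no ProgID)' }
    return $progId
}

function Write-AssociationReport {
    param([string]$Title, [string[]]$Extensions)
    Write-Host $Title
    foreach ($ext in $Extensions) {
        $assoc = Get-ExtensionAssociation -Extension $ext
        if ($null -ne $assoc) {
            Write-Host ("  {0,-9} -> {1}" -f $ext, $assoc)
        } else {
            Write-Host ("  {0,-9} -> not associated" -f $ext)
        }
    }
}

Write-AssociationReport -Title 'Analyst-tool associations (each one marks this host as an analysis box):' `
                        -Extensions $AnalystExtensions
Write-AssociationReport -Title 'Everyday associations (absence makes this host look unlike a normal user):' `
                        -Extensions $PopularExtensions
```

Run it in a PowerShell session on the sandbox VM. A host that reports .py, .pcap or .saz as associated, or that reports none of the everyday extensions, looks like a research environment under the article's description of the check; the usual mitigation is to keep the analysis tooling off the image the browser runs in, or to install it without registering file associations, and to give the image the file associations an ordinary workstation would have.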

The vulnerability allowed AdGholas to avoid detection throughout a long-running advertising campaign by relying on non-critical bugs and low-severity vulnerabilities of the kind that companies can leave unpatched for months, or even years.

"Threat actors have previously used techniques to more effectively target end-users, from emails oriented to a specific industry to active infiltration of single entities via APTs. But using an information disclosure zero-day specifically to evade vendors' and researchers' detection of malvertising and exploit kit activity suggests attackers are increasingly concerned about defenders' effectiveness," says Kevin Epstein, vice president of threat operations at Proofpoint.

The onus is as much on software vendors as threat actors, researchers and enterprises, Proofpoint says.

"It isn't just execution zero-days that matter. Threat actors are clearly realising value from even information disclosure and other deprecated vulnerabilities that vendors may be slower to fix, and users even slower to patch," Epstein continues.

Proofpoint strongly advises that software vendors keep releasing patch updates, while users and organisations need to 'rethink patching prioritisations'. The company says researchers also need to look to new places and methods for detecting malicious activity.

Read more about AdGholas and the CVE-2016-3351 vulnerability here