Cisco: Blackhole arrest cuts exploit-kit traffic, but don't let your guard down

Exploit kits of cybercrime tools fell into a big slump in the first half of this year after Russian authorities nabbed the alleged creator of the popular Blackhole kit, but users aren’t necessarily safer.

Blackhole so dominated the shadowy market for exploit kits, or bundles of code for taking advantage of known software vulnerabilities, that the number of URL requests associated with exploit kits fell by 87 percent in the first half, according to the Cisco 2014 Midyear Security Report. The report was released on Tuesday during the Black Hat security conference in Las Vegas.

+ ALSO ON NETWORK WORLD Follow everything that comes out of Black Hat +

The report, which combines findings from Jan. 1 through June 30 by various security divisions of Cisco Systems, painted a fairly grim picture overall: One statistic, based on observations of 16 enterprise networks, showed that nearly 94 percent of them had Web traffic go to malware sites, the company said. The company’s annual security report last December found that 100 percent of observed enterprises—30 enterprises, in that case—had malware traffic. The report also found a marked increase in attacks against media companies.

Blackhole was linked to numerous cyber attacks until its alleged author, who used the nickname Paunch, was arrested last October. There were many exploit kits based on Blackhole, but activity around those has died down since Paunch’s arrest. In the meantime, many different kits have been vying for hackers’ attention, said Levi Gundert, a technical team leader at Cisco. Exploit-kit creators compete much like makers of any product do, on features (such as how many exploits are included) and customer service, he said.

“There will be a new market leader in the underground,” Gundert said. “I think it’s just a matter of time before another Blackhole ... emerges and claims dominance.”

For the midyear report, Cisco’s SourceFire Vulnerability Research Team (VRT) analyzed URL requests on the Internet to determine if the code that generated them came from a known exploit kit. The sharp decline in exploit kit identifications may not mean less malware is out there, Gundert warned. For one thing, some kits are harder to recognize than others. For example, the Sweet Orange kit uses a new pattern every day to create URLs for the rogue pages where it sends victims. “It’s very difficult to track from the typical indicators we’ve used in the past,” he said.

Web users frequently get redirected to malware sites by code built into online display ads, which can hijack a browser even if the user never clicks on the malicious ad, Gundert said. Often, the bad site appears briefly as a blank white page. But in the meantime, it will load malware on the user’s system that can do just about anything if the computer doesn’t have up-to-date protections installed, he said.

Between 5 percent and 10 percent of all enterprise Web traffic involves so-called malvertising, judging by results from Cisco’s CWS (Cloud Web Security) service. CWS analyzes all Web requests from customers around the world who want their traffic monitored for security reasons. CWS looked at 2 billion to 3 billion Web requests, Gundert said.

“This stuff is just rampant,” he said. Purveyors of malicious ads buy their way onto legitimate sites through the same exchanges that distribute ordinary ads, paying to have their spots appear every few times the page is shown to a user, Gundert said. The exchanges try to prevent this, but it’s hard because there’s nothing malicious about the ads themselves, just the URLs that they send visitors to.

“What the evidence shows to date is, they have not been very successful in doing that,” he said.

When hackers look for ways to attack, they usually go after Java, especially older versions of the architecture. Of all the indicators that computers had been compromised in the first half of the year, 93 percent pointed to a Java vulnerability, Cisco found. That was up from 91 percent in the previous six months.

Java is the target of choice because so many consumers and businesses use it, especially in browsers, and most don’t update it when they need to, Gundert said. Those who do will get redirected to malicious sites just like anyone else, but their systems won’t be compromised.

While updating Java is easy for consumers as long as they notice alerts of new versions, it can be more complicated for enterprises, Gundert said. They may have built complex and critical applications based on Java and can’t quickly modify that code to run on the new version. It may take six months just to draft a migration plan, while more Java updates in response to new threats are likely to come in the meantime, he said. To help mitigate the dangers, Gundert advised enterprises to closely watch the Web traffic exiting their networks for evidence of exploitation.


Copyright © 2014 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022