
How a Microsoft Edge hole spread 'malvertising' & stayed off the radar

15 Sep 2016

Proofpoint and Trend Micro have discovered a large-scale 'malvertising' campaign, enacted by threat actors known as AdGholas.

AdGholas has made extensive use of steganography and malicious ads to buy 'high-quality impressions', reaching 1-5 million users per day while avoiding detection by researchers.

One way the malvertising avoided researchers was by using an information disclosure zero-day in Microsoft Edge and Internet Explorer to identify the virtual machines and sandboxes researchers were using, so that those systems were never served the malicious payload.

Microsoft patched the vulnerability, CVE-2016-3351, two days ago; however, the bug has been known since 2015.

Proofpoint described the vulnerability as a MIME type check that could be used to filter out systems with specific shell extension associations, such as .py, .pcap and .saz, which typically indicate analysis tooling. In some cases the campaign instead checked for popular file extensions such as .doc (Word documents), .mkv, .torrent and .skype before triggering the next stage of exploitation.

The vulnerability allowed AdGholas to avoid detection while running a long-running malvertising campaign built on non-critical bugs and low-severity vulnerabilities, the kind that can go unpatched for months or even years.

"Threat actors have previously used techniques to more effectively target end-users, from emails oriented to a specific industry to active infiltration of single entities via APTs. But using an information disclosure zero-day specifically to evade vendors' and researchers' detection of malvertising and exploit kit activity suggests attackers are increasingly concerned about defenders' effectiveness," says Kevin Epstein, vice president of threat operations at Proofpoint.

The onus is as much on software vendors as threat actors, researchers and enterprises, Proofpoint says.

"It isn't just execution zero-days that matter. Threat actors are clearly realising value from even information disclosure and other deprecated vulnerabilities that vendors may be slower to fix, and users even slower to patch," Epstein continues.

Proofpoint strongly advises that software vendors keep releasing patch updates, while users and organisations need to 'rethink patching prioritisations'. The company says researchers also need to look to new places and methods for detecting malicious activity.

Read more about AdGholas and the CVE-2016-3351 vulnerability here
