Major Malvertising Campaign Goes Undetected

This week, we hear about a malvertising campaign that went undetected for three weeks and about the discovery of the SYNful Knock router implant, which affects Cisco routers.

Malware

Major Malvertising Campaign Goes Undetected 

On September 14, 2015, security researchers from Malwarebytes discovered a malvertising campaign affecting several major companies including eBay, Drudge Report, and Answers.com, in which attackers were able to redirect victims to malware-serving Web sites containing the Angler Exploit Kit (EK) by loading ads through a rogue ad server.  The campaign went undetected for three weeks and apparently targeted victims with a vulnerability in Internet Explorer (CVE-2015-2419) and a flaw in Adobe Flash Player (CVE-2015-5560).

In the latest attack, the attackers leveraged several top advertising networks. They posed as legitimate advertisers, submitting their ads through the real-time bidding (RTB) process. When the ads are followed, the Angler Exploit Kit hosted on the rogue advertising sites converts incoming web traffic into compromised machines.

Despite the increased scrutiny of malvertising and ad networks, malvertising campaigns are trending toward stealthier, more advanced tactics used in conjunction with exploit kits to increase the probability of a successful compromise.

References: SecurityWeek Article | SCMagazine Article

Mitigation Strategies:

  • Utilize log management to detect any suspicious user account activity
  • Keep operating system, browsers, browser plugins, and applications up-to-date

Malware

SYNful Knock Router Implant Discovered

SYNful Knock router implant is a type of persistent malware that allows an attacker to gain control of an affected device and compromise its integrity with a modified Cisco Systems IOS software image.  Security firm FireEye describes the implant as having different modules enabled via the HTTP protocol and triggered by crafted TCP packets sent to the device. 

SYNful Knock is activated after receiving an unusual series of non-compliant network packets followed by a hardcoded password.  By sending only the out-of-sequence TCP packet—but not the password—to every Internet address and monitoring the response, researchers are able to detect which ones were infected by the backdoor.

According to the vendor and industry reporting, the attackers exploited routers by using factory default or commonly used passwords possibly obtained from previous reconnaissance or intrusion activities. 

Typically, routers operate outside the defensive perimeter established by security devices, making them lucrative targets for the installation of backdoors.  If attackers can gain access to the router, they can monitor inbound and outbound traffic of the targeted organization, or use the router as a launching pad to pivot within the network, compromise other sensitive hardware, or exfiltrate proprietary data.

References: Ars Technica Article | Snort.org Advisory 

Mitigation Strategies:

  • Anomaly detection can detect abnormal connections involving Cisco routers
  • Intrusion detection system (IDS) signatures can be used to detect and block attacking hosts
  • Reimage infected routers with a known clean download from Cisco Systems

Top 20 IP Addresses

50.112.9.154  ***new***
178.137.162.183  ***new***
84.245.33.104  ***new***
204.93.197.45  ***new***
78.129.243.85
54.217.247.24  ***new***
82.221.128.206
202.124.109.87  ***new***
106.51.238.74  ***new***
128.74.88.224  ***new***
82.208.46.3  ***new***
216.185.52.38  ***new***
62.141.37.230  ***new***
195.210.46.98
178.137.91.250  ***new***
117.21.176.36
209.15.196.171  ***new***
79.141.165.44  ***new***
107.191.125.250  ***new***
216.249.104.194  ***new***
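A watchlist like the one above, together with the "utilize log management" mitigation given for the malvertising item, is only useful once it is matched against logs. The Python script below is an added example and is not part of the newsletter: it parses the Top 20 list as printed (several addresses per line, with the ***new*** markers), validates each address, and checks web-server and firewall log lines against it. The log lines, host names and internal addresses are constructed for illustration.

```python
"""Match log lines against the newsletter's IP watchlist.

Added example, not part of the original newsletter. The watchlist text is
copied from the "Top 20 IP Addresses" section; the log lines are constructed.
"""
import ipaddress
import re

# Copied from the page's "Top 20 IP Addresses" list, keeping its two-column
# layout and its ``***new***`` markers.
WATCHLIST_TEXT = """
50.112.9.154  ***new*** 178.137.162.183 ***new***
84.245.33.104 ***new*** 204.93.197.45  ***new***
78.129.243.85 54.217.247.24 ***new***
82.221.128.206 202.124.109.87   ***new***
106.51.238.74   ***new*** 128.74.88.224 ***new***
82.208.46.3  ***new*** 216.185.52.38   ***new***
62.141.37.230   ***new***
195.210.46.98
178.137.91.250   ***new*** 117.21.176.36
209.15.196.171   ***new*** 79.141.165.44 ***new***
107.191.125.250 ***new*** 216.249.104.194  ***new***
"""

# An IPv4 dotted quad, optionally followed by the newsletter's "new" marker.
_ENTRY_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b(\s*\*\*\*new\*\*\*)?")
# Any IPv4 dotted quad inside a log line.
_IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_watchlist(text):
    """Return {ip: is_new} from the newsletter's plain-text list.

    Several addresses may share one line; the marker applies only to the
    address immediately before it. Malformed octets raise ValueError so a
    typo in the feed is noticed rather than silently matching nothing.
    """
    entries = {}
    for ip, marker in _ENTRY_RE.findall(text):
        ipaddress.ip_address(ip)  # validates that each octet is 0-255
        entries[ip] = bool(marker)
    return entries


def find_hits(log_lines, watchlist):
    """Return one hit dict per watchlisted address found in each log line.

    Every IPv4 address in a line is checked, so both an inbound source
    (web-server access log) and an outbound destination (firewall log)
    are caught. Matching is on the exact address, never on a prefix.
    """
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for ip in _IPV4_RE.findall(line):
            if ip in watchlist:
                hits.append({"line": lineno, "ip": ip,
                             "new": watchlist[ip], "text": line})
    return hits


# Constructed sample log lines (not from the page).
SAMPLE_LOGS = [
    # access log: inbound request from a watchlisted address
    '178.137.91.250 - - [15/Sep/2015:10:12:01 +0000] "GET /login HTTP/1.1" 200 512',
    # firewall log: outbound connection to a watchlisted address
    "Sep 15 10:13:44 fw1 kernel: OUT src=10.0.0.5 dst=50.112.9.154 proto=TCP dpt=443",
    # benign internal request
    '10.0.0.7 - - [15/Sep/2015:10:14:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
    # neighbouring address that must not match (exact match, not prefix)
    "Sep 15 10:15:00 fw1 kernel: IN src=195.210.46.99 dst=10.0.0.5 proto=TCP dpt=22",
]


if __name__ == "__main__":
    watchlist = parse_watchlist(WATCHLIST_TEXT)
    for hit in find_hits(SAMPLE_LOGS, watchlist):
        flag = "NEW" if hit["new"] else "known"
        print(f"line {hit['line']}: {hit['ip']} ({flag}) -> {hit['text']}")
```

Run stand-alone it reports two hits: the inbound request from 178.137.91.250 and the outbound connection to 50.112.9.154, both flagged as new this week. Keeping the "new" flag in the output lets an analyst prioritise addresses that were not on last week's list when reviewing older log data.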