With ransomware attacks on the rise, most of the focus is on the importance of a robust backup strategy and whether or not to pay the ransom. But this is also a good time to double down on the security basics since having a proper patch management strategy can make a difference.
Over the past few months, several popular exploit kits have incorporated ransomware into their attacks. These kits rely heavily on vulnerabilities in Adobe Flash and Microsoft Silverlight to deliver ransomware such as Cryptowall, AlphaCrypt, and TeslaCrypt, according to a recent Recorded Future analysis. The researchers found that three recently patched flaws in Flash and one in Silverlight are “key in-roads” for Angler, Neutrino, and Nuclear exploit kits to infect victims with ransomware.
“Patching recent vulnerabilities can significantly blunt the impact of ransomware delivered by exploit kits,” wrote Recorded Future's Scott Donnelly.
Recorded Future found that Angler began targeting a remote code execution flaw in Silverlight (CVE-2016-0034) to drop TeslaCrypt on user systems back in February. Microsoft patched the critical Silverlight vulnerability as part of its January security release, and at the time noted it was under “limited attack.” It took only a few weeks for the flaw to be added to Angler and used in broader attacks.
Adobe patched both Flash Player’s heap buffer overflow vulnerability (CVE-2015-8446) and integer overflow vulnerability (CVE-2015-8951) back in December, and the type confusion vulnerability (CVE-2015-7645) in October. The integer overflow and type confusion bugs were under “limited, targeted attacks,” Adobe said at the time. The Flash flaw patched in October has been linked to the Pawn Storm cyber espionage campaign targeting foreign affairs ministries.
Angler, Neutrino, Magnitude, RIG, and Nuclear exploit kits have incorporated at least one of the above-named Flash vulnerabilities. So far, Angler appears to be the only one targeting all three, Recorded Future said.
Several municipal medical and police computer systems have been targeted by ransomware in North America and Europe over the past few months. “Poor patching and overwhelmingly disappointing security hygiene put local public safety and government computer systems at risk,” Donnelly said.
Don’t let the bad guys in
Exploit kits rely on outdated and vulnerable versions of software to launch drive-by-download attacks. Victims don’t need to click on anything to download the malware: the exploit kit on the website probes the system to identify vulnerable software and launches the appropriate exploit.
These attacks succeed because there is a lag time between when security updates are released and when the updates are applied. The kits don’t need to resort to zero-days because the window of opportunity is sufficiently wide and the number of victims large enough. Some of the more advanced exploit kits, such as Angler, are very prompt about incorporating exploits and frequently have new exploits within weeks, if not days, of a vulnerability being publicized.
Angler has also been behind several recent malvertising ransomware campaigns, where malicious ads displayed on legitimate sites (such as MSN and multiple media outlets) redirect users to sites serving up exploit kits. Keeping the operating system up to date and staying on top of patches for popular software such as Web browsers, Flash Player, Silverlight, and Java keeps both drive-by download attacks and malvertising campaigns that depend on exploit kits from succeeding.
There are several good business reasons for delays in applying patches. Downtime can be a problem, and each patch has to be tested to make sure it is compatible with other installed applications. All of this is time-consuming, and IT teams have to prioritize which patches to deploy first.
“Patching vulnerabilities has real business impact because patching may cause downtime and incompatibility. Prioritizing patches is therefore essential to a successful patch management program,” Donnelly said.
Patches to prioritize
Recorded Future recommended patching the three Flash vulnerabilities as well as Silverlight right away, along with eight other Flash flaws heavily used by exploit kits in 2015. Though it was patched in February 2015, the use-after-free vulnerability in Flash (CVE-2015-0313) was the most frequently used flaw by exploit kits in 2015. The third- and fifth-most-used Flash flaws were added to exploit kits immediately after the attack against Hacking Team and the resulting leak of Flash zero-days (CVE-2015-5119, CVE-2015-5122). Keeping Flash Player up to date ensures exploit kits can’t exploit the remaining flaws (CVE-2015-0359, CVE-2015-3113, CVE-2015-0311, CVE-2015-3090, CVE-2015-0336) to deliver their payloads.
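The prioritization the article describes, ranking pending patches by whether the flaw they fix is already weaponized in an exploit kit, is easy to turn into a repeatable triage step. The script below is an added example, not Recorded Future's or the article's own tooling. The CVE list and its flags (exploit-kit use, vendor-reported attacks or a leaked zero-day before the fix) come from the article; the patch dates use only the month the article gives, so the day of month is an assumption; the per-host list of missing patches, the "EXAMPLE-0001" placeholder for an ordinary non-weaponized patch, and the reference date TODAY are constructed for the demonstration.

```python
"""Risk-based patch prioritization: rank missing patches so that fixes for
vulnerabilities already weaponized by exploit kits are deployed first.
Added example; not Recorded Future's or the article's own code."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed reference date for the exposure-window calculation.
TODAY = date(2016, 3, 1)


@dataclass(frozen=True)
class Vuln:
    cve: str
    product: str
    patched_on: Optional[date]    # vendor fix date; article gives only the month, day=1 is assumed
    kit_weaponized: bool          # incorporated into at least one exploit kit (per the article)
    exploited_before_patch: bool  # vendor reported attacks at release, or a leaked zero-day


# Vulnerabilities named in the article. Flags and months are taken from it.
CATALOG: Dict[str, Vuln] = {v.cve: v for v in [
    Vuln("CVE-2016-0034", "Silverlight", date(2016, 1, 1), True, True),
    Vuln("CVE-2015-8446", "Flash Player", date(2015, 12, 1), True, False),
    Vuln("CVE-2015-8951", "Flash Player", date(2015, 12, 1), True, True),
    Vuln("CVE-2015-7645", "Flash Player", date(2015, 10, 1), True, True),
    Vuln("CVE-2015-0313", "Flash Player", date(2015, 2, 1), True, False),
    # Patch month not given in the article; unknown age sorts after known ages.
    Vuln("CVE-2015-5119", "Flash Player", None, True, True),
    Vuln("CVE-2015-5122", "Flash Player", None, True, True),
    # Constructed placeholder for a routine patch with no known exploit-kit use.
    Vuln("EXAMPLE-0001", "Example LOB app", date(2015, 6, 1), False, False),
]}

# Constructed scanner output: host -> patches still missing on that host.
MISSING: Dict[str, Set[str]] = {
    "ws-finance-01": {"CVE-2016-0034", "CVE-2015-8446", "EXAMPLE-0001"},
    "ws-finance-02": {"CVE-2015-8446", "CVE-2015-0313"},
    "ws-hr-01":      {"CVE-2015-0313", "EXAMPLE-0001"},
    "kiosk-lobby":   {"CVE-2015-5119", "CVE-2015-5122", "CVE-2015-7645"},
}


def exposure_days(v: Vuln, today: date = TODAY) -> int:
    """Days a fix has been available but not applied; 0 when the date is unknown."""
    return (today - v.patched_on).days if v.patched_on else 0


def lookup(cve: str, catalog: Dict[str, Vuln]) -> Vuln:
    """Unknown identifiers get a neutral record rather than crashing the triage."""
    return catalog.get(cve) or Vuln(cve, "unknown", None, False, False)


def prioritize(missing: Dict[str, Set[str]],
               catalog: Dict[str, Vuln] = CATALOG,
               today: date = TODAY) -> List[Tuple[str, List[str]]]:
    """Return (cve, affected hosts) pairs, most urgent first.

    Order: exploit-kit weaponized first, then widest reach across hosts,
    then flaws attacked before a fix existed, then the longest open window.
    The CVE string is the final key so the ordering is deterministic.
    """
    hosts_by_cve: Dict[str, Set[str]] = {}
    for host, cves in missing.items():
        for cve in cves:
            hosts_by_cve.setdefault(cve, set()).add(host)

    def key(cve: str):
        v = lookup(cve, catalog)
        return (not v.kit_weaponized,
                -len(hosts_by_cve[cve]),
                not v.exploited_before_patch,
                -exposure_days(v, today),
                cve)

    return [(cve, sorted(hosts_by_cve[cve])) for cve in sorted(hosts_by_cve, key=key)]


def kit_exposed_hosts(missing: Dict[str, Set[str]],
                      catalog: Dict[str, Vuln] = CATALOG) -> Dict[str, List[str]]:
    """Hosts that an exploit kit could currently compromise, with the reason."""
    return {host: sorted(c for c in cves if lookup(c, catalog).kit_weaponized)
            for host, cves in missing.items()
            if any(lookup(c, catalog).kit_weaponized for c in cves)}


if __name__ == "__main__":
    for cve, hosts in prioritize(MISSING):
        v = lookup(cve, CATALOG)
        print(f"{cve:14} {v.product:16} kit={v.kit_weaponized!s:5} "
              f"hosts={len(hosts)} open={exposure_days(v)}d")
    print("hosts reachable by exploit kits:", kit_exposed_hosts(MISSING))
```

Feeding real scanner output into MISSING and extending CATALOG from a threat-intelligence feed turns this into the "deploy these first" list the article argues for; the same ordering also highlights the longest-open windows, which is the lag exploit kits depend on.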
Uninstalling rarely used software is a good idea, as it reduces the attack surface. But for many enterprises that still rely on popular software such as Flash, Java, and Silverlight, that isn’t an option. They need to update frequently to stay ahead of the exploit kits.
Ransomware utilizes many different attack vectors, including spam messages with malicious attachments, phishing emails with suspicious links, and websites offering booby-trapped files for download. Exploit kits are only one of them. Stay on top of patches, and reduce the danger of a ransomware infection. That’s one fewer scenario where the enterprise has to deal with an extortion demand.