Exploit Kits for All

By Andrea Kaiser
Posted on March 2, 2016
Updated on March 4, 2020


Cybercriminals have many different tactics to attempt to gain control of your computer or steal your personal information. One of them is the exploit kit (EK). An EK is a toolkit hosted on a web server that fingerprints a visiting browser and serves an exploit for a specific vulnerability in that browser or one of its plugins; a successful exploit lets the attacker run code on, and take control of, the visitor's system. A compromised site only needs a small hidden redirect in its page code to send visitors to the EK, so to the visitor the EK is invisible.
Whether a vulnerability has been around for months or it is a zero-day exploit, the attacker is counting on you to put off updating that vulnerable web browser or plugin. They’re counting on you clicking “remind me later,” every time you’re prompted to install an update.
Although it causes all sorts of security problems, “remind me later” really is a necessity. You don’t always want to update to the latest software version. Updating one software version sometimes breaks another piece of crucial software. So, you defer and continue pushing off the update until everything is compatible. Then there’s the inconvenience. Wait for an installation and then a reboot in the middle of a work day? Never. Gonna. Happen.
The attackers know these systems are out there, unpatched against the latest vulnerabilities. How do attackers find a computer to exploit? Spam and phishing are a common strategy. You know when you receive that email with all of the empty promises of a bad infomercial?
“Click here for singles in your area that want to meet you!”
“Click here to lose weight instantly. The new mouse clicking exercise routine awaits!”

Once you click a link in a phishing email, your browser is likely directed to a compromised website hosting an EK, ready to take advantage of your out-of-date browser or plugins. One of the most widely used EKs at the moment is Angler. Throughout 2015, Angler was seen exploiting mainly vulnerabilities (tracked as Common Vulnerabilities and Exposures, CVEs) in Flash, Internet Explorer, and Silverlight [1].
Phishing links aren't the only route to an exploit kit. It could be a seemingly innocuous website that you visit regularly, like your banking site. One technique used on compromised websites is to modify the site's HTML so that it loads a malicious Flash file from yet another compromised site. That Flash object then issues an HTTP POST request to an attacker-controlled "gate", and the response to the POST redirects the visitor to another website: the EK landing page.
When the landing page for the EK is reached, it decides which exploit to deploy based on browser and plugin information gathered from the visitor. The goal is a drive-by download. If the exploit succeeds, the payload (malware) is downloaded and executed, and post-infection communication to command and control (C&C) servers begins.
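The chain described in the two paragraphs above (legitimate page, Flash object, POST to a gate that answers with a redirect, landing page, binary payload, then a callback to a new host) is visible in web-proxy logs if you link each request to the one that caused it. The following script is an added example, not code from the original post or from Cisco/OpenDNS: it reconstructs such chains from constructed log lines using two linking rules (a Referer that names an earlier URL, or a 3xx response followed moments later by the next request) and flags chains that end in a binary download. The log format, host names, thresholds and the "callback" heuristic are all assumptions for illustration; adapt the parser to your proxy's real format.

```python
"""Reconstruct and flag drive-by download chains from web-proxy log lines.

Added example, not code from the original post. The log columns
(time client method url status content-type referer), the host names and
the time windows are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
from urllib.parse import urlsplit

BINARY_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}
FLASH_TYPE = "application/x-shockwave-flash"
REDIRECT_GAP = timedelta(seconds=3)     # a 3xx followed this soon by a request is treated as its redirect target
CALLBACK_WINDOW = timedelta(seconds=60) # look for C&C-style POSTs this long after a payload download

# Constructed sample log (one client hits a compromised page and is redirected to an EK;
# a second client fetches the same page but nothing else happens).
SAMPLE_LOG = """\
2016-03-01T10:00:00 10.0.0.5 GET  http://news.example.com/index.html 200 text/html -
2016-03-01T10:00:01 10.0.0.5 GET  http://cdn.example.com/site.css 200 text/css http://news.example.com/index.html
2016-03-01T10:00:01 10.0.0.5 GET  http://ads.example.net/promo.swf 200 application/x-shockwave-flash http://news.example.com/index.html
2016-03-01T10:00:02 10.0.0.5 POST http://ads.example.net/gate.php 302 text/html http://ads.example.net/promo.swf
2016-03-01T10:00:02 10.0.0.5 GET  http://landing.example.org/forum/viewtopic.php?id=17 200 text/html -
2016-03-01T10:00:04 10.0.0.5 GET  http://landing.example.org/forum/payload.bin 200 application/octet-stream http://landing.example.org/forum/viewtopic.php?id=17
2016-03-01T10:00:09 10.0.0.5 POST http://cb.example.org/sr.php 200 text/plain -
2016-03-01T10:05:00 10.0.0.9 GET  http://news.example.com/index.html 200 text/html -
2016-03-01T10:05:01 10.0.0.9 GET  http://cdn.example.com/site.css 200 text/css http://news.example.com/index.html
"""


@dataclass
class Req:
    ts: datetime
    client: str
    method: str
    url: str
    status: int
    ctype: str
    referer: str
    parent: Optional["Req"] = None  # the request that caused this one, once linked


def parse_log(text):
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, ctype, referer = line.split()
        reqs.append(Req(datetime.fromisoformat(ts), client, method, url, int(status), ctype, referer))
    return reqs


def link_parents(reqs):
    """Group requests per client (time-ordered) and attach each to its likely cause."""
    by_client = defaultdict(list)
    for r in sorted(reqs, key=lambda r: r.ts):
        by_client[r.client].append(r)
    for seq in by_client.values():
        for i, r in enumerate(seq):
            # Rule 1: the Referer names a URL this client fetched earlier.
            for prev in reversed(seq[:i]):
                if r.referer == prev.url:
                    r.parent = prev
                    break
            # Rule 2: no usable Referer (Flash-driven navigation often sends none),
            # but the previous request was answered with a 3xx moments ago.
            if r.parent is None and i > 0:
                prev = seq[i - 1]
                if 300 <= prev.status < 400 and r.ts - prev.ts <= REDIRECT_GAP:
                    r.parent = prev
    return by_client


def chain_to_root(r):
    chain = []
    while r is not None:
        chain.append(r)
        r = r.parent
    return chain[::-1]


def is_binary(r):
    return r.ctype in BINARY_TYPES or urlsplit(r.url).path.lower().endswith((".exe", ".dll", ".bin", ".scr"))


def find_driveby_chains(text):
    """Return [(chain_urls, callback_urls)] for every suspected drive-by download."""
    by_client = link_parents(parse_log(text))
    findings = []
    for seq in by_client.values():
        for r in seq:
            if not is_binary(r):
                continue
            chain = chain_to_root(r)
            # A download straight from the page you typed in is not a drive-by; require at
            # least two hops before the binary and a Flash object or redirect along the way.
            suspicious_hop = any(h.ctype == FLASH_TYPE or 300 <= h.status < 400 for h in chain[:-1])
            if len(chain) >= 3 and suspicious_hop:
                chain_hosts = {urlsplit(h.url).hostname for h in chain}
                callbacks = [c.url for c in seq
                             if c.method == "POST" and c.referer == "-"
                             and r.ts < c.ts <= r.ts + CALLBACK_WINDOW
                             and urlsplit(c.url).hostname not in chain_hosts]
                findings.append(([h.url for h in chain], callbacks))
    return findings


if __name__ == "__main__":
    for urls, callbacks in find_driveby_chains(SAMPLE_LOG):
        print("suspected drive-by chain:\n  " + "\n  -> ".join(urls))
        print("possible post-infection callbacks:", callbacks or "none")
```

On the sample data the script reports one five-hop chain from news.example.com through the Flash object and the 302-answering gate to the payload, plus the referer-less POST to cb.example.org a few seconds later. The second client, who only loaded the page and its stylesheet, produces nothing, which is the point of requiring a binary leaf rather than alerting on every visit to the compromised site.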
Payloads vary; the most prevalent are ransomware variants and infostealers. Ransomware, such as TeslaCrypt [2], encrypts specific file types on your computer so that you can no longer access them, then offers to decrypt them after receiving payment.

[Figure: TeslaCrypt callback traffic to compromised domains.]

An infostealer Trojan such as Dridex [3] can take screenshots while you use your computer, capture information entered into forms on specific sites you visit, and redirect you to fake banking sites.

[Figure: Dridex XML configuration, showing which URLs to use to capture form submissions.]

Of course, the goal of exploitation isn't always to steal your personal information. The aim could be to keep infecting more computers, leaving a backdoor for remote access and enlisting the machines into a zombie botnet. A botnet is a set of infected computers that take commands from a C&C server and are used for spamming or DDoS attacks.
Let's not forget the vigilantes. There are rumors of vigilante white/gray hats taking over the Dridex botnet to push out payloads of popular antivirus software. The AV cleans the machine of every piece of malware in its definitions and then releases control. The anti-malware malware.
To keep up to date on the latest CVEs, sign up with US-CERT to receive alerts on exploits and zero-days. Another good resource is the Offensive Security Exploit Database. Give the database a search before you add that new plugin to your WordPress site. Speaking of WordPress, the Exploit Database currently has 857 archived exploits related to the publishing platform. If you're running WordPress, it's imperative that you keep it, and its plugins, up to date. The majority of the EKs that researchers find are hosted on compromised WordPress sites [4].
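Checking a plugin against the Exploit Database before installing it only helps if you also know which plugins and versions are already on the site. The script below is an added example, not code from the original post or from the WordPress project: it inventories the plugins under a wp-content/plugins directory by reading the standard WordPress plugin header (the "Plugin Name:" and "Version:" lines at the top of the main plugin file) and compares each version numerically against a table of first-fixed releases. The plugin names, versions and the fixed-version table are constructed for illustration and are not real advisories; in practice you would fill that table from the alert sources named above.

```python
"""Inventory WordPress plugin versions and flag those below a known-fixed release.

Added example, not code from the original post. The header format is
WordPress's own; the plugins, versions and FIXED_IN table are constructed.
"""
import os
import re
import tempfile

# Matches "Plugin Name: ..." and "Version: ..." header lines, with or without a leading "*".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

# Constructed table: plugin slug -> first release that fixed a known issue.
FIXED_IN = {"example-gallery": "1.10.0", "example-forms": "2.3.1"}


def parse_version(v):
    """'1.10.0' -> (1, 10, 0). Compare as integer tuples: as strings, '1.9' > '1.10'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def plugin_headers(path):
    with open(path, encoding="utf-8", errors="replace") as f:
        head = f.read(8192)  # WordPress itself only reads the first 8 KB of the file
    return dict(HEADER_RE.findall(head))


def inventory(plugins_dir):
    """Return {slug: version} for every plugin directory that carries a header."""
    found = {}
    for slug in sorted(os.listdir(plugins_dir)):
        d = os.path.join(plugins_dir, slug)
        if not os.path.isdir(d):
            continue
        for fn in sorted(os.listdir(d)):
            if fn.endswith(".php"):
                hdr = plugin_headers(os.path.join(d, fn))
                if "Plugin Name" in hdr:
                    found[slug] = hdr.get("Version", "0")
                    break
    return found


def outdated(inv, fixed_in=FIXED_IN):
    """Slugs whose installed version is older than the first fixed release."""
    return sorted(s for s, v in inv.items()
                  if s in fixed_in and parse_version(v) < parse_version(fixed_in[s]))


def make_sample_site():
    """Build a constructed wp-content/plugins tree so the example runs stand-alone."""
    root = tempfile.mkdtemp()
    samples = {"example-gallery": "1.9.2", "example-forms": "2.3.1", "hello": "1.7"}
    for slug, ver in samples.items():
        os.makedirs(os.path.join(root, slug))
        with open(os.path.join(root, slug, slug + ".php"), "w") as f:
            f.write(f"<?php\n/*\nPlugin Name: {slug}\nVersion: {ver}\n*/\n")
    return root


if __name__ == "__main__":
    import sys
    plugins_dir = sys.argv[1] if len(sys.argv) > 1 else make_sample_site()
    inv = inventory(plugins_dir)
    for slug, ver in inv.items():
        print(f"{slug:20} {ver}")
    print("outdated:", outdated(inv) or "none")
```

Run it with the path to a real wp-content/plugins directory as the first argument, or with no argument to use the constructed sample, where example-gallery 1.9.2 is flagged as older than 1.10.0 while example-forms, already at the fixed release, is not. The numeric comparison matters: a naive string comparison would call 1.9.2 newer than 1.10.0 and miss the outdated plugin.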
Be sure to always update your OS, web browsers, and plugins with the latest patches. You can also use Umbrella, OpenDNS's flagship enterprise security product, to get a dashboard with centralized visibility and control over all of your organization's offices and users, no matter where they operate. And with Investigate, you can pivot through an attacker's infrastructure to detect or respond to threats.
[Figure: Umbrella Investigate view of a domain that OpenDNS has blocked for being associated with TeslaCrypt.]
Of course, you could always keep hoping for some of that anti-malware-malware to drop on your systems.
