This Week in Security: No Exploit Needed

Malvertising Consortium Uncovered

Researchers at Confiant have uncovered a massive malvertising network that served up 1 billion ad impressions affecting 62% of ad-monetized websites. The malicious ads redirect users to a variety of fraudulent pages including fake tech support pages, malicious Flash player updates, and fake antivirus alerts. These webpages trick the user into calling up a random phone number and providing their credit card or downloading a malicious executable.

The attack vector isn’t new but it’s starting to pick up tricks from exploit kits by fingerprinting the browser session to determine if it’s a real user, bot, or virtual machine. Evading bots and virtual machines serves two purposes: to avoid getting caught by security researchers and not wasting an ad impression.

The interesting part of this massive malvertising network is the use of shell corporations, fake LinkedIn personas, and social media presence. If anything, this consortium has all the hallmarks of an advanced cyber campaign. Unfortunately, legitimate modern-day advertising networks are indistinguishable from exploit kit networks.

Protect yourself by keeping your operating system, browser, and antivirus updated.

Fire & Fury

All the buzz about Michael Wolff’s new book, Fire & Fury, have made it an enticing lure for users looking to acquire a copy through less than legal means. Researchers found that a truncated PDF of the book was being distributed along with a backdoor, allowing an unidentified actor to take control over the victim’s computer.

Developing new exploits is hard. Creating new lures to entice users into downloading and opening a file is easy. It’s only a matter of time until the bad guys start attaching malware to Tide PODS memes - too bad it won’t leave your computer in a clean state.

Those files you acquire through unscrupulous websites or peer-to-peer networks don’t exactly have the provenance of being safe. Just don’t do it.

The Sky is Falling

Earlier this week, the Skyfall and Solace attacks were revealed to be a hoax. The author claims it was a social experiment to determine how the Internet would react to new named vulnerabilities seeded by a couple of tweets and comments.

The original page (now removed) attempted to build upon the hype of Meltdown and Spectre by pre-announcing a new pair of vulnerabilities named Skyfall and Solace. The names are a play on the Daniel Craig series of Bond movies to hint at vulnerabilities in Intel’s Skylake and Oracle’s Solaris.

We get it: named vulnerabilities suck, but this was a bad hoax that did nothing more than add more unnecessary noise in an already chaotic situation involving speculative execution side-channel attacks.

If the security of your network falls apart when faced against a zero-day exploit, there was no security to begin with and it’s time to rethink your security architecture.