Extensive Malvertising campaign hits Dutch websites

Yesterday, the FOX-IT Security Operations Centre started to see an increase in exploit-kit-related incidents. The incidents originated from a large malvertising campaign hitting the Netherlands. The campaign affected at least 288 websites, including most of the popular Dutch sites. Paul Fletcher, cyber security evangelist at Alert Logic, told @DFMag:

“Advertising networks/brokers can only do so much, because the biggest problem with malvertising has more to do with browser and plug-in settings. Delivering dynamic content to every browser (and version level) and a variety of plug-ins (like Java or Flash) and their version level is a difficult task. Malicious attackers know that browser and plug-in security is more of a “user” responsibility and “users” act differently to pop-ads etc. Advertising networks/brokers could do more to protect their customers, however each “user” would need to help fix this issue. The advertising network/brokers could build in browser and plug-in intelligence into their code and NOT run if the browser and plug-in settings don’t meet a certain standard, however the way to fix the problem is to prompt the user to update their settings (which is counter to good user behaviour…clicking on a link to “update” plugins) or NOT deliver the marketing content (which is counter to ads in the first place).

Malvertising is still a problem because of possible zero day threats to browser-based plug-ins. Also, most end users don’t update their browsers and plug-ins in a timely manner. Organisations should maintain a minimum baseline for browser versions and plug-ins, have a process to identify and remediate “out of compliance” browsers and include browser and plug-in settings in their Patch Management system.

Advertising networks/brokers could try to enforce a “minimum” version level for browsers and plug-ins, but that is a difficult task that is dynamically changing. Users can disable plug-ins (but probably won’t because it causes a disruption to their web browsing experience) and be willing to use other browsers with the proper updates (again, that changes the web browsing experience and takes time and effort on the user’s part). Finally, users can use browsers that currently support “sandboxing” technology, like Google Chrome, Internet Explorer and Microsoft Edge.”

Fraser Kyne, regional SE director at Bromium, added the following comments:

“Malvertising is highly effective because cyber criminals can target their attacks to specific demographics and deliver them with tremendous volume. The online advertising model is such that ad networks simply cannot verify the validity of each and every advertisement they serve, which ultimately passes the cost of security onto security teams. In order to prevent malvertisements, and other endpoint attacks, organisations should invest in strong endpoint protection. Most traditional endpoint protection solutions are failing because they rely on detection, which allows many attacks to succeed. Instead, organisations should investigate proactive protection, in the form of prevention, such as endpoint threat isolation or virtualization based security. Additionally, ad-blocking browser extensions can be a highly effective way of mitigating malvertising attacks.”