“Zombifying” cyber-attack could affect +50 million users

More than 50 million people per month could be at risk of a mass-scale ‘malvertising’ cyber-attack that turns computers into Zombies, according to researchers at Websense. The attack routes through advertising platforms to target popular websites, with researchers noting breaches on Bejewelled Blitz on Facebook, CNN Indonesia, the official websites of Prague Airport and RTL Television Croatia, as well as Detik and AASTOCKS.

It was discovered that the attack utilises open advertising platform OpenX, which sees up to 100 billion impressions per month, to compromise and inject malicious code which is spread to multiple websites. The injected code leads to a redirect which has been seen to lead to the highly prevalent Angler Exploit Kit, which exploited the latest Adobe Flash Player vulnerability (CVE-2015-3090), distributed CryptoWall 3.0, Bedep and Necurs, as well as a Trojan known as ‘Bunitu.’ The Bunitu malware dropped by Angler ‘Zombifies’ computers, by causing infected machines to act as a proxy. This enables it to be used for subsequent malicious activity and allows cybercriminals to hide behind legitimate users’ machines to avoid detection by the authorities.

Carl Leonard, principal security analyst at Raytheon|Websense, said: “Advertising networks are an increasingly popular focus for cybercriminals, as they open up avenues to infect millions of users with minimal effort. The growing nature of evasion, stealth and variation employed in the malicious code means that it’s more important now than ever to deploy a security solution capable of stopping threats at multiple points in the kill chain.”

Commenting on this, Lancope CTO, TK Keanini, said:

“I think this quote from Websense says it all, and let me call out a few things here to highlight the salient points.

These methods are popular for cybercrime because they require minimal effort, which means lowering their operational costs.  We, in turn, need to ensure that we are doing everything thing to raise their operating costs.  Business leaders understand these economics, and until we treat this as a business problem, cyber crime will continue to operate at a low cost and high profit meaning their business is growing and they are expanding.

He also says that we need to do everything to stop their operations along the kill chain.  This kill chain terminology limits us in our discussion, and I prefer to call it the attack continuum because then we can, in the same thought process, speak about a defence continuum which describes perfectly the strategy we must instrument and operate.  The defence continuum captures the defender’s tactics, techniques and procedures that raise to the cost to the attacker’s operation and objectives.”