Hadar Blutrich, CEO of Source Defense

For the gang of hackers behind it, it was like manna from heaven: A practically foolproof method of hijacking fans of some of the biggest news sites in the world and installing malware, ransomware, key-loggers, and a host of other exploits, that are extremely difficult for even the best security software to discover. How many victims of the Stegano exploit fell into the clutches of hackers we'll probably never know, but the “poison pixel” ads that hackers used to rope in victims are still out on the web, according to many security experts. 

Stegano, which has been around since at least 2014, came into new prominence in recent months when it was used to cleverly hijack readers of “popular news sites,” according to ESET Research, which first published details of the exploit. Hackers used ad networks to distribute malicious scripts that ran an exploit hidden in the ad image's invisible alpha channel. The exploit – which did not substantially change the banner ad at all, making it almost impossible for a user to detect that anything was wrong – checked whether any security software, sandboxes, etc. were present; if they were not, it redirected to a page that downloaded a payload and used regsvr32.exe or rundll32.exe to install it. According to ESET, “payloads detected so far include backdoors, banking Trojans, spyware, file-stealers and various trojan downloaders.” The exploit also worked automatically; the mere presence of the served banner ad on a page was enough to activate the exploit and the subsequent payload installation, without the need to click on anything. 

It sounds like an incredible, unbelievable story – until one examines the details of the perpetrators. The Stegano campaign was just the latest tactic of the cyber-crooks behind the AdGholas campaign, which for years has been exploiting web ad networks by serving up exploit-laden ads. First outed by Proofpoint in mid-2016, AdGholas hackers have been using exploit kits for years to corrupt banner ads served up by ad networks that have been unable to prevent such activities. The hackers act like real advertisers, create an account on the ad exchange, and target specific groups (locations, IP address groups, browsers, etc.) with their versions of the same ads served by the network. Using this method, AdGholas was able to rope in as many as a million users a day – and the latest Stegano-based iteration of their campaign is a definite step up in sophistication and effectiveness, according to ESET.

The AdGholas/Stegano exploits are an example of “malvertising,” but the problem goes far beyond “bad ads.” Malvertising is just one vehicle hackers can take advantage of when abusing remotely-called third-party scripts, the scripts that web site owners rely on to be a part of the World Wide Web. Without these scripts, which provide a slew of essential services – social media, comment services, advertising, content distribution, site analytics, and much more – the web as we know it would not be possible. Banner ad hijacking is perhaps the least of the issues: other exploits based on XSS vulnerabilities could be used to steal credit card data or hijack shopping sessions, to replace content on a site with malicious files, or to install a keylogger that steals authentication information for banks and e-commerce sites.

The truth is that many of these vulnerabilities are well known among not only cyber-criminals, but cyber-security experts as well – yet they persist. According to industry statistics, about 85 percent of hacks on sites come from third-party servers, and victims only find out about them on average 87 days later – and there seems to be no end in sight. Why hasn't a solution been found yet? I believe it's because companies have been concentrating their efforts on detecting these attacks – instead of trying to prevent them in the first place. 

That may sound strange – of course preventing a threat from hitting a site would be preferable to rooting it out once it's there – but the reality of the web business often dictates the way site administrators have to work. In a sense, administrators are hostages to the system. Such scripts can be directly targeted at specific groups and users, and the script served to a site administrator might be very different from what a user will get. There is no way for administrators to check the integrity of the scripts being sent to their sites – except via a code review, which, if a site administrator is to get any work accomplished, cannot be done on a daily basis. And even if they could somehow evaluate the scripts they are sent – would they have the time and ability to check the remote scripts that those scripts call in turn, a not uncommon scenario today? 

The answer, it seems to me, lies in building an invulnerable wall around a web site, instead of trying to solve the security problems of script providers. One way to do this is to utilise a virtual web environment – a sort of “next generation sandbox” – where scripts can execute, along with an intelligent security monitoring system that examines what they do. If an ad network serves up a banner ad, for example, the ad could appear on a “web page” that contains only what the script is “allowed” to see – a virtual page that exists to let the script run but is completely separated from the main page. If it behaves properly, the executed code – i.e. the banner ad – is allowed to proceed and show up on the “real” web page. If it tries anything untoward, it is still allowed to proceed – but only on the virtual page, where there is nothing for it to exploit. The same goes for any other script, from those that deliver malicious content to the ones that try to install keyloggers. 
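To make the virtual-page idea concrete, here is an added JavaScript sketch (my illustration, not Source Defense's product code): a third-party script runs against a proxied document that exposes only the elements it is allowed to touch, every access outside that allow-list is recorded, and the script's output is copied to the real page only if it behaved. The page object, element ids and the two sample scripts are all constructed for the example.

```javascript
// Constructed stand-in for the real DOM: an ad slot and a sensitive field.
function makePage() {
  return {
    'ad-slot': { innerHTML: '' },
    'card-number': { value: '4111 1111 1111 1111' },
  };
}

// Run scriptSource against a virtual document that only exposes allowedIds.
// Returns whether the script was allowed through and what it tried to do.
function runInVirtualPage(page, scriptSource, allowedIds) {
  const violations = [];
  const staging = {};                      // the script's scratch copies
  for (const id of allowedIds) staging[id] = { ...page[id] };

  const virtualDocument = {
    getElementById(id) {
      if (allowedIds.includes(id)) return staging[id];
      violations.push(`getElementById(${JSON.stringify(id)})`);
      return { value: '', innerHTML: '' };  // decoy node: nothing to exploit
    },
    addEventListener(type) {                // e.g. a keydown hook for keylogging
      violations.push(`document.addEventListener(${JSON.stringify(type)})`);
    },
  };

  try {
    // The script only ever sees the virtual document, never the real page.
    new Function('document', scriptSource)(virtualDocument);
  } catch (err) {
    violations.push(`threw: ${err.message}`);
  }

  if (violations.length === 0) {
    // Well-behaved: commit the staged changes to the real page.
    for (const id of allowedIds) Object.assign(page[id], staging[id]);
    return { allowed: true, violations };
  }
  // Misbehaved: its changes stay on the virtual page and are discarded.
  return { allowed: false, violations };
}

// Constructed third-party scripts: a plain banner, and one that strays.
const bannerScript = `document.getElementById('ad-slot').innerHTML = '<img alt="banner">';`;
const strayScript = `document.getElementById('ad-slot').innerHTML = '<img alt="banner">';
  document.getElementById('card-number').value;
  document.addEventListener('keydown', function () {});`;
```

A real implementation would have to cover the whole DOM, timers, network calls and nested script loads, but the decision logic (observe on a decoy, commit only on good behaviour) is the same.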

Thus, the equation is flipped: instead of the impossible task of defending against, or supervising, dozens or even hundreds of scripts, getting past the virtual web pages is now the hackers' problem. With such a system installed, administrators can enjoy all the fruits of the web, supplying the services their users have come to expect and that they need to be a part of today's web – but without the headache and the hassle. This, I believe, is where the industry is heading, and the sooner it gets there, the better for all of us. 

Contributed by Hadar Blutrich, CEO, Source Defense 

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.