Malvertising has been back in the news recently.
This is no surprise to us here at Bromium; check out the report we issued on malvertising via YouTube last year.
In our paper we concluded that ad networks could be leveraged by, or even replace, attack kits, giving the bad guys an effective way to target organizations and distribute malware. Unfortunately this appears to be coming true. The question is: what impact will this trend have on our organizations?
The answer is that this trend has the potential to have a tremendous negative impact on our security. Why? Because malvertising often powers drive-by downloads that can compromise a system without requiring the user to do anything but visit a popular, legitimate web site that is unwittingly part of a malvertising network.
Let’s face it, we have all been focused on the spear phishing attacks that have factored into so many successful breaches in recent years, and that is one reason this new attack channel is so dangerous. Conventional wisdom is that if you use a web gateway to block your users from accessing obscure, “uncategorized” or unknown web sites, or sites with poor “web reputation” scores, you will be safe from drive-by attacks.
Malvertising effectively bypasses web filters; after all, who is going to blacklist YouTube or the many popular news sites we have been seeing deliver malvertising payloads? The attackers select these sites precisely because they have pristine web reputations and therefore bypass current defenses.
Malvertising is a very effective delivery channel for targeted watering-hole attacks as well. The image included is a snippet of a Bromium LAVA trace we received from a customer earlier this year, showing the delivery and isolation of a very nasty bootkit served through a malvertisement on an IT support oriented web site. Very nasty indeed: undetectable by AV engines (we tested it against AV comparatives with no hits) and targeted at exactly the right people in the organization if your goal is to establish a privileged beachhead.
So malvertising really does matter if you are concerned with security. I am sure we will be hearing and seeing more on this topic as the future unfolds…