RIG Exploit Kit Starts Using IE Zero-Day Flaw Patched in May

The latest version of the RIG exploit kit, a tool used by cybercriminals to launch large-scale drive-by download attacks, is exploiting an Internet Explorer vulnerability that was patched by Microsoft last month after being found in targeted cyberespionage attacks.

Tracked as CVE-2018-8174, the flaw is located in the Windows VBScript engine and can be exploited through Internet Explorer or other applications that use the engine. It was discovered in April by researchers from Qihoo 360 in a targeted attack that used a malicious Word document with an embedded web page.

At the time of the attack, which some researchers believe was launched by a North Korean state-sponsored group, the flaw had zero-day status, meaning that there was no official patch for it. Microsoft fixed the flaw the following Patch Tuesday, May 8.

After Microsoft released its patch, security researchers from various companies published more detailed analyses of the flaw, which were followed by a proof-of-concept exploit being posted on GitHub and a module based on it being developed for the popular Metasploit penetration testing framework. It seems that RIG's creators took advantage of this public research and integrated the exploit into their toolkit.

“As with its previous campaigns, Rig’s Seamless campaign uses malvertising,” researchers from antivirus firm Trend Micro said in a blog post. “In this case, the malvertisements have a hidden iframe that redirects victims to Rig’s landing page, which includes an exploit for CVE-2018-8174 and shellcode. This enables remote code execution of the shellcode obfuscated in the landing page.”

If the exploit is successful, the shellcode downloads and installs a second-stage component called SmokeLoader that acts as a malware downloader. The final payload is a malicious program that uses the computer’s CPU resources to mine Monero cryptocurrency.

Until recently, the RIG exploit kit was used to infect computers with the GandCrab ransomware and Panda Banker, a variant of the ZeuS banking trojan. The switch to cryptocurrency mining is not entirely surprising, given that this type of threat is very popular with attackers and can result in significant profits.

“Malicious cryptocurrency miners may be less destructive, but their impact is long-term,” the Trend Micro researchers said. “They can remain undetected until telltale signs of infection become more evident, giving cybercriminals time to generate more illicit income.”

This incident should also serve as a warning to companies that delay applying OS and software patches for long periods of time. Nowadays, attackers integrate new exploits into their tools much faster than they did a few years ago, especially if proof-of-concept exploits become publicly available. This means that the time window between when patches become available and when weaponized exploits appear in the wild is constantly shrinking, so companies should adapt their patching policies accordingly.

Two-Thirds of Open Redis Servers Are Infected

Researchers from security firm Imperva have scanned 10,000 Redis servers that are wide open to access from the internet and found that more than two-thirds of them had been compromised by attackers.

The decision to test open Redis servers on the internet came after Imperva collected information from attacks observed against its own Redis honeypots. In most cases, newly spawned honeypot servers started being targeted in less than 24 hours.

“The attack anatomy is quite simple – the attacker sets a key/value pair in the memory and then saves it to a file in the disk in a location that will force the file to run (e.g. /etc/crontabs, /var/spool/cron/crontab etc.),” the Imperva researchers said in a blog post.

Attackers use the Redis servers to mine cryptocurrency but also to attack others. Last month, Imperva observed 75,000 attacks against its own customers that originated from IP addresses that had an open Redis installation.

Redis is an in-memory data store that can be used as a database, cache or message broker. It was built for use on internal networks and doesn't have built-in access controls or encryption. Users are strongly discouraged from exposing Redis servers directly to the internet, but many have ignored this advice, and thousands of such deployments are now reachable online, open for anyone to access and abuse.
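The abuse pattern Imperva describes leaves a recognisable trace: the file dropped into the cron location is written by Redis's own persistence code, so it begins with the RDB magic bytes `REDIS` followed by a version number rather than with a cron line. The following audit helpers are an added example and not Imperva's or the Redis project's code; they flag cron files carrying that header and a Redis `dir`/`dbfilename` configuration that points at a cron path. The cron directories beyond the two the article names, the sample crontab, and the stand-in dump bytes are all constructed for the demo.

```python
"""
Audit helpers for the Redis-to-cron abuse pattern described above.
Added example (not Imperva's or the Redis project's code); all paths beyond
/etc/crontabs and /var/spool/cron/crontab and all sample data are constructed.
"""
import os
import tempfile

# Every file Redis writes through its normal persistence path starts with the
# RDB magic "REDIS" followed by a version number, so a cron file beginning with
# this prefix was almost certainly produced by a Redis save, not by an admin.
RDB_MAGIC = b"REDIS"

# Cron locations to inspect: the two named in the article plus the usual
# Debian/RHEL spool and drop-in directories (assumed, not from the article).
CRON_DIRS = (
    "/etc/crontabs",
    "/var/spool/cron/crontab",
    "/var/spool/cron/crontabs",
    "/etc/cron.d",
)

# Any Redis working directory under these prefixes is treated as suspicious.
CRON_PATH_PREFIXES = ("/etc/cron", "/var/spool/cron")


def is_redis_dump(path: str) -> bool:
    """Return True if the file starts with the RDB magic header."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(RDB_MAGIC)) == RDB_MAGIC
    except OSError:
        return False


def scan_cron_dirs(dirs=CRON_DIRS) -> list:
    """Return cron files that look like Redis dumps; missing dirs are skipped."""
    hits = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            p = os.path.join(d, name)
            if os.path.isfile(p) and is_redis_dump(p):
                hits.append(p)
    return hits


def dir_is_cron_location(d: str) -> bool:
    """True if a Redis 'dir' setting resolves to /etc itself or a cron path."""
    d = os.path.normpath(d)
    return d == "/etc" or any(d.startswith(p) for p in CRON_PATH_PREFIXES)


def suspicious_persistence_config(config: dict) -> list:
    """Explain why a Redis persistence config looks abused, or return [].

    `config` holds the values of CONFIG GET dir and CONFIG GET dbfilename,
    e.g. {"dir": "/var/spool/cron", "dbfilename": "root"}.
    """
    reasons = []
    d = config.get("dir", "")
    name = config.get("dbfilename", "")
    if d and dir_is_cron_location(d):
        reasons.append("dir points at a cron location: %s" % d)
    if name and not name.endswith(".rdb"):
        reasons.append("dbfilename is not an .rdb file: %s" % name)
    return reasons


def build_demo() -> list:
    """Constructed demo: a temp cron dir with one genuine crontab and one
    file shaped like a Redis dump. Returns the basenames that were flagged."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "backup"), "wb") as fh:
        fh.write(b"0 3 * * * /usr/local/bin/backup.sh\n")  # benign, constructed
    with open(os.path.join(tmp, "root"), "wb") as fh:
        # Constructed stand-in for an RDB file: magic, some binary noise, and
        # a text line of the kind cron would still parse from such a file.
        fh.write(b"REDIS0009\x00\xfa\x09redis-ver\x05\n# constructed sample\n\xff")
    return [os.path.basename(h) for h in scan_cron_dirs([tmp])]


if __name__ == "__main__":
    print("flagged in demo dir:", build_demo())
    print("live scan:", scan_cron_dirs())
    print(suspicious_persistence_config({"dir": "/var/spool/cron", "dbfilename": "root"}))
```

Run it as root on a host that exposes Redis to see both checks against the real cron directories; `scan_cron_dirs()` is read-only and simply skips directories that do not exist on the distribution. A hit from either function is a reason to isolate the host and review the crontab contents rather than to delete the file, since the dump also records what the attacker staged in memory.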

— Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

