What you need to know about computer exploits
Computer exploits. What are they and why should you care?
Have you ever noticed how software developers are forever patching and updating their software—sometimes releasing updates mere days after the initial software release?
That’s because every piece of software you own and will ever own in your life will have vulnerabilities cybercriminals can find and take advantage of—in other words, “exploit.” There is no such thing as exploit-free software—there will always be holes. Computer software is about as solid as a block of Swiss cheese.
By way of exploits, cybercriminals can gain access to your computer and steal sensitive information or install malware. Despite a slow-down in exploit activity, cybercriminals are continuing to fall back on this stealthy method of attack. With that in mind, now is the perfect time to educate ourselves on the topic of exploits and protect ourselves accordingly. So scroll down, read on, and learn everything you need to know about computer exploits.
What is an exploit?
A computer exploit is a type of malware that takes advantage of bugs or vulnerabilities, which cybercriminals use to gain illicit access to a system. These vulnerabilities are hidden in the code of the operating system and its applications just waiting to be discovered and put to use by cybercriminals. Commonly exploited software includes the operating system itself, browsers, Microsoft Office, and third-party applications. Sometimes exploits are packaged up by cybercriminal groups into what’s called an exploit kit. Exploit kits make it easier for criminals with limited technical knowledge to use exploits and spread malware.
To gain a better understanding of what exploits are, it may help to think of the expensive bicycle and laptop cylinder locks popular in the early 2000s. People paid upwards of $50 for these locks, thinking the locks kept their valuables secure, until someone posted a video online demonstrating how these locks could be picked in a matter of seconds using a cheap and readily available Bic pen. This forced the lock makers to update their locks and consumers had to upgrade to the new pick-proof locks. This is a tangible exploit of a physical security system. As it applies to software, cybercriminals are looking for clever tricks, just like the Bic pen guy, that will allow them access to other people’s computers, mobile devices and networks.
Exploit attacks often start with malspam and drive-by downloads. Cybercriminals trick unsuspecting victims into opening an infected email attachment or clicking links that redirect to a malicious website. Infected attachments, often a Word document or PDF, will contain exploit code designed to take advantage of application weaknesses.
Drive-by downloads take advantage of vulnerabilities in your browser, like Internet Explorer or Firefox for example, or the plug-ins running within your browser such as Flash. You may visit a website you’ve visited safely in the past, but this time the website has been hacked and you won’t even know it. Alternatively, you may click a malicious link in a spam email that takes you to a spoofed version of a familiar website. And in particularly tricky instances, you may visit a legitimate website displaying an advertisement or pop-up infected with malware—also known as malvertising. Upon visiting the site, malicious code on the webpage will work invisibly in the background to load malware onto your computer.
Cybercriminals use exploits as a means to some malicious end, ranging from annoying problem to crippling nuisance. Cybercriminals may try to put your computer’s resources to work in a zombie botnet for the purposes of a DDoS attack or to mine Bitcoin (cryptojacking). Alternatively, cybercriminals may try to install adware and flood your desktop with ads. Cybercriminals may want to get on your system and steal data outright or install malware to secretly collect data from you over time (spyware). Finally, cybercriminals may install malware that encrypts all your files and demand payment in exchange for the encryption key (ransomware).
What is a zero-day exploit?
Zero-day! The one day a year we pause to recognize the humble little zero. If only that were true. Actually, a zero-day exploit, also known as a zero-hour exploit, is a software vulnerability no one but the cybercriminal who created it knows about and for which there is no available fix. Once an exploit becomes public knowledge, it is no longer a zero-day. Sometimes a known exploit is referred to as an n-day exploit, indicating one or more days have passed since the exploit was publicized.
Once a zero-day exploit becomes public information, software makers are in a race against criminals to patch the exploit before the criminals can take advantage and reap the benefits. Fortunately, researchers have scruples. If researchers find an exploit before criminals do, the researchers will usually report the flaw to the manufacturer and give them a chance to fix it before letting the public (and the criminals) at large know.
Proactively looking for exploits has become a sport for some hackers. At the annual Pwn2own competition, exploit experts earn cash and prizes for successfully hacking into popular software across multiple categories, including web browsers and enterprise applications. As a demonstration of their interest in software security, Microsoft and VMware sponsored the Pwn2own event in 2018.
Regarding software makers being proactive about finding and fixing exploits, David Sanchez, Malwarebytes Principal Research Engineer said, “It is true that Microsoft and other software makers are working very hard to secure their applications such as Office and exploiting them has become hard—almost impossible. Security guys and cybercriminals still find a way to exploit them successfully. 100 percent security is just an illusion, but Malwarebytes apps protect people as close as possible to that 100 percent.”
“100 percent security is just an illusion. Malwarebytes apps protect people as close as possible to that 100 percent.”
- David Sanchez
Malwarebytes Principal Research Engineer
What is the history of exploits?
Exploits are as old as computing. As we’ve pointed out, all software has vulnerabilities and there have been some real doozies over the years. Here’s a quick rundown of some of the more notable computer exploits.
Our exploration of the world’s greatest (i.e. worst) exploits starts in 1988 with the Morris worm, one of the first computer worms and exploits. Named after its creator Robert Tappan Morris, the eponymous worm was designed to figure out how big the internet was in those early formative years by using various vulnerabilities to access accounts and determine the number of computers connected to a network. The worm got out of hand, infecting computers multiple times, running several copies of the worm simultaneously until there were no resources left for legitimate users. The Morris worm had effectively become a DDOS attack.
The SQL Slammer worm took the world by storm in 2003, enlisting somewhere around 250,000 servers running Microsoft’s SQL Server software into its botnet. Once a server was infected, it would use a scattershot style of attack, generating random IP addresses, and sending out infected code to those addresses. If the targeted server had SQL Server installed, it too would be infected and added to the botnet. As a result of SQL Slammer, 13,000 Bank of America ATMs were knocked offline.
The Conficker worm of 2008 is notable for a couple of reasons. First, it wrangled a lot of computers into its botnet—reportedly 11 million devices at its height. Second, Conficker popularized a type of subterfuge viruses use to avoid detection called a Domain Generating Algorithm (DGA). In short, the DGA technique allows a bit of malware to endlessly communicate with its command and control server (C&C) by generating new domains and IP addresses.
Designed to attack Iran’s nuclear program, the 2010 Stuxnet worm took advantage of multiple zero-day vulnerabilities in Windows to gain access to a system. From there, the worm was able to self-replicate and spread from one system to another.
Discovered in 2014, the Heartbleed exploit was used to attack the encryption system that lets computers and servers talk back and forth privately. In other words, cybercriminals could use the exploit to eavesdrop on your digital conversation. The encryption system, called OPEN SSL, was used on 17.5% or half a million “secure” web servers. That’s a lot of vulnerable data. Because this is an issue for the websites you visit (server-side), as opposed to an issue on your computer (client-side), it’s up to network administrators to patch this exploit. Most reputable websites patched for this exploit years ago, but not all, so it’s still an issue to be aware of.
2017 was a banner year for ransomware. The WannaCry and NotPetya ransomware attacks took advantage of the EternalBlue/DoublePulsar Windows exploits in order to sneak onto computers and hold data hostage. Combined, these two attacks caused $18 billion in damages around the world. The NotPetya attack in particular temporarily crippled—amongst many others—a Cadbury chocolate factory and the maker of Durex condoms. Hedonists around the world held their collective breath until the exploit was patched.
The 2017 Equifax attack could have been avoided if the credit bureau made a better effort to keep their software up-to-date. In this case, the software flaw cybercriminals used to break into Equifax’s data network was already well-known and a patch was available. Instead of patching things up, Equifax and their outdated software allowed cybercriminals to steal personal information for hundreds of millions of US customers. “Thanks.”
Now, before you Apple users out there start thinking Macs are not susceptible to exploit-based attacks, consider the cringe-inducing 2017 root bug that allowed cybercriminals to simply enter the word “root” into the username field and hit return twice to get full access to the computer. That bug was quickly fixed before cybercriminals could take advantage, but this just goes to show that any software can have exploitable bugs. To wit, we reported that Mac exploits are on the rise. By the end of 2017, there was 270 percent more unique threats on the Mac platform than in 2016.
As of late, there’s been little news in the world of browser exploits. On the other hand, Office exploit kits are trending upwards. Since 2017 we’ve noticed a rise in the use of Office-based exploit kits. It was back in the fall of that year we first reported on multiple innovative Word exploits, including one hidden in bogus IRS notices and another zero-day attack hidden in Word documents—requiring little to no interaction from the victim to initiate. We’re now seeing a new type of Office exploit kit that doesn’t rely on macros; i.e. special code embedded in the document, to do its dirty work. This exploit kit, instead uses the document as a decoy while triggering an automatic download that deploys the exploit.
More recently, cybercriminals are deploying fileless malware, so named because this type of malware doesn’t rely on code installed on the target computer to work. Instead, fileless malware exploits the applications already installed on the computer, effectively weaponizing the computer against itself and other computers.
“Fileless malware exploits the applications already installed on the computer, effectively weaponizing the computer against itself and other computers.”
Exploits on mobile: Android and iOS
The biggest concern for mobile users is installing apps that have not been approved by Google and Apple. Downloading apps outside the Google Play Store and Apple App Store means the apps haven’t been vetted by the respective companies. These untrusted apps might try and exploit vulnerabilities in iOS/Android to gain access to your mobile device, steal sensitive information, and perform other malicious actions.
How can I protect myself from exploits?
Exploits can be scary. Does that mean we should throw our routers out the window and pretend it’s the pre-internet computer Dark Ages? Certainly not. Here are a few tips if you want to get proactive about exploit protection.
- Stay up-to-date. Do you regularly update your operating system and all the various applications you have installed? If you answered no, you might be a potential victim for cybercriminals. After a zero-day exploit becomes known to the software vendor and a patch is released, the onus is upon the individual user to patch and update their software. In fact, zero-day exploits become more dangerous and widespread after they become public knowledge, because a broader group of threat actors are taking advantage of the exploit. Check back with your software providers and see if there are any updates or patches available. If possible, go into your software settings and turn auto-updates on so these updates happen automatically in the background without any extra effort on your part. This will eliminate the amount of lag time between when a vulnerability is announced and when it’s patched. Cybercriminals prey on people who forget or just don’t know to update and patch their software.
- Upgrade your software. In some cases, a software application becomes so old and unwieldy the software maker stops supporting it (abandonware), which means any additional bugs that are discovered will not be fixed. Following closely on the previous bit of advice, make sure your software is still supported by the maker. If it isn’t, upgrade to the latest version or switch to something else that does the same thing.
- Stay safe online. Make sure Microsoft SmartScreen or Google Safe Browsing are enabled for your web browser of choice. Your browser will check every site you visit against the blacklists maintained by Microsoft and Google and steer you away from sites known to dish up malware. Effective anti-malware tools like Malwarebytes, for example, will also block bad sites, offering you multiple layers of protection.
- Use it or lose it. Hackers gonna hack. There’s not much we can do about that. But if there’s no software, there’s no vulnerability. If you aren’t using the software anymore—delete it from your computer. Hackers can’t break into something that isn’t there.
- Install authorized apps. When it comes to staying safe on your mobile device, stick to authorized apps only. There are times you might want to go outside of the App Store and Google Play Store, like when you’re beta-testing a new app, but you should be doubly sure you can trust the app maker. Generally speaking though, stick with approved apps that have been vetted by Apple and Google.
- Use anti-exploit software. So you’ve taken all the necessary precautions to avoid exploit-based attacks. What about zero-day exploits? Remember, a zero-day exploit is a software vulnerability only the cybercriminals know about. There’s not much we can do to protect ourselves from the threats we don’t know. Or is there? A good anti-malware program, like Malwarebytes for Windows, Malwarebytes for Mac, Malwarebytes for Android, or Malwarebytes for iOS, can proactively recognize and block malicious software from taking advantage of vulnerabilities on your computer using heuristic analysis of the attack. In other words, if the suspect software program is structured and behaves like malware, Malwarebytes will flag and quarantine it.
How do exploits affect my business?
In many ways, your business presents a higher value target for cybercriminals and exploits than the individual consumer—more data to steal, more to hold for ransom, and more endpoints to attack.
Take, for example, the Equifax data breach. In this case, cybercriminals used an exploit in Apache Struts 2 to gain access to the Equifax network and escalate their user privileges. Once the attackers were on the network, they made themselves the system administrators, gaining access to sensitive data for millions of consumers. No one knows the full fallout from the Equifax attack, but it could end up costing the credit bureau millions of dollars. There’s a class action lawsuit in the works and individuals are taking Equifax to small claims court too, winning upwards of $8,000 per case.
In addition to privilege escalation, exploits can be used to deploy other malware—as was the case with the NotPetya ransomware attack. NotPetya spread across the Internet attacking individuals and businesses alike. Using the EternalBlue and MimiKatz Windows exploits, NotPetya got a foothold on a network and spread from computer to computer, locking down each endpoint, encrypting user data, and bringing business to a standstill. Computers, smartphones, VOIP desk phones, printers, and servers were all rendered useless. Total damages to businesses around the world have been estimated at 10 billion dollars.
So how can you protect your business? You need to get rid of the weaknesses in your system with a good patch management strategy. Here’s some things to keep in mind as you figure out what’s best for your network.
- Implement network segmentation. Spreading your data onto smaller subnetworks reduces your attack surface—smaller targets are harder to hit. This can help contain a breach to only a few endpoints instead of your entire infrastructure.
- Enforce the principle of least privilege (PoLP). In short, give users the access level they need to do their jobs and nothing more. Again, this helps to contain damages from breaches or ransomware attacks.
- Stay up-to-date with updates. Keep an eye on Patch Tuesday and plan around it accordingly. The Microsoft Security Response Center maintains a blog with all the latest update info. You can also subscribe to their email newsletter to stay in the know about what’s being patched every month.
- Prioritize your updates. The day after Patch Tuesday is sometimes called (tongue firmly in cheek) Exploit Wednesday. Cybercriminals have been made aware of potential exploits and the race is on to update systems before the cybercriminals have a chance to attack. To expedite the patch process, you should consider launching updates at each endpoint from one central agent, as opposed to leaving it up to each end user to complete on their own time.
- Audit your updates after the fact. Patches are supposed to fix software, but sometimes patches end up breaking things. It’s worth following up and ensuring the patches you pushed out to your network didn’t make things worse and uninstall as necessary.
- Get rid of abandonware. Sometimes it’s hard to get rid of old software that’s past its expiration date—especially at a large business where the purchasing cycle moves with the urgency of a sloth, but discontinued software is truly the worst-case scenario for any network or system administrator. Cybercriminals actively seek out systems running outdated and obsolete software, so replace it as soon as possible.
- Of course, good endpoint security software is an essential part of any exploit protection program. Consider Malwarebytes. With Malwarebytes Endpoint Protection and Malwarebytes Endpoint Detection and Response, we have a solution for all your business security needs.
Finally, if all this hasn’t sated your hunger for knowledge about exploits, you can always read more about exploits on the Malwarebytes Labs blog.
News on exploits
- Patch now! Exchange servers attacked by Hafnium zero-days
- Zoom zero-day discovery makes calls safer, hackers $200,000 richer
- Android patches for 4 in-the-wild bugs are out, but when will you get them?
- Take action! Multiple Pulse Secure VPN vulnerabilities exploited in the wild
- Update now! Chrome patches zero-day that was exploited in the wild
- Big Patch Tuesday: Microsoft and Adobe fix in-the-wild exploits
- Update your iOS now! Apple patches three zero-day vulnerabilities
- A zero-day guide for 2020: Recent attacks and advanced preventive techniques