Computer exploits. What are they and why should you care?
Have you ever noticed how software developers are forever patching and updating their software—sometimes releasing updates mere days after the initial software release?
That’s because every piece of software you own and will ever own in your life will have vulnerabilities cybercriminals can find and take advantage of—in other words, “exploit.” There is no such thing as exploit-free software—there will always be holes. Computer software is about as solid as a block of Swiss cheese.
By way of exploits, cybercriminals can gain access to your computer and steal sensitive information or install malware. Despite a slow-down in exploit activity, cybercriminals are continuing to fall back on this stealthy method of attack. With that in mind, now is the perfect time to educate ourselves on the topic of exploits and protect ourselves accordingly. So scroll down, read on, and learn everything you need to know about computer exploits.
A computer exploit is a type of malware that takes advantage of bugs or vulnerabilities, which cybercriminals use to gain illicit access to a system. These vulnerabilities are hidden in the code of the operating system and its applications just waiting to be discovered and put to use by cybercriminals. Commonly exploited software includes the operating system itself, browsers, Microsoft Office, and third-party applications. Sometimes exploits are packaged up by cybercriminal groups into what’s called an exploit kit. Exploit kits make it easier for criminals with limited technical knowledge to use exploits and spread malware.
To gain a better understanding of what exploits are, it may help to think of the expensive bicycle and laptop cylinder locks popular in the early 2000s. People paid upwards of $50 for these locks, thinking the locks kept their valuables secure, until someone posted a video online demonstrating how these locks could be picked in a matter of seconds using a cheap and readily available Bic pen. This forced the lock makers to update their locks and consumers had to upgrade to the new pick-proof locks. This is a tangible exploit of a physical security system. As it applies to software, cybercriminals are looking for clever tricks, just like the Bic pen guy, that will allow them access to other people’s computers, mobile devices and networks.
Exploit attacks often start with malspam and drive-by downloads. Cybercriminals trick unsuspecting victims into opening an infected email attachment or clicking links that redirect to a malicious website. Infected attachments, often a Word document or PDF, will contain exploit code designed to take advantage of application weaknesses.
Drive-by downloads take advantage of vulnerabilities in your browser, like Internet Explorer or Firefox for example, or the plug-ins running within your browser such as Flash. You may visit a website you’ve visited safely in the past, but this time the website has been hacked and you won’t even know it. Alternatively, you may click a malicious link in a spam email that takes you to a spoofed version of a familiar website. And in particularly tricky instances, you may visit a legitimate website displaying an advertisement or pop-up infected with malware—also known as malvertising. Upon visiting the site, malicious code on the webpage will work invisibly in the background to load malware onto your computer.
Cybercriminals use exploits as a means to some malicious end, ranging from annoying problem to crippling nuisance. Cybercriminals may try to put your computer’s resources to work in a zombie botnet for the purposes of a DDoS attack or to mine Bitcoin (cryptojacking). Alternatively, cybercriminals may try to install adware and flood your desktop with ads. Cybercriminals may want to get on your system and steal data outright or install malware to secretly collect data from you over time (spyware). Finally, cybercriminals may install malware that encrypts all your files and demand payment in exchange for the encryption key (ransomware).
Zero-day! The one day a year we pause to recognize the humble little zero. If only that were true. Actually, a zero-day exploit, also known as a zero-hour exploit, is a software vulnerability no one but the cybercriminal who created it knows about and for which there is no available fix. Once an exploit becomes public knowledge, it is no longer a zero-day. Sometimes a known exploit is referred to as an n-day exploit, indicating one or more days have passed since the exploit was publicized.
Once a zero-day exploit becomes public information, software makers are in a race against criminals to patch the exploit before the criminals can take advantage and reap the benefits. Fortunately, researchers have scruples. If researchers find an exploit before criminals do, the researchers will usually report the flaw to the manufacturer and give them a chance to fix it before letting the public (and the criminals) at large know.
Proactively looking for exploits has become a sport for some hackers. At the annual Pwn2own competition, exploit experts earn cash and prizes for successfully hacking into popular software across multiple categories, including web browsers and enterprise applications. As a demonstration of their interest in software security, Microsoft and VMware sponsored the Pwn2own event in 2018.
Regarding software makers being proactive about finding and fixing exploits, David Sanchez, Malwarebytes Principal Research Engineer said, “It is true that Microsoft and other software makers are working very hard to secure their applications such as Office and exploiting them has become hard—almost impossible. Security guys and cybercriminals still find a way to exploit them successfully. 100 percent security is just an illusion, but Malwarebytes apps protect people as close as possible to that 100 percent.”
Exploits are as old as computing. As we’ve pointed out, all software has vulnerabilities and there have been some real doozies over the years. Here’s a quick rundown of some of the more notable computer exploits.
Our exploration of the world’s greatest (i.e. worst) exploits starts in 1988 with the Morris worm, one of the first computer worms and exploits. Named after its creator Robert Tappan Morris, the eponymous worm was designed to figure out how big the internet was in those early formative years by using various vulnerabilities to access accounts and determine the number of computers connected to a network. The worm got out of hand, infecting computers multiple times, running several copies of the worm simultaneously until there were no resources left for legitimate users. The Morris worm had effectively become a DDoS attack.
The SQL Slammer worm took the world by storm in 2003, enlisting somewhere around 250,000 servers running Microsoft’s SQL Server software into its botnet. Once a server was infected, it would use a scattershot style of attack, generating random IP addresses, and sending out infected code to those addresses. If the targeted server had SQL Server installed, it too would be infected and added to the botnet. As a result of SQL Slammer, 13,000 Bank of America ATMs were knocked offline.
The Conficker worm of 2008 is notable for a couple of reasons. First, it wrangled a lot of computers into its botnet—reportedly 11 million devices at its height. Second, Conficker popularized a type of subterfuge viruses use to avoid detection called a Domain Generation Algorithm (DGA). In short, the DGA technique allows a bit of malware to keep communicating with its command and control server (C&C) by generating a steady stream of new domains, so that taking down any one domain or IP address does not cut the malware off.
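Because a DGA-infected machine has to ask DNS for a stream of machine-generated names, a defender can spot the behaviour in ordinary DNS query logs without knowing the algorithm. The following is an added example, not code from the original article or from Malwarebytes: it scores the registrable label of each queried domain on length, character entropy and vowel ratio, and reports clients whose lookups repeatedly look generated. The log format, field names and all domain names are constructed for the example; the thresholds are illustrative assumptions and would need tuning against real traffic.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (not a real capture). The three lookups from
# 10.0.0.7 are made-up, consonant-heavy names of the kind a DGA produces.
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01Z client=10.0.0.5 query=www.example.com rcode=NOERROR
2024-01-01T10:00:02Z client=10.0.0.5 query=mail.google.com rcode=NOERROR
2024-01-01T10:00:03Z client=10.0.0.7 query=xkqwzjtyvbnprd.com rcode=NXDOMAIN
2024-01-01T10:00:04Z client=10.0.0.7 query=plmtrqwvxzkfgh.net rcode=NXDOMAIN
2024-01-01T10:00:05Z client=10.0.0.7 query=bcdfghjklmnpqr.org rcode=NXDOMAIN
2024-01-01T10:00:06Z client=10.0.0.9 query=cdn.wikipedia.org rcode=NOERROR
"""

# Assumed log layout: key=value fields; only client and query are needed here.
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def second_level_label(fqdn: str) -> str:
    """Return the label left of the TLD (e.g. 'example' for www.example.com).
    Simplification: multi-part public suffixes such as co.uk are not handled."""
    parts = fqdn.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(label: str) -> int:
    """Count how many 'looks generated' heuristics the label trips (0-3).
    Thresholds are illustrative assumptions, not published DGA detection values."""
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in "aeiou" for ch in letters) / len(letters) if letters else 0.0
    score = 0
    if len(label) >= 12:                 # long labels are unusual for brand names
        score += 1
    if shannon_entropy(label) >= 3.2:    # near-uniform character distribution
        score += 1
    if vowel_ratio < 0.25:               # unpronounceable consonant runs
        score += 1
    return score


def is_suspicious(label: str, threshold: int = 2) -> bool:
    return dga_score(label) >= threshold


def scan_dns_log(text: str) -> dict:
    """Map each client to the list of queried names whose label looks generated."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        if is_suspicious(second_level_label(m["query"])):
            hits[m["client"]].append(m["query"])
    return dict(hits)


def flag_clients(text: str, min_hits: int = 2) -> dict:
    """Clients with at least min_hits suspicious lookups; a single odd name is
    normal, a burst of them from one host is the DGA signal worth investigating."""
    return {client: names for client, names in scan_dns_log(text).items()
            if len(names) >= min_hits}


if __name__ == "__main__":
    for client, names in flag_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} DGA-like lookups, e.g. {names[0]}")
```

Pairing the score with the response code (a DGA host typically produces a burst of NXDOMAIN answers because most generated names are never registered) and with a per-client count keeps false positives down; a single CDN hostname with an odd label should not page anyone, whereas dozens from one workstation in a minute should.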
Designed to attack Iran’s nuclear program, the 2010 Stuxnet worm took advantage of multiple zero-day vulnerabilities in Windows to gain access to a system. From there, the worm was able to self-replicate and spread from one system to another.
Discovered in 2014, the Heartbleed exploit was used to attack the encryption system that lets computers and servers talk back and forth privately. In other words, cybercriminals could use the exploit to eavesdrop on your digital conversation. The encryption system, called OpenSSL, was used on 17.5% or half a million “secure” web servers. That’s a lot of vulnerable data. Because this is an issue for the websites you visit (server-side), as opposed to an issue on your computer (client-side), it’s up to network administrators to patch this exploit. Most reputable websites patched for this exploit years ago, but not all, so it’s still an issue to be aware of.
2017 was a banner year for ransomware. The WannaCry and NotPetya ransomware attacks took advantage of the EternalBlue/DoublePulsar Windows exploits in order to sneak onto computers and hold data hostage. Combined, these two attacks caused $18 billion in damages around the world. The NotPetya attack in particular temporarily crippled—amongst many others—a Cadbury chocolate factory and the maker of Durex condoms. Hedonists around the world held their collective breath until the exploit was patched.
The 2017 Equifax attack could have been avoided if the credit bureau made a better effort to keep their software up-to-date. In this case, the software flaw cybercriminals used to break into Equifax’s data network was already well-known and a patch was available. Instead of patching things up, Equifax and their outdated software allowed cybercriminals to steal personal information for hundreds of millions of US customers. “Thanks.”
Now, before you Apple users out there start thinking Macs are not susceptible to exploit-based attacks, consider the cringe-inducing 2017 root bug that allowed cybercriminals to simply enter the word “root” into the username field and hit return twice to get full access to the computer. That bug was quickly fixed before cybercriminals could take advantage, but this just goes to show that any software can have exploitable bugs. To wit, we reported that Mac exploits are on the rise. By the end of 2017, there were 270 percent more unique threats on the Mac platform than in 2016.
As of late, there’s been little news in the world of browser exploits. On the other hand, Office exploit kits are trending upwards. Since 2017 we’ve noticed a rise in the use of Office-based exploit kits. It was back in the fall of that year we first reported on multiple innovative Word exploits, including one hidden in bogus IRS notices and another zero-day attack hidden in Word documents—requiring little to no interaction from the victim to initiate. We’re now seeing a new type of Office exploit kit that doesn’t rely on macros (i.e. special code embedded in the document) to do its dirty work. This exploit kit instead uses the document as a decoy while triggering an automatic download that deploys the exploit.
More recently, cybercriminals are deploying fileless malware, so named because this type of malware doesn’t rely on code installed on the target computer to work. Instead, fileless malware exploits the applications already installed on the computer, effectively weaponizing the computer against itself and other computers.
The biggest concern for mobile users is installing apps that have not been approved by Google and Apple. Downloading apps outside the Google Play Store and Apple App Store means the apps haven’t been vetted by the respective companies. These untrusted apps might try and exploit vulnerabilities in iOS/Android to gain access to your mobile device, steal sensitive information, and perform other malicious actions.
Exploits can be scary. Does that mean we should throw our routers out the window and pretend it’s the pre-internet computer Dark Ages? Certainly not. Here are a few tips if you want to get proactive about exploit protection.
In many ways, your business presents a higher value target for cybercriminals and exploits than the individual consumer—more data to steal, more to hold for ransom, and more endpoints to attack.
Take, for example, the Equifax data breach. In this case, cybercriminals used an exploit in Apache Struts 2 to gain access to the Equifax network and escalate their user privileges. Once the attackers were on the network, they made themselves the system administrators, gaining access to sensitive data for millions of consumers. No one knows the full fallout from the Equifax attack, but it could end up costing the credit bureau millions of dollars. There’s a class action lawsuit in the works and individuals are taking Equifax to small claims court too, winning upwards of $8,000 per case.
In addition to privilege escalation, exploits can be used to deploy other malware—as was the case with the NotPetya ransomware attack. NotPetya spread across the Internet attacking individuals and businesses alike. Using the EternalBlue and Mimikatz Windows exploits, NotPetya got a foothold on a network and spread from computer to computer, locking down each endpoint, encrypting user data, and bringing business to a standstill. Computers, smartphones, VoIP desk phones, printers, and servers were all rendered useless. Total damages to businesses around the world have been estimated at 10 billion dollars.
So how can you protect your business? You need to get rid of the weaknesses in your system with a good patch management strategy. Here are some things to keep in mind as you figure out what’s best for your network.
Finally, if all this hasn’t sated your hunger for knowledge about exploits, you can always read more about exploits on the Malwarebytes Labs blog.