Attackers who spread malicious ads through drive-by download schemes are shifting their focus to Microsoft Silverlight vulnerabilities.
Researchers from Cisco Systems have reported that hackers have been exploiting Silverlight vulnerabilities to launch Web attacks against several ad networks in order to redirect unsuspecting users to malicious websites that host the Angler Exploit Kit. Exploits for the Silverlight vulnerabilities have been loaded into the kit with XOR encryption in an effort to conceal the malicious activity from detection methods such as the one used by Cisco.
The malvertising activity, as researchers call it, has been going on since April, when a huge volume of traffic was flowing from compromised sites to the Angler kit, which uses Silverlight security flaws.
Silverlight is a Microsoft browser plug-in that lets users stream media. The exploit kit used by the hackers identifies the browser its potential victims are running, as well as the plugins installed in that browser, whether Java, Adobe Reader or Silverlight. An exploit is triggered when the kit finds a plug-in that is vulnerable because it is outdated.
Java has been a constant target of attackers over the past couple of years, and hackers are using Java exploits to launch attacks against large companies with old browser plugins. Only recently have they changed tactics and begun to add Microsoft Silverlight to their targets.
Cisco researchers said:
“In this particular Angler campaign, the attack is more specifically targeted at Flash and Silverlight vulnerabilities and though Java is available and an included reference in the original attack landing pages, it’s never triggered.”
One key factor that gave the attackers a chance to exploit Silverlight vulnerabilities is the widespread rise of Flash and Java exploits, which all but drowned out the idea that Microsoft’s plugin could also be exploited. Companies became absorbed in the idea that only Flash and Java could be vulnerable to such attacks. They were also confident that security vendors had always been successful in writing threat detection code.
The Angler attacks are meant to bring users who have visited legitimate sites to phony ads served by compromised ad networks. When the ad is clicked, the user is redirected to a hacked website that in turn leads to the Angler landing page, which secretly installs malware on the user’s computer.
There has been a rapid spike in DNS requests for these Angler domains, concentrated particularly in Europe and North America.
Right now, the best way to address this risk and ensure that your computer is not compromised is to install the latest Silverlight updates from Microsoft.