RIG Attack Kit May Push Ransomware To Facebook Users
A new attack toolkit called RIG is gaining popularity and is impacting users of Facebook, eBay and other popular websites, according to Cisco Systems.

The RIG Exploit Kit spreads dangerous malware by infiltrating advertising networks, embedding malicious links in ads that redirect users to ransomware, which can lock up and delete victims' files, or to other threats.

Malicious traffic associated with the RIG Exploit Kit activity has increased significantly since it first appeared in April, according to Cisco. RIG's growing popularity is significant because it exploits ads that appear on legitimate websites that get high traffic, said Andrew Tsonchev, a U.K.-based Cisco threat researcher.


"We have seen a lot of exploit kits generating their traffic using malvertising recently, and this will surely continue to be a powerful and readily exploitable way of infecting users," Tsonchev wrote in his analysis of the threat, warning users to ensure that the latest browser and component patches are installed. "Regularly updated and patched machines which do not have rich media platforms such as Flash and Silverlight enabled remain relatively immune from these kinds of attacks."

Technology alone isn't going to be effective in keeping up with rapidly changing threats, say security experts. The channel can offer sustained end user security awareness training to build a security culture within customer organizations, and strong patch and configuration management processes can help greatly reduce risks, said William Loupakos, senior vice president at Arlington Heights, Ill.-based solution provider American Digital.

"I still think that there is more that needs to be done on the people side," Loupakos said. "The whole perception of risk has to be embedded or institutionalized on a company's culture in order for security to be effective."

An analysis Cisco conducted of the traffic patterns uncovered Facebook, eBay and Altavista among dozens of other websites that could be hosting the malicious ads. Tsonchev said the exploit kit targets a Microsoft Silverlight vulnerability patched by the software maker last year. It also targets two early Java vulnerabilities and a Flash Player flaw.

Cisco blocked more than 90 domains associated with RIG-related malware. Some of the domains appear to be running WordPress and were compromised by the attackers to host the exploit kit, a common technique that preys on outdated and poorly maintained WordPress installations or on the weak and default administrator passwords associated with them.

Facebook, Twitter and other social networks are vigilant about monitoring for threats to their users, but scams such as Facebook Black persist because the third-party advertising platforms and apps that tie into the networks are often more difficult to monitor.

The global law enforcement crackdown on the Gameover Zeus botnet has increased attention on some of the most prevalent attacks often carried out by criminals using automated toolkits. Despite crippling the powerful botnet, financially motivated attacks, driven by a variety of organized criminals in Eastern Europe and Russia, constantly evolve, say experts. The goal is to keep attacks low-lying to avert attention from security researchers and sustain lucrative campaigns as long as possible.

"It has been and will always be a cat and mouse game," said Cameron Camp, a U.S.-based security researcher at the U.S. arm of Bratislava, Slovakia-based antivirus vendor ESET. "The bad guys constantly adapt and carry on their malicious activity."

Cisco's Tsonchev said RIG is also responsible for spreading Cryptowall ransomware, a threat similar to Cryptolocker that encrypts local files and attempts to extort a ransom from victims for the key needed to regain access.

PUBLISHED JUNE 6, 2014