by Alastair Stevenson
An evolved form of the Fiesta exploit kit has been uncovered hitting Cisco customers with Java and Microsoft Silverlight exploits.
Cisco chief security officer Levi Gundert reported that the company uncovered the hack campaign while working with newly acquired security firm Sourcefire. In a blog post he warned that the campaign has already hit at least 300 companies over the past 30 days.
“Now that we are collaborating with Sourcefire’s Vulnerability Research Team (VRT) we have additional capabilities to quickly isolate and prioritise specific web exploit activity for further analysis,” read the post.
“Thus when we were recently alerted to an aggressive Fiesta exploit pack (EP) campaign targeting our customers, we quickly compared notes and found that in addition to the typical Java exploits, this EP was also using a Microsoft Silverlight exploit. Over the past 30 days this specific Fiesta campaign was blocked across more than 300 different companies.”
Exploit kits, referred to in the blog as exploit packs, are hack tools traded on a number of cyber black markets that let people with little computing expertise easily mount automated hack campaigns.
The Cisco chief said the new Fiesta exploit kits are being used to mount a series of drive-by download attacks against businesses. Cisco reported that the attacks aim to maximise the amount of web traffic going to websites and malicious servers owned by the hackers.
“EP users’ primary goal is to force as much victim web traffic to their respective EP servers as possible, in order to execute a ‘drive-by’ attack (really it’s a reverse drive-by since the victim is moving and the attacker is stationary),” read the post.
“Thus any number of malicious mechanisms may be used to drive unsuspecting web users to the EP server including ‘malvertising’ (injecting a rogue advertisement into an advertising delivery network), email/social media spam, and/or compromising a legitimate website and automatically redirecting visitors.”
Cisco reported finding at least 400 distributed domain name services (DDNS)-based domains receiving traffic from the compromised machines. The attack’s success is troubling because the Microsoft Silverlight vulnerability was patched by Microsoft in 2013, meaning businesses with up-to-date systems should be safe.
Exploit kits have been a growing problem for the security community. In 2013 the Blackhole exploit kit was the most common hack tool being used by criminals, but use of it plummeted after the FBI arrested its alleged creator in November 2013.