When it comes to advanced persistent threats (APTs), bad actors are adding a new weapon to their arsenal: malvertising. One attack, dubbed Operation DeathClick, is a particularly virulent ongoing campaign against US defense companies.
Targeted attacks against organizations most often originate as spear-phishing campaigns or watering-hole attacks that use social engineering and the target’s own interests against him or her. But within the last six months, security firm Invincea has discovered a spate of attacks using malvertising against specific companies—particularly those in the defense sector.
According to an Invincea whitepaper, Operation DeathClick targeted several US defense contractors, all of which had deployed “world-class enterprise security defense-in-depth approaches” to protect their intellectual property. These defenses included next-generation firewalls that relied on threat-intelligence feeds to auto-block known malicious sites, malware-interception technology that relied on known-bad hashes to prevent malicious downloads, multiple proxies subscribed to real-time feeds of known-bad URLs, and antivirus at the gateways and on the endpoints.
But in a two-week period, these organizations were hit with dozens of micro-targeted malvertising attacks, each of which would have provided a beachhead for the threat actors from which to compromise the network, if successful.
“Once targeted, an end user only needed to browse to any website, anywhere in the world, which contained a DoubleClick ad-partner embedded window,” said Invincea.
Malvertising has seen a meteoric rise in 2014. Threat actors create a corporate front, advertise on commonly visited sites, then later switch out the landing pages for their ads to pages that host exploit kits, or simply create a temporary redirection from their usual content to the malicious landing page. Traditional malvertising has thus been an effective but indiscriminate method that cyber-crime gangs use to compromise endpoints to perpetrate ad fraud, identity fraud and banking credential theft. Invincea noted that the new micro-targeted version of malvertising indicates motive and sophistication characteristic of advanced threat actors.
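The mechanism above (an ad slot whose landing page is swapped, at serving time, for an exploit-kit page) is why the hash- and URL-reputation controls described earlier do not fire: the payload host and the file are new. The following is an added illustration, not code from Invincea or from the article, of a behavioural check a defender can run over web-proxy logs instead: it correlates a request to an ad-partner domain with a payload fetch (executable, Flash or Java content type) from a domain the organization has never seen, within a short window. All domains, IP addresses and log lines are constructed for the example, and the log format and the "known domain" baseline are assumptions.

```python
"""
Added example (not part of Invincea's report): correlate proxy-log entries to
flag the chain  page -> ad-slot request -> redirect to an unseen domain ->
exploit-style payload.  Reputation lists would miss this because the landing
domain and the payload are new; the *sequence* is what gives it away.

Every domain, IP and log line below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed (assumption): ad-partner domains the proxy sees every day.
AD_PARTNER_DOMAINS = {"ads.example-adpartner.test", "adserver.example-partner.test"}
# Constructed (assumption): domains already in the organization's observed baseline.
KNOWN_DOMAINS = {"news.example.test", "webmail.example.test", *AD_PARTNER_DOMAINS}
# Content types an ad slot has no business returning.
SUSPICIOUS_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-shockwave-flash",
    "application/java-archive",
    "application/octet-stream",
}
# Maximum delay between the ad-slot request and the payload fetch.
WINDOW = timedelta(seconds=30)

# Constructed sample log: "<ISO time> <client_ip> <url> <referer|-> <content-type>"
SAMPLE_LOG = """\
2014-10-20T09:00:01 10.1.2.3 http://news.example.test/story - text/html
2014-10-20T09:00:02 10.1.2.3 http://ads.example-adpartner.test/slot?id=9 http://news.example.test/story text/html
2014-10-20T09:00:04 10.1.2.3 http://cdn-landing.example-evil.test/gate.php http://ads.example-adpartner.test/slot?id=9 text/html
2014-10-20T09:00:06 10.1.2.3 http://cdn-landing.example-evil.test/load.swf http://cdn-landing.example-evil.test/gate.php application/x-shockwave-flash
2014-10-20T09:05:00 10.1.2.4 http://webmail.example.test/inbox - text/html
2014-10-20T09:05:01 10.1.2.4 http://ads.example-adpartner.test/slot?id=3 http://webmail.example.test/inbox text/html
2014-10-20T09:05:02 10.1.2.4 http://ads.example-adpartner.test/img.png http://ads.example-adpartner.test/slot?id=3 image/png
"""


def parse_line(line):
    """Split one constructed log line into the fields the correlator needs."""
    ts, client, url, referer, ctype = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "host": urlsplit(url).hostname or "",
        "url": url,
        "ref_host": (urlsplit(referer).hostname or "") if referer != "-" else "",
        "ctype": ctype,
    }


def find_ad_chains(log_text, known_domains=KNOWN_DOMAINS, ad_domains=AD_PARTNER_DOMAINS):
    """Return one alert per payload fetch that (a) has a suspicious content type,
    (b) comes from a domain outside the baseline, (c) was reached off an ad slot
    (directly, or one hop further), and (d) followed an ad-slot request within WINDOW."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            per_client[rec["client"]].append(rec)

    alerts = []
    for client, recs in per_client.items():
        ad_times = [r["ts"] for r in recs if r["host"] in ad_domains]
        # Hosts this client reached with an ad-partner domain as the referer.
        hopped = {r["host"] for r in recs
                  if r["ref_host"] in ad_domains and r["host"] not in ad_domains}
        for r in recs:
            if r["ctype"] not in SUSPICIOUS_CONTENT_TYPES or r["host"] in known_domains:
                continue
            if r["host"] in hopped or r["ref_host"] in hopped:
                if any(timedelta(0) <= r["ts"] - t <= WINDOW for t in ad_times):
                    alerts.append({"client": client, "payload_host": r["host"],
                                   "url": r["url"], "ts": r["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in find_ad_chains(SAMPLE_LOG):
        print("possible malvertising chain:", alert)
```

On the constructed sample the correlator raises one alert, for client 10.1.2.3, whose ad slot redirected to an unseen host that served a Flash object four seconds later; the second client's ad slot returned only an image and is not flagged. The check is deliberately indifferent to which site the user was reading, which matches the report's point that the hosting page can be anything with an embedded ad window.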
Now, “the combination of traditional cyber-crime methods (malvertising) with targeted attacks against defense industrials for theft of [intellectual property] represents another development in the ongoing blending of techniques from cyber-crime and advanced threat actors with nation state agendas,” the company said, in a whitepaper on the subject. “In this new targeted variation of malvertising, the perpetrators are attacking specific organizations by leveraging real-time ad bidding networks and micro-targeting techniques developed over the last decade in online advertising.”
Real-time ad bidding offers the ability to buy and sell digital advertising placements programmatically, which in turn allows ad delivery to be micro-targeted on an extremely granular basis. For example, ads can be delivered to certain audiences based on: versions of Flash, OS, Java and browser; interest-related content (click-bait articles, industry-specific software or hardware such as medical supplies, radar mapping software, ammunition sales, stocks forums); advertising profiles derived from cookies (someone with specific tastes may shop for shoes, handbags, cars or luxury vacations); geographic region; and the public IP space of a network or an industrial vertical.
This is a very useful tool for brands: a local car dealership can, for instance, detect when someone is in the market for a new car and deliver advertising to those users based solely on browsing history. But micro-targeting is an even more useful tool for nefarious adversaries who have weaponized ad delivery networks.
“Advanced threat actors are able to target an organization directly via micro-targeted malvertising, based solely on their corporate network IP range,” Invincea said. “Thus, it doesn’t matter where in the world you point your web browser—an online video poker room, a fantasy football club homepage, a Pakistani news homepage, or even checking your own webmail at a trusted email provider. Those ad windows can and are being used to deliver malware if the bidding price is right.”
For instance, Operation DeathClick's micro-targeting system uses IP address ranges, geographic location narrowed down to Zip codes, and user interests (recorded in cookies) to target specific companies, company types and user interests/preferences.
Invincea said that it is very likely that the approach will soon spread beyond defense espionage.
“While we discovered these attacks across multiple defense companies, we expect it will not be long, if not already, before other highly targeted segments including federal, financial services, manufacturing and healthcare are victimized with the same micro-targeted malvertising,” the firm said. “The campaign described here does not represent a single flaw, zero-day, or unpatched bug, but rather a significant development in the adversary’s capabilities and strategy to leverage legitimate online advertising platforms on well-known ad supported websites via a technique called real-time ad bidding. In other words, this problem will not be patched on Tuesday.”