Let’s kick off Monday with some ironic #infosec humor, shall we?
Last Monday (March 21st), Yonathan Klijnsma of Fox-IT’s SOC reported here that the EC-Council iClass website for the Certified Ethical Hacker (CEH) certification was serving up the Angler EK (Exploit Kit). He noted they detected it at 3:00 p.m. Monday, but that it might have been around for longer.
In fact, it has been around for longer—weeks longer! Darren Spruell, Sr. Threat Intel Analyst on RiskIQ’s R&D team, discovered that RiskIQ’s global crawling network detected Angler EK on Wednesday, March 9th at 10:33 a.m. PST, served up via this URL: www.eccouncil.org/certification/computer-hacking-f...
Note: You can review RiskIQ’s public blacklist incident and the full crawl data, including the source URL, for the redirector to Angler EK here.
Our crawler is running a full browser, and we save full DOM captures of events like this, to which RiskIQ customers have full access. If you’re a RiskIQ customer, the full crawl index and capture details can be found here.
According to Darren, the exploit kit is served via an injection & redirector that his team frequently tracks called “EITest”, which serves up a Flash-based redirector. As the article notes, it pushes traffic to Angler EK and has been detected dropping TeslaCrypt ransomware. His team has also seen other ransomware and banking trojans dropped by this redirector.
If you are a PassiveTotal (PT) user, you should start your research here. Tab on over to the “Potential Malware” findings and you’ll see roughly 81 associated pieces from VirusTotal (VT) alone, ranging from the flash redirector to various pieces like Windows Exploits.
The next thing you’ll probably want to do in PT is grab a list of all child DNS nodes.
You might notice that the child node hosting the Flash redirector is suspiciously barren of info. This is because none of the public datasets I’ve configured for my PassiveTotal instance have this flagged as a compromised site, and currently, wildcard RiskIQ blacklist data isn’t shown in PT (if you are interested in more on how PT queries our RiskIQ Blacklist and Zlist APIs, let us know; otherwise, back to the analysis).
If you drop the source of the redirector into PassiveTotal, you’ll see it is flagged as malicious. If you wanted more detailed, proprietary RiskIQ info on the host history—the full crawl/traversal, DOM capture, etc.—you’ll still want to query RiskIQ’s global blacklist, or Zlist, APIs, for threat intel enrichment data.
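The triage steps above (pull the child DNS nodes, compare them against public enrichment, then fall back to blacklist data for the node that looks “barren”) can be scripted once the data is exported. The following is an added example, not RiskIQ or PassiveTotal code; it runs entirely on constructed records. The hostnames other than www.eccouncil.org, the IP addresses, the redirect target, and the record shapes are all assumptions standing in for whatever a passive DNS export and a blacklist feed would actually return.

```python
from datetime import datetime, timezone, timedelta
from urllib.parse import urlsplit

PST = timezone(timedelta(hours=-8))

# Constructed passive-DNS "child nodes" of the compromised domain.
# Hostnames and IPs (RFC 5737 documentation range) are placeholders.
CHILD_NODES = {
    "www.eccouncil.org": ["198.51.100.10"],
    "iclass.eccouncil.org": ["198.51.100.11"],
    "cdn-assets.eccouncil.org": ["198.51.100.12"],  # hypothetical host for the Flash redirector
}

# Constructed public enrichment: hostname -> labels a VT-style feed would show.
PUBLIC_FLAGS = {
    "www.eccouncil.org": ["Trojan.Script.EITest"],
    "iclass.eccouncil.org": ["SWF/Exploit.Redirector"],
    "cdn-assets.eccouncil.org": [],  # "barren": no public dataset flags it
}

# Constructed blacklist incidents: (first seen, source URL, redirect target, classification).
# Only the March 9th 10:33 PST timestamp comes from the post; the rest is made up.
BLACKLIST = [
    ("2016-03-09T10:33:00-08:00",
     "http://cdn-assets.eccouncil.org/player.swf",
     "http://ek-gate.invalid/landing", "Angler EK redirector (EITest)"),
    ("2016-03-09T10:33:00-08:00",
     "http://www.eccouncil.org/certification/computer-hacking-forensic",
     "http://cdn-assets.eccouncil.org/player.swf", "EITest injection"),
    ("2016-03-14T08:05:00-08:00",
     "http://cdn-assets.eccouncil.org/player.swf",
     "http://ek-gate.invalid/landing", "Angler EK redirector (EITest)"),
]


def hostname(url):
    """Extract the lowercase hostname from a URL."""
    return urlsplit(url).hostname.lower()


def enrichment_gaps(child_nodes, public_flags, blacklist):
    """Child nodes with no public flags that still appear as a blacklist source.

    These are the nodes that look clean in a GUI backed only by public
    datasets and are worth a direct blacklist/Zlist query.
    """
    blacklisted = {hostname(src) for _, src, _, _ in blacklist}
    return sorted(
        host for host in child_nodes
        if not public_flags.get(host) and host in blacklisted
    )


def earliest_detection(blacklist):
    """Return (timestamp, source URL) of the first observed incident."""
    first = min(blacklist, key=lambda rec: datetime.fromisoformat(rec[0]))
    return datetime.fromisoformat(first[0]), first[1]


def redirect_chain(blacklist, landing_url):
    """Follow source -> target edges from a landing page to the final hop."""
    edges = {src: dst for _, src, dst, _ in blacklist}
    chain, cur = [landing_url], landing_url
    while cur in edges and edges[cur] not in chain:  # stop on cycles
        cur = edges[cur]
        chain.append(cur)
    return chain


def detection_lag_days(blacklist, public_report_ts):
    """Whole calendar days (UTC) between first crawl detection and a public report."""
    first, _ = earliest_detection(blacklist)
    report = datetime.fromisoformat(public_report_ts)
    return (report.astimezone(timezone.utc).date()
            - first.astimezone(timezone.utc).date()).days


if __name__ == "__main__":
    print("Nodes needing blacklist enrichment:", enrichment_gaps(CHILD_NODES, PUBLIC_FLAGS, BLACKLIST))
    print("First seen:", earliest_detection(BLACKLIST))
    print(" -> ".join(redirect_chain(BLACKLIST, "http://www.eccouncil.org/certification/computer-hacking-forensic")))
```

The chain builder stops on cycles so a redirector that loops back onto itself cannot hang the script, and the lag calculation normalizes both timestamps to UTC before comparing dates so a PST first-seen value and a report stamped in another zone line up correctly.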
Why is RiskIQ late to the party reporting this?
Why didn’t RiskIQ report on this when we detected it a few weeks ago?
Our focus is on our customers’ assets and external threats targeting them. While we detected this weeks ago, this isn’t an organization we monitor specifically, so it’s not something we typically pay a lot of attention to.
To give a sense of the volume of analysis we do at RiskIQ: we crawl roughly two billion unique landing pages per day through our global covert proxy/crawling network. But this is just one of many data sources we combine to identify external threats: we also detect 60,000-80,000 blacklist incidents daily, which can spike as high as 150,000 incidents on a bad day! And this data doesn't even include malware, phishing, and rogue application incidents, which produce similar numbers.
If you combine crawling and monitoring the Internet at large with analyzing terabytes of DNS and WHOIS data, and with monitoring hundreds of mobile application stores and about 16 million mobile binaries globally each day, you begin to realize we have a very large security dataset to analyze. Because of the size of this dataset, we focus our attention on the external threat events that target our customer base, of which EC-Council is not a member.
Going forward, I’m thinking it might be a fun research project to keep a close eye on other security companies to see how often this sort of thing happens, and how often it goes unnoticed.
Finally, regardless of where you stand on the subject of the value of certifications in #Infosec, we have to give comedic props to whoever placed this gem on the CEH online courseware landing page. We are also a bit surprised that the EC-Council has not responded to the incident yet.
Every security org has incidents. It’s how you respond that shows whether the proverbial cobbler’s kids have any shoes or not.
Happy Monday, folks.