Security researchers from iSight and Invincea uncovered a sophisticated data-exfiltration APT campaign. The target of the attack, however, was not the company that was compromised; it was that site's users. Forbes.com, one of the most highly trafficked websites in the world, was compromised and used to serve malware to its visitors.
As with other website attacks reported in recent months, the exploitation of third-party components was the linchpin of the attack. Invincea explains that this is typically how these website compromises occur:
Many websites have vulnerable plugins, themes, and custom apps for publishing platforms, whether based on ColdFusion or WordPress or common bulletin board systems. Botnets routinely probe web servers to search for known vulnerable plugins and can often exploit those vulnerabilities automatically, leaving malicious JavaScript, PHP files or Flash exploits behind.
The plugin compromises Invincea describes are mostly a patch-lag problem: the bugs are known and fixes exist, but the site has not applied them. The harder case is an exploit for a vulnerability with no patch at all. Until one is released there is little that can be done to prevent infection; the vendor has had zero days to fix it and defenders zero days to prepare, which is why it is called a zero-day. Zero-day exploits can circulate in the wild for an indefinite time before they are discovered.
In this attack, the group responsible chained two such exploits to compromise fully patched machines: an Internet Explorer vulnerability (CVE-2015-0071) and an Adobe Flash Player vulnerability (CVE-2014-9163), used together to plant a malicious DLL on victims' computers.
Invincea saw no evidence that the attack extended beyond specific targets, but it offers this caveat:
While we can confirm targeting against US Defense and Financial Services firms at this time, there is potential for broader targeting from this group (and potentially other threat actors).
Although Invincea notes in its blog post that the specific vulnerabilities used in this campaign have since been patched, the broader concern is reach: Alexa.com ranks Forbes.com as the 61st most popular site in the US, and millions of people read its articles and view its content every day.
How many of those people have advanced endpoint protection? What is being done to protect ordinary web users? Invincea addresses this in its blog:
Web users are often at the mercy of the patch cycle and attentiveness of website administrators to keep these vulnerable plugins up to date and search for dropped files left behind by exploits.
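Invincea's two observations above (exploited plugins leave PHP or JavaScript files behind, and administrators have to go looking for those dropped files) describe a check that can be automated. The script below is an added example, not code from the original article or from Invincea. It hashes every file under a web root with SHA-256, diffs the result against a baseline manifest captured from a clean deployment, and then runs a few content heuristics for webshell idioms in PHP and for hidden iframes or script tags loading from a host that is not on an allow-list. The sample site, its file names, the allow-listed host `www.example.com` and the address 203.0.113.7 are all constructed for the demonstration.

```python
"""Find files dropped or modified by an automated plugin exploit (added example).

Integrity check: SHA-256 every file under a web root and diff it against a baseline
manifest taken from a clean deployment. Content heuristics: flag webshell idioms in
PHP and hidden iframes or non-approved external scripts in markup. Demo data is constructed.
"""
import hashlib
import os
import re
import tempfile

PHP_INDICATORS = {
    # eval() wrapped around a decoding primitive: the classic backdoor shape
    "php-eval-decode": re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    # shell execution fed straight from a request parameter
    "php-exec-from-request": re.compile(
        rb"(?:system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
}
HTML_INDICATORS = {
    # zero-sized or hidden iframe: typical loader injection into a theme file
    "hidden-iframe": re.compile(
        rb"<iframe\b[^>]*(?:\b(?:width|height)\s*=\s*[\"']?0\b"
        rb"|display\s*:\s*none|visibility\s*:\s*hidden)", re.IGNORECASE),
}
# host part of an absolute or protocol-relative <script src=...>, checked against an allow-list
SCRIPT_SRC = re.compile(
    rb"<script\b[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.IGNORECASE)
PHP_EXT = {".php", ".phtml"}
MARKUP_EXT = PHP_EXT | {".html", ".htm", ".js"}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map 'relative/path' -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest

def scan_content(path, allowed_hosts):
    """Return the indicator names that fire on one file (empty list if clean)."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MARKUP_EXT:
        return []
    with open(path, "rb") as f:
        data = f.read()
    hits = [n for n, rx in PHP_INDICATORS.items() if ext in PHP_EXT and rx.search(data)]
    hits += [n for n, rx in HTML_INDICATORS.items() if rx.search(data)]
    for m in SCRIPT_SRC.finditer(data):
        host = m.group(1).decode("ascii", "replace").lower()
        if host not in allowed_hosts:
            hits.append("external-script:" + host)
    return hits

def scan_webroot(root, manifest, allowed_hosts):
    """Diff the live tree against the baseline, then run heuristics over every file."""
    current = build_manifest(root)
    report = {
        "added": sorted(p for p in current if p not in manifest),
        "modified": sorted(p for p in current if p in manifest and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "suspicious": {},
    }
    for rel in sorted(current):  # scan everything: the baseline itself may carry a backdoor
        hits = scan_content(os.path.join(root, *rel.split("/")), allowed_hosts)
        if hits:
            report["suspicious"][rel] = hits
    return report

def _write(root, rel, body):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(body)

def build_demo():
    """Constructed sample site: clean deployment, baseline manifest, then a simulated compromise."""
    root = tempfile.mkdtemp(prefix="webroot-")
    footer = (b"<footer>&copy; Example</footer>\n"
              b"<script src=\"//www.example.com/js/site.js\"></script>\n")
    _write(root, "index.php", b"<?php require 'wp-blog-header.php';\n")
    _write(root, "wp-content/themes/site/footer.php", footer)
    _write(root, "wp-content/plugins/gallery/gallery.php",
           b"<?php function gallery_render($id) { return '<div>' . intval($id) . '</div>'; }\n")
    manifest = build_manifest(root)  # baseline captured while the site is clean
    # What an automated plugin exploit typically leaves behind (constructed here):
    # a dropped webshell in uploads/ and a hidden iframe appended to a theme file.
    _write(root, "wp-content/uploads/cache.php",
           b"<?php eval(base64_decode($_POST['c'])); ?>\n")
    _write(root, "wp-content/themes/site/footer.php", footer
           + b"<iframe src=\"http://203.0.113.7/ad.html\" width=\"0\" height=\"0\"></iframe>\n")
    return root, manifest

if __name__ == "__main__":
    root, manifest = build_demo()
    report = scan_webroot(root, manifest, allowed_hosts={"www.example.com"})
    for key in ("added", "modified", "missing"):
        print(f"{key}: {report[key]}")
    for rel, hits in report["suspicious"].items():
        print(f"suspicious: {rel} -> {', '.join(hits)}")
```

Run as a script it builds the constructed site and prints the dropped webshell as an added file and the theme footer as modified, each with the heuristic that fired. Two points matter in real use: the manifest must be generated at deploy time and stored off the web server, since an attacker with write access to the document root can rewrite a manifest kept beside the files; and the content heuristics are a triage aid, not a verdict, because some legitimate obfuscated plugins use the same eval/base64 idiom while a careful attacker will avoid it.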
Ordinary users cannot invest in best-of-breed advanced endpoint security, yet they are exposed to threats that require tools of that sophistication (or higher) to prevent. Almost all security products are designed to keep attacks out of the organization that bought them, not to protect the public visiting that organization's website.
This attack was detected because the targets had advanced endpoint detection and threat intelligence from iSight. It also demonstrated the attackers' ability to single out specific types of web visitors. Had ordinary people been the targets, with the goal of spreading banking malware or building a botnet, the impact could have been far larger.
This isn't the first time a major website has been compromised, and there is nothing unique about Forbes that made it particularly vulnerable. Factor in the scale of modern websites and all their potential entry points (vulnerable CMS plugins, themes, custom apps, malvertising, and so on) and it becomes clear that end users are exposed to significantly more risk than most companies account for.
This problem hasn't received as much attention as conventional breaches, and it may not yet be on your radar as a clear and present danger to your organization. But there is a strong chance your organization will deal with it at some point, if it hasn't already. Each new vulnerable plugin or compromised code library running on your site raises your odds of being breached, and if the group exploiting it knows what it is doing, the compromise will be invisible to you unless you go looking for it.