On August 6, Mozilla released a blog post about a Mozilla zero-day being exploited in the wild. The vector was a malicious digital ad (malvertisement) appearing on a Russian news site. Thus far, it is the only instance observed. Mozilla has patched the vulnerability in Firefox version 39.0.3 and Firefox ESR 38.1.1. Any older versions are still affected.
The vulnerability allowed the attacker to bypass the same origin policy of the built-in PDF viewer and leverage the software’s own technology to gain access to victims’ files.
Unlike most attacks, which only target specific data sets such as credit card info, bank info, or login credentials —this attack’s purpose was to cast a much wider net. While it scraped files typically associated with financial and password info, it also looked to extract data typically stored by information security and application development professionals, such as:
- FTP credentials (FileZilla, SmartFTP, etc)
- IT security professionals and security hobbyists (*pentest*.txt stolen, *vuln*.txt, *hack*.txt)
- Sysadmins, and anyone with remote server access (ssh keys, remote desktop viewer apps, ftp, *database*.txt)
- Financial data (*btc*.txt, bill.txt, *balance*.txt, *billing*.txt)
- Personal contact data (contacts.txt)
- Russian speakers and those using Russian-language operating systems (Russian file/directory names)
The files intended to be stolen will inevitably lead to much further damage, allowing the attacker to gain access to servers and possibly spread more malware from every server the affected user had access to, using stolen keys that had a weak passphrase, or none at all.
Interestingly, the stolen data was routed via a URL that was reminiscent of a URL associated with ad serving infrastructure. If this is truly ad serving infrastructure being used as a data collection point, it would be unique. Typically the malvertising attacks we observe rely on attacker-controlled infrastructure to capture data. Ad serving infrastructure collects data as part of its normal functionality, so the extraction behavior is less anomalous.
In 2015, RiskIQ detected a 260% increase in malvertisements over 2014. Malvertising creates far less collateral damage than its SPAM and botnet cousins and it's difficult to detect because ads appear and disappear in seconds. The full impact of malvertising on society is still largely unknown. However, exploits like this one may be firing off around the web as we speak— leveraging zero-days quietly and at scale.
This is further proof that malvertising is quickly becoming a preferred cyber threat vector. While the majority of headlines are grabbed by sophisticated APT attacks where a single entity was breached, cyber criminals are dramatically increasing their ability to scale attacks and lower cost with targeted ads. Read more about the growth of malicious digital ads here.