Blackhole Foiled at Global Law Firm

The Network: A law firm with 14 offices worldwide. Their team is supplemented by EventTracker SIEM on a 24/7 basis.

The Expectation: Robust and up-to-date (anti-virus, next-gen firewall) prevention mechanisms thwart most common attacks, but since perfect protection is not practical, monitoring is also necessary.

The Catch: EventTracker SOC analysts observed suspicious network traffic that matched patterns from the Blackhole exploit kit, one of the most prevalent web threats. Its purpose is to deliver a malicious payload to a victim’s computer. The majority of infections due to this exploit kit are done in a series of high volume spam runs. Blackhole incorporates tracking mechanisms so that people maintaining the malware know considerable information about the victims, including the victim’s country, operating system, browser and which piece of software on the victim’s computer was exploited.

The Find: A large number of connections from a desktop inside one of the locations was observed — many of these connections were to IP Addresses with poor reputation. Simultaneously, the desktop was observed to be using unusually high amounts of memory, attributed to iexplore.exe. These are indicators of compromise.

The Fix:The analyst immediately notified the customer’s IT team to check this desktop for vulnerable plugins (Adobe) to the Chrome browser. The onsite IT team confirmed that the plugins were vulnerable and quickly removed them from the user’s desktop.

The Lesson: Ensure that the browser’s plugins and operating system are up-to-date since Blackhole targets vulnerabilities in old versions of browsers such as Firefox, Google Chrome, Internet Explorer and Safari, as well as many popular plugins such as Adobe Flash, Adobe Acrobat and Java. Blackhole is polymorphic, so traditional antivirus signatures will lag behind the automated generation of new variants. SIEMphonic defends against new variants.