Exploit Caused by a Vulnerable Browser Plugin

The Network: Global fine dining company that operates in over 160 countries.

The Expectation: Patch management processes and regular network scans were in place with server hardening procedures. However, at times some vulnerability patches were overlooked, creating cybersecurity gaps that hackers can exploit.

The Catch: Netsurion’s analysts were able to detect Adobe software on a terminal server with a suspicious vulnerable plugin (DOM XSS vulnerability using Blackhole/Cool exploit kits). This plugin was observed in multiple profiles on the terminal server.

Blackhole/Cool exploit kits target a range of client vulnerabilities, with emphasis on vulnerabilities in Adobe Reader, Adobe Flash, and Java. The user’s browser loads code served up from what we call the ‘landing page’ of the exploit kit. The purpose of the landing page is straightforward:

  • Capture the parameter included in the URL used. This allows the exploit kit to correlate page requests to the specific individuals or groups responsible for redirecting the victim (for payment purposes).
  • Fingerprint the machine. The landing page used by the exploit kit uses code from the legitimate Plugin Detect library to identify:
    • OS
    • Browser (and browser version)
    • Adobe Flash version
    • Adobe Reader version
    • Java version
  • Load the various exploit components. Based on the information determined in the step above, the relevant exploit components (PDF, Flash, Java, etc.) are loaded.

The most prevalent payloads delivered by these exploit kits include:

  • Fake Anti-Virus (scareware)
  • Zeus
  • TDSS rootkit
  • ZeroAccess rootkit
  • Ransomware

Note that there was no option to block this extension from installing on the system and the feature was not mentioned in the documentation.

The Find: Netsurion’s SOC analysts observed this exploit under a network Trojan alert in the Netsurion Intrusion Detection System (IDS). Our cybersecurity analysts also found 350 network connections opened within a span of 7 minutes, along with numerous bad IP addresses connecting to the internal network. This information led the analysts to conclude that an exploit attempt had been made from outside the network.
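The connection burst described above can be expressed as a sliding-window check. The following is an added example, not Netsurion's detection logic: the log format, the host and remote addresses, the blocklist, and the names `detect_bursts` and `sample_log` are all assumptions constructed for illustration, with the 350-connection and 7-minute figures taken from the case.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=7)  # window reported in the case study
THRESHOLD = 350                # connections reported within that window

def parse(line):
    # Constructed log format: "<ISO timestamp> <internal ip> <remote ip> <remote port>"
    ts, local, remote, port = line.split()
    return datetime.fromisoformat(ts), local, remote, int(port)

def detect_bursts(lines, blocklist=frozenset(), window=WINDOW, threshold=THRESHOLD):
    """Return one alert per internal host with >= threshold connections inside window."""
    recent, alerts = {}, {}
    for ts, local, remote, _port in sorted(map(parse, lines)):
        q = recent.setdefault(local, deque())
        q.append((ts, remote))
        while ts - q[0][0] > window:      # drop events older than the window
            q.popleft()
        if len(q) >= threshold and local not in alerts:
            remotes = {r for _, r in q}
            alerts[local] = {
                "host": local,
                "window_start": q[0][0],
                "triggered_at": ts,
                "connections": len(q),
                "distinct_remotes": len(remotes),
                "blocklisted": sorted(remotes & set(blocklist)),
            }
    return list(alerts.values())

def sample_log():
    # Constructed data using RFC 5737 documentation addresses, not values from the incident.
    base = datetime(2024, 1, 1, 9, 0, 0)
    lines = []
    for i in range(350):   # noisy terminal server: 350 connections in just under 7 minutes
        ts = base + timedelta(milliseconds=1200 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.20 203.0.113.{i % 40 + 1} 443")
    for i in range(30):    # ordinary workstation: 30 connections spread over an hour
        ts = base + timedelta(minutes=2 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.31 198.51.100.7 443")
    return lines

SAMPLE_BLOCKLIST = {"203.0.113.5", "203.0.113.17"}  # constructed threat-intel entries

if __name__ == "__main__":
    for alert in detect_bursts(sample_log(), SAMPLE_BLOCKLIST):
        print(alert)
```

On the constructed data only the terminal server trips the threshold; the alert also lists which of its remote peers appear on the blocklist, which is the set an analyst would hand to the firewall team.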

The Fix: The client confirmed the existence of this vulnerable extension on the terminal server for various profiles. The customer immediately uninstalled the vulnerable Adobe plugin to prevent damage. If left as-is, it would have allowed the cyber criminals to steal insider information, including customer records. A scan was performed on the server and the suspicious IP addresses were blocked on the firewall.

The Lesson: Anti-Virus, software patching, and network scanners are available in most of the infrastructure, but it is imperative to have 24/7/365 SOC monitoring and detection to find vulnerabilities that go unnoticed in these traditional controls.