Exploit Caused by a Vulnerable Browser Plugin

The Network: Global fine dining company that operates in over 160 countries.

The Expectation: Patch management processes and regular network scans were in place with server hardening procedures. However, at times some updates were overlooked.

The Catch: EventTracker analysts were able to detect Adobe software on a terminal server with a suspicious vulnerable plugin (DOM XSS vulnerability using Blackhole/Cool exploit kits). This plugin was observed in multiple profiles on the terminal server.

This extension was installed as part of an official update of Adobe Acrobat Reader DC from January 2017. Also, this extension has been known to request the following permissions:

  • Read and change all your data on the websites you visit
  • Manage your downloads
  • Communicate with cooperating native applications

Blackhole/Cool exploit kits target a range of client vulnerabilities, with emphasis on vulnerabilities in Adobe Reader, Adobe Flash and Java. The user’s browser loads code served up from what we call the ‘landing page’ of the exploit kit. The purpose of the landing page is straightforward:

  • Capture the parameter included in the URL used. This allows the exploit kit to correlate page requests to the specific individuals or groups responsible for redirecting the victim (for payment purposes).
  • Fingerprint the machine. The landing page used by the exploit kit uses code from the legitimate Plugin Detect library to identify:
    • OS
    • Browser (and browser version)
    • Adobe Flash version
    • Adobe Reader version
    • Java version
    • Load the various exploit components. Based on the information determined in the step above, the relevant exploit components (PDF, Flash, Java, etc.) are loaded.

The most prevalent payloads from the exploit kits can include:

  • Fake AV (scareware)
  • Zeus
  • TDSS rootkit
  • ZeroAccess rootkit
  • Ransomware

Note that there was no option to block this extension from installing on the system and the feature was not mentioned in the documentation.

The Find: The EventTracker analysts observed this exploit under a network Trojan alert in the EventTracker Intrusion Detection System. The analysts also found 350 network connections opened up in the span of 7 minutes. There were a bunch of bad IPs getting connected to the internal network, as well.  This information led the analysts to conclude that there was an exploit attempt made from outside the network.

The EventTracker features involved here were:

  • ET-IDS
  • EventTracker Logs
  • EventTracker NCM (Network Connections Monitoring)

The Fix: The client confirmed the existence of this vulnerable extension on the terminal server for various profiles. The customer immediately uninstalled the vulnerable Adobe plugin to prevent damage. If left as-is, it would have allowed the bad players to steal insider information, including customer records. A scan was performed on the server and the IPs were blocked on the firewall.

The Lesson: AV, software patching and network scanners are available in most of the infrastructure, but it is imperative to have an additional level of logging and analysis to find vulnerabilities that go unnoticed in these traditional controls.