How to Defeat Advanced Malware: New Tools for Protection and Forensics (2015)
Chapter 2. 2014 Endpoint Exploitation Trends
Before analyzing potential solutions, security teams tasked with protecting critical enterprise assets must track the shifting-attack landscape to understand key attack methods and targets. This chapter covers the growth in zero-day exploitation, and notable and emerging zero-day exploitation techniques.
Microsoft® Internet Explorer
Action Script Spray
Adobe Reader sandbox
address space layout randomization (ASLR)
data execution prevention (DEP)
Before analyzing potential solutions, security teams tasked with protecting critical enterprise assets must track the shifting attack landscape to understand key attack methods and targets. The Author, in conjunction with Bromium Labs, a team of security analysts with extensive experience in building innovative technologies to counter and defend against advanced attacks, studied key trends in the 2014 cyber-attack landscape. These latest trends are summarized below and should be factored into security planning in the coming months:
1. Microsoft® Internet Explorer set a record high for reported vulnerabilities in the first half of 2014.
2. Microsoft Internet Explorer also leads in publicly reported exploits.
3. Web browser release cycles are becoming more frequent – as are initial security patches.
4. Adobe Flash is the primary browser plugin being targeted by 2014 zero-day attacks.
5. New “Action Script Spray” techniques targeting Flash have been uncovered that exploit zero-day vulnerabilities.
2.1. Zero-day trends
In the first half of 2014, the growth in zero-day exploitation continued unabated from 2013. Unsurprisingly, all of the zero-day attacks targeted end-user applications such as browsers and applications such as Microsoft® Office. Typically these attacks were launched using classic spear-phishing tactics. Although Microsoft Internet Explorer was the most patched product on the market, it was also the most exploited, surpassing Oracle Java and Adobe Flash. Bromium Labs believes that Microsoft Internet Explorer will likely continue to be the target of choice going forward.
In comparison, Java had no reported zero-day exploitation in the first half of 2014.
Released in late 2013, Microsoft Internet Explorer 11 has seen a quick succession of security patches, compared to its predecessors. Bromium Labs analyzed the timelines for each Internet Explorer patch release and documented when the first critical patch became Generally Available (GA).
Internet Explorer release to patch timeline.
2.2. Notable zero-day exploitation techniques
Microsoft Internet Explorer
• Almost all Microsoft Internet Explorer memory corruption exploits now use de facto ROP (Return Oriented Programming) techniques for bypassing the default operating system security mechanisms (address space layout randomization (ASLR), data execution prevention (DEP)).
• Both the Microsoft Internet Explorer zero-day exploits leveraged “Action Script Spray” technique to bypass ASLR.
• Attackers were quick to leverage new features released in late 2013 to exploit ActionScript Virtual Machine ASVM implementation flaws using “Action Script Spray” techniques.
• Non-ASLR libraries continued to be the weakest link leveraged by malware authors to bypass OS protections.
Adobe Reader Sandbox Escape
• This vulnerability was uncovered late in 2013 and was finally patched in January 2014.
• Two vulnerabilities were used to bypass the Adobe Reader sandbox:
o CVE-2013-3346: Use-after-free vulnerability in Adobe Reader
o CVE-2013-5065: Kernel-mode zero day vulnerability NDProxy.sys
Adobe Flash Player and Recent Client Exploits
2010–2013 were clearly the years of Java exploits. Since then, a lot has changed: old versions of JRE are blocked by default, Java applets now require explicit activation from users resulting in this attack vector becoming harder to leverage. In response to increased defense deployed by security vendors and software developers, attackers have switched to new plugins. In the past 6 months, Adobe Flash Player was seen to be abused leveraging two attack vectors:
• Exploiting ASVM vulnerabilities
• Abetting exploitation of IE UAF bugs
2.3. Emerging zero-day exploitation techniques
Action Script Virtual Machine Attacks
In 2014, there were three severe vulnerabilities that were detected in live attacks. Unlike Java, where in the main, malicious code leveraged JRE’s capabilities, Flash exploits require DEP and ASLR bypass for successful execution. The following table provides a summary of 2014 ASVM attacks.
Non-ASLR libraries of Flash Player
Double Free of AS3 Shared Object
Non-ASLR libraries of JRE 1.6 and 1.7 and MS Office 2007 and 2010, ROP chain is built relative to fixed offset
Heap overflow in compiled Shader
Dynamic ROP generation based on Action Script Spray
Unlike the first two exploits, CVE-2014-0515 used a relatively new technique to bypass ASLR allowing dynamic crafting of ROP chain called Action Script Spray. This technique was also seen in two IE exploits released in 2014.
ROP Bypass Using Action Script Spray
Both IE exploits released in 2014 (CVE-2014-1776, CVE-2014-0322) used Flash to build the ROP chain and launch shellcode. This technique leverages the way dense arrays are allocated in the endpoints memory.
If a vulnerability allows an attacker to control the size of a vector they could make it as big as the whole memory space and then search for the necessary API calls and ROP gadgets. The following picture illustrates an Action Script Spray attack.
If the whole process memory is accessible, an attacker can now craft an ROP chain using ASVM capabilities and modify vtable with a pointer to the shellcode and trigger it.
The attack is more complex than a traditional heap spray, which indicates that cybercriminals are ready to invest more time and resources into development of new techniques in response to ever increasing protection measures. In addition to that, the prevalence of IE + Flash is much higher than IE + Java JRE, so this has provided attackers with a larger opportunity.