Full Report
AOL has taken steps to stop a set of malicious advertisements being served through their sites, including The Huffington Post, Computer Business Review reports.
Analysis Summary
# Incident Report: Malvertising Campaign Distributing Kovter Trojan via AOL Ad Network
## Executive Summary
A significant malvertising campaign exploited AOL's advertising platform to serve malicious advertisements across several high-profile websites, including The Huffington Post (US/Canadian versions). The attack successfully redirected users through multiple encrypted hops, leading to a drive-by download of the Kovter trojan via an exploit kit targeting a Flash vulnerability. AOL ultimately blocked the malicious advertisements after the initial compromise.
## Incident Details
- Discovery Date: Not disclosed; the malicious ads were observed in rotation as of December 31, 2014, so detection followed shortly after.
- Incident Date: On or around December 31, 2014.
- Affected Organization: AOL (and its advertising partners/platforms).
- Sector: Media/Technology.
- Geography: Affecting American and Canadian site versions.
## Timeline of Events
### Initial Access
- Date/Time: On or around December 31, 2014.
- Vector: Malicious Advertisements (Malvertising).
- Details: Malicious ads were served through AOL's advertising platform onto sites like The Huffington Post, Weatherbug, Houston Press, and Mandatory.
### Lateral Movement
- Not explicitly detailed, as the attack appeared focused on endpoint compromise via drive-by download.
### Data Exfiltration/Impact
- Impact: Successful delivery of the Win32/Kovter trojan to affected users' endpoints via an exploit kit leveraging a Flash vulnerability.
### Detection & Response
- Detection: Discovery of malicious advertisements and subsequent redirection chain.
- Response actions taken: AOL took steps to stop the set of malicious advertisements from being served across their network.
## Attack Methodology
- Initial Access: Malvertising via compromised ad network.
- Persistence: Not detailed for the ad network, but Kovter often establishes local persistence.
- Privilege Escalation: Not specified. The Flash exploit yields code execution in the context of the user's browser; any later elevation on the endpoint is not described in the report.
- Defense Evasion: A chain of redirectors, served over HTTPS (one hosted on Google App Engine), hid the final exploit server from inspection and from ad-network vetting.
- Credential Access: Not specified. Credential theft is a common goal of trojans delivered this way, but the report does not describe it for this incident.
- Discovery: Attackers identified vulnerable Flash components on end-user systems.
- Lateral Movement: Not specified.
- Collection: Not specified (as the focus was on malware deployment).
- Exfiltration: Not specified.
- Impact: Delivery of Win32/Kovter trojan via drive-by attack.
## Impact Assessment
- Financial: Not quantified for this campaign, but AOL confirmed that prior similar attacks delivered CryptoWall, which reportedly earned its operators around $25,000 per day.
- Data Breach: No data breach was reported; the impact is endpoint compromise through installation of the Kovter trojan.
- Operational: Potential disruption for users visiting affected sites due to drive-by downloads.
- Reputational: Negative impact related to the security of the ad platform and sites like The Huffington Post.
## Indicators of Compromise
- Network indicators (defanged):
- Final exploit kit host domain ended in `.pl` (Poland TLD).
- Use of multiple HTTPS redirectors, including one hosted on a Google App Engine page.
- File indicators:
- Win32/Kovter trojan.
- Behavioral indicators:
- Drive-by download attack exploiting a Flash vulnerability.
## Response Actions
- Containment measures: Blocking/removing the specific malicious advertisements from the AOL advertising network.
- Eradication steps: Not detailed for end-user remediation, focus was on platform-level blocking.
- Recovery actions: AOL committed to improving transparency and ensuring ads meet quality standards.
## Lessons Learned
- Key takeaways: Malvertising remains a potent vector, capable of bypassing standard ad vetting processes. Attackers use complex chaining (multiple redirects, HTTPS) to obscure the source of the exploit kit.
- What could have been done better: Improving real-time threat intelligence and vetting within the ad serving platform to prevent known vectors or obfuscation techniques.
## Recommendations
- Implement rigorous, real-time scanning and vetting processes for all creatives served through the advertising platform, specifically looking for obfuscated redirection chains.
- Keep browser plugins such as Adobe Flash patched or disable them outright; where that is not possible, add detection for exploitation attempts against known (N-day) Flash vulnerabilities, since an exploit kit only needs one unpatched client.
- Investigate options to reduce reliance on or strictly audit third-party ad networks known for serving malicious content.
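The defense-evasion note above (a chain of HTTPS redirectors ending at an exploit host under `.pl`) and the first recommendation (vet creatives for obfuscated redirection chains) both come down to the same check: record the hops an ad actually takes and score the chain. The following is an added example, not code from the report or from AOL, that analyses a captured redirect chain offline. The chain entries, hostnames (all under the reserved `.invalid` TLD, plus a placeholder `appspot.com` name standing in for the App Engine hop) and the watch-list of TLDs are constructed for illustration and are not real indicators from the incident.

```python
"""Score a recorded ad redirect chain for malvertising indicators (added example)."""
from urllib.parse import urlsplit

# Constructed sample chain in the shape of the incident described above.
# Each entry is (requested URL, HTTP status, Location header or None).
# Hostnames are placeholders, NOT real indicators.
SAMPLE_CHAIN = [
    ("https://ads.adnet-example.invalid/serve?cid=41", 302,
     "https://clk.redirector-example.invalid/r?t=9"),
    ("https://clk.redirector-example.invalid/r?t=9", 302,
     "https://placeholder-app.appspot.com/go"),
    ("https://placeholder-app.appspot.com/go", 302,
     "https://landing.ek-example.pl/index.php?id=3"),
    ("https://landing.ek-example.pl/index.php?id=3", 200, None),
]

# Constructed benign chain: one hop straight to the advertiser's own site.
BENIGN_CHAIN = [
    ("https://ads.adnet-example.invalid/serve?cid=7", 302,
     "https://www.advertiser-example.com/landing"),
    ("https://www.advertiser-example.com/landing", 200, None),
]

# Hosting suffixes where throwaway redirectors are cheap to stand up.
# appspot.com is Google App Engine's default serving domain.
CLOUD_REDIRECTOR_SUFFIXES = (".appspot.com",)
# TLDs worth a second look when they host the *final* landing page.
# Assumed tuning knob for this example; the incident's exploit host ended in .pl.
WATCH_FINAL_TLDS = {"pl"}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def hostname(url):
    return (urlsplit(url).hostname or "").lower()


def registered_domain(host):
    # Naive: last two labels. A production tool should use the public suffix
    # list so that e.g. co.uk is handled; this is enough for the demo.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def validate_chain(chain):
    """Ensure the recorded hops actually link up; raise ValueError otherwise."""
    if not chain or chain[-1][2] is not None:
        raise ValueError("chain does not terminate in a final response")
    for (url, status, location), (next_url, _, _) in zip(chain, chain[1:]):
        if status not in REDIRECT_STATUSES:
            raise ValueError(f"non-redirect status {status} mid-chain at {url}")
        if location != next_url:
            raise ValueError(f"chain break: {url} -> {location!r}, next hop {next_url}")


def analyze_chain(chain, cloud_suffixes=CLOUD_REDIRECTOR_SUFFIXES,
                  watch_tlds=WATCH_FINAL_TLDS):
    """Return hop statistics and a list of heuristic flags for the chain."""
    validate_chain(chain)
    hosts = [hostname(url) for url, _, _ in chain]
    intermediates = hosts[1:-1]            # everything between ad server and landing
    final_host = hosts[-1]
    final_tld = final_host.rsplit(".", 1)[-1]
    domains = {registered_domain(h) for h in hosts}

    flags = []
    if len(chain) - 1 >= 3:                # three or more redirects before landing
        flags.append("long_chain")
    if len(hosts) >= 3 and len(domains) == len(hosts):
        flags.append("new_domain_every_hop")   # nothing shared between hops
    if any(h.endswith(cloud_suffixes) for h in intermediates):
        flags.append("cloud_hosted_redirector")
    if final_tld in watch_tlds:
        flags.append("watched_final_tld")

    return {
        "hops": len(chain) - 1,
        "hosts": hosts,
        "final_host": final_host,
        "final_tld": final_tld,
        # Informational: an all-HTTPS chain is opaque to a non-intercepting proxy.
        "all_https": all(urlsplit(u).scheme == "https" for u, _, _ in chain),
        "flags": flags,
        "score": len(flags),
    }


if __name__ == "__main__":
    for name, chain in (("sample", SAMPLE_CHAIN), ("benign", BENIGN_CHAIN)):
        result = analyze_chain(chain)
        print(f"{name}: hops={result['hops']} score={result['score']} "
              f"flags={result['flags']} final={result['final_host']}")
```

The score is a triage aid, not a verdict: a long chain through a cloud-hosted redirector is normal for some legitimate ad tech, so the useful signal is the combination of flags against a baseline of what the platform's approved creatives usually look like. The validation step matters because a chain recorded from a real crawl often breaks (JavaScript redirects, meta refresh, a hop that timed out), and a scorer that silently skips those gaps will under-count hops.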