Recent Webinar: Building an Adaptive Cyber Resilient Cloud
arrow-white arrow-white Watch now
close

Surprise, Surprise, Angler EK Has a New Angle

Posted by Shelley Leveson on June 8, 2016
Find me on:

Angler_EK_blog_img.jpg

The recent FireEye discovery of an Angler Exploit Kit variant that bypasses Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) has taken the cyber security world by surprise – but it shouldn’t have. New variants of the Angler EK crop up constantly (see Javascript in IE Overtakes Flash as Number One Target for Angler Exploit Kit) and EMET was never meant to be infallible, just make it more difficult for hackers. EMET, which uses a set of predefined rules to prevent specific malware, is often relied upon to stop zero-day attacks on Windows systems until a patch is developed for the vulnerability. Although researchers have previously discovered vulnerabilities that allowed them to bypass EMET defenses, this is the first time an exploit in the wild has been successful.

This new variant essentially turns Windows 7 users, still 49 percent (!) of Windows users, into defenseless targets for the next ransomware wave. Already, the Angler Exploit Kit is the preferred weapon of hackers to deliver their malware. This time the payload was TeslaCrypt Ransomware, but there is no limit to what payload can be delivered.

Morphisec VP R&D Michael Gorelik sees more exploits ahead, “I predict that with this vulnerability, the prominence of Angler will only increase. Based on details from FireEye’s research, it would take very little to implement the same bypass on Microsoft Windows 8, 8.1 and 10. I foresee that the same web attacks with light modification will soon target more advanced OS's, not only through browsers but also documents containing 3rd party plugins like Flash."

What can you do?

First of all, companies must understand that running EMET doesn’t mean they can delay patching frequently attacked programs. Unfortunately, ad-hoc patching is not practical for most enterprises. Removing ActiveX plugins like Flash or Silverlight will address this particular exploit variant, although won’t protect against other possible vectors of attacks, such as a document-based attack using Flash. The only known solutions to actually prevent such attacks are those that apply Moving Target Defense (MTD) concepts to conceal application vulnerabilities and block web-based and in-memory attacks.

The constantly growing sophistication of advanced attacks and the vectors used are the impetus behind Morphisec’s MOVING TARGET DEFENSE technology. It’s effectiveness in automatically blocking this new version of Angler EK proves our approach right.


If you are interested in learning more about the differences between EMET and Morphisec's Moving Target Defense, please download our EMET FACTSHEET.

Note: For this specific attack, TeslaCrypt master key might help to decrypt the files - http://www.bleepingcomputer.com/news/security/teslacrypt-shuts-down-and-releases-master-decryption-key/.

New Call-to-action