Friday 5 October 12:00 - 12:30, Green room
Jérôme Segura (Malwarebytes)
The online threat landscape has changed dramatically over the past year with the decline in exploit kit activity. Faced with a shift in browser market share and built-in exploit protection, attackers have had to resort to other techniques to turn a quick profit.
In this session, we will present a quick review of the decline in exploit kit activity, which started with the death of Angler EK, an infamous and advanced toolkit for distributing malware via browser exploits. In the following months there was a domino-like effect, with several high-profile actors disappearing from the public scene completely or going private. Interestingly, many distribution campaigns via hacked websites also took a hit, either vanishing or being repurposed for social engineering attacks instead. Something similar happened with malvertising, which continued unabated but diversified into various scams.
Various factors contributed to this decline. For starters, the vulnerabilities used by these exploit kits aged quite rapidly and were less effective against newer operating systems with automatic updates and exploit mitigations baked in. At the same time, the market share of Internet Explorer (the primary targeted browser) continued its rapid descent while Google Chrome became the unchallenged number one.
Separately, cryptocurrencies have soared dramatically in the past year, driven by the exponential rise in Bitcoin's value that everyone watched with great interest. In addition, newer cryptocurrencies such as Monero have gained rapid momentum and become popular because of their low system requirements: you no longer need a powerful rig to mine coins, as any average PC can participate. This was an interesting development because it opened the door to mining by the masses, in ways rarely explored before.
At the same time, online criminals keep coming up with new evasion techniques, using obfuscated code, proxies and clever social engineering tricks, all designed to keep users in the dark while their machines are, more or less silently, mining the latest and hottest coins.
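The evasion tricks listed above (obfuscated strings, proxied connections, throttled CPU use to stay unnoticed) leave traces in the page script itself. The following is an added example, not code from the talk or from Malwarebytes: a small heuristic scorer that hex-decodes string literals in a script and then looks for the indicators a drive-by miner typically exposes. The two script bodies are constructed for the example, and the specific indicators chosen (a `ws://`/`wss://` endpoint standing in for the "proxies" the abstract mentions, and `throttle`/`hardwareConcurrency` settings standing in for "more or less silently") are the author's assumptions about what such loaders look like, not claims made on this page.

```python
import re

# Constructed sample script bodies for the example; neither is real miner code.
# The first hides its WebSocket proxy endpoint behind \xNN escapes, a common
# obfuscation trick; the second is an ordinary benign click handler.
SAMPLES = {
    "obfuscated_loader": (
        "var _0x1=['\\x77\\x73\\x73\\x3a\\x2f\\x2f\\x70\\x72\\x6f\\x78\\x79\\x2e"
        "\\x65\\x78\\x61\\x6d\\x70\\x6c\\x65\\x3a\\x38\\x30\\x38\\x30'];"
        "var m=new Miner(_0x1[0],{threads:navigator.hardwareConcurrency,"
        "throttle:0.7});m.start();"
    ),
    "benign": (
        "document.getElementById('x').addEventListener('click',"
        "function(){console.log('hi');});"
    ),
}

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
# Assumed indicator: in-browser miners reach their pool through a WebSocket
# proxy rather than talking Stratum directly (assumption for this example).
WS_ENDPOINT = re.compile(r"wss?://[A-Za-z0-9.\-]+(?::\d+)?")
# Assumed indicator: settings that keep CPU use low enough not to be noticed.
THROTTLE = re.compile(r"\b(throttle|hardwareConcurrency)\b")

# Ratio of \xNN escapes to script length above which we call the script
# obfuscated; the threshold is a tuning choice, not a published value.
OBFUSCATION_RATIO = 0.02


def decode_hex_escapes(script: str) -> str:
    """Replace every \\xNN escape with the character it encodes."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), script)


def analyze(script: str) -> dict:
    """Score one script body and return the evidence found."""
    escapes = len(HEX_ESCAPE.findall(script))
    decoded = decode_hex_escapes(script)
    endpoints = WS_ENDPOINT.findall(decoded)

    indicators = []
    if escapes / max(len(script), 1) > OBFUSCATION_RATIO:
        indicators.append("obfuscated-strings")
    if endpoints:
        indicators.append("websocket-proxy")
    if THROTTLE.search(decoded):
        indicators.append("throttled-mining")

    return {
        "hex_escapes": escapes,
        "decoded": decoded,
        "websocket_endpoints": endpoints,
        "indicators": indicators,
        # Two independent indicators are required before raising an alert,
        # so a lone hex-escaped string in a legitimate script does not fire.
        "suspicious": len(indicators) >= 2,
    }


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        result = analyze(body)
        print(name, result["suspicious"], result["indicators"],
              result["websocket_endpoints"])
```

Decoding before matching is the important step: the endpoint and the option names are only visible once the `\xNN` escapes are resolved, which is exactly why loaders encode them that way. A real deployment would add further decoders (`atob`, `unescape`, string concatenation) and feed the decoded script to the same indicator checks.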
We conclude this talk by taking a look ahead at what is expected to be a long cat and mouse battle for as long as the value of cryptocurrencies remains high.
Jérôme Segura has over 10 years' experience in the field of information security with a strong focus on web threats (exploit kits, malvertising, malicious cryptomining) and online fraud (ad/click fraud, scams). He is passionate about identifying new infection vectors or schemes and taking them apart in technical, yet accessible writeups.
During his spare time, he enjoys the simple joys of nature, wine and cheese.