Application Security
10/15/2014 11:00 AM
Peter Zavlaris
Commentary
Third-Party Code: Fertile Ground For Malware

How big-brand corporate websites are becoming a popular method for mass distribution of exploit kits on vulnerable computers.

Modern websites rely on many moving parts operating behind the scenes, which often include a mashup of JavaScript, content, files, applications, and digital ads. Some of this code may be written by the website owner, while the rest can be any combination of resources called in from different locations on the Internet and under the control of third-party organizations.

The problem with remotely called third-party code is that it is only activated in a visitor's web browser and, as such, bypasses the site's web server, where most security measures are implemented. If the remote host is compromised, the third-party code can be manipulated into serving up malware on any site that includes it, totally unbeknownst to the website operator.

Depending on the goals of the attacker, the malware could be used to gain entry into a corporate network. Often, compromised websites are turned into a malware delivery agent infecting thousands if not millions of unsuspecting site visitors.

RiskIQ was recently involved in the discovery and disclosure of a real-life example of this type of infection. Our researchers discovered the RIG exploit kit embedded on an important and highly trafficked website. The culprit was a fake URL introduced into the website through a script tag that called a third-party resource. We suspect that RIG was designed to install data-stealing malware on jQuery users' computers, because these individuals, typically web developers and systems administrators, have high-level access credentials.

This made us curious as to how prevalent the usage of third-party code is on the public Internet. Adam Hunt, RiskIQ's resident data scientist, commissioned a study, and for this blog he's offered an excerpt of the data and some of his methods.

The purpose of this study was to quantify the number of libraries on a given domain, the number of third-party hosted resources (for example, whether jQuery is served locally or from a CDN), and the number of other hosts/domains/organizations that use each resource. Hunt explains in the research:

In order to run this test we intentionally distributed the data collected from RiskIQ's web crawling infrastructure across many computers due to the size of the dataset (3 to 5 TB per day). We used a custom-built resilient distributed dataset (RDD) designed to read our RiskIQ custom data structures (data collected every day from all over the web). We used Apache Spark to query and pivot on a fraction of this data.

In a sample of over 2.5 million unique URLs collected over an 8-hour period, we aggregated the number of times JavaScript was retrieved from a third party. We discovered that roughly 70% of these URLs were running third-party JavaScript via script tags being retrieved from one or more outside sources. Of the 295,000 unique hosts from that sample, we observed that 90% retrieved a remote resource. Examples of these resources would be: Google Analytics, Twitter, Pinterest, the Facebook Like button, etc.
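The study above counts, per crawled URL, script tags that pull JavaScript from an outside host. The following is an added example of my own (not RiskIQ's Spark pipeline) that performs that first-party/third-party classification for a single page from its HTML and also flags third-party scripts that carry no Subresource Integrity hash, a mitigation the article itself does not discuss. The page URL, the HTML and the sha384 value are constructed placeholders, and "same site" is approximated as sharing the page host's last two DNS labels.

```python
"""Classify <script src> references as first- or third-party and check SRI.
Added example (not RiskIQ's code); page URL and HTML below are constructed.
First-party is approximated as sharing the page host's last two DNS labels."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptCollector(HTMLParser):
    # Collects (src, integrity) for every external <script> tag; inline ignored
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))

def site_of(host):
    """Approximate registrable domain: the last two labels of the host."""
    return ".".join(host.lower().split(".")[-2:])

def classify_scripts(page_url, html):
    """One record per external script: resolved url, third_party, has_sri."""
    collector = ScriptCollector()
    collector.feed(html)
    page_site = site_of(urlsplit(page_url).hostname)
    records = []
    for src, integrity in collector.scripts:
        full = urljoin(page_url, src)  # resolves relative and //host/ forms
        host = urlsplit(full).hostname or ""
        records.append({"url": full,
                        "third_party": site_of(host) != page_site,
                        "has_sri": integrity is not None})
    return records

def summarize(records):
    """Counts a defender cares about: third-party scripts with no integrity pin."""
    third = [r for r in records if r["third_party"]]
    return {"scripts": len(records), "third_party": len(third),
            "third_party_without_sri": sum(not r["has_sri"] for r in third)}

# Constructed sample page: one local script, one CDN-hosted jQuery, one pinned.
PAGE_URL = "https://www.example.com/index.html"
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="//code.jquery.com/jquery-1.11.1.min.js"></script>
<script src="https://static.example.com/a.js" integrity="sha384-PLACEHOLDER"></script>
</head></html>"""

if __name__ == "__main__":
    print(summarize(classify_scripts(PAGE_URL, SAMPLE_HTML)))
```

Run over a crawl, the per-page summaries aggregate into the same kind of "hosts retrieving a remote resource" figure the study reports, with the no-SRI count pointing at the scripts a compromised remote host could silently replace.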

Ostensibly, there's nothing wrong with using third-party resources to operate a website. Just because a resource is pulled in from a remote domain doesn't mean it's malicious. In fact, the majority of these domains belong to well-known third-party hosting providers, cloud providers, CDNs, and third-party code libraries.

The real concern is the need to rely on and trust the efficacy of the security measures implemented by third parties. Since external resources have become essential for serving up most websites, this is a risk most organizations are willing to accept.

Traditionally, spam has been the preferred method of malware distribution. However, spam filtering and email security have been steadily improving over the years. Consequently, it appears big-brand corporate websites are becoming a more popular method for mass distribution of exploit kits capable of installing dangerous malware such as Trojans, spyware, etc., on vulnerable computers.

RIG and Angler Exploit Kits have become more prevalent in recent years and are some of the most virulent on the black market. In a separate study using threat intelligence data from our global blacklist feed, since June 1, 2014, we've observed exploit kits RIG and Angler appearing on more than 30 unique domains within the Alexa Top 1000 most popular website list. These sites are controlled by some of the largest and most powerful brands in the world, almost all of them infected by an exploited third-party resource running on their sites.

The jQuery hack illustrates the massive reach of third-party resource infections. According to reports on its website, literally tens of millions of websites pull from jQuery's library, either directly via their own sites or via CDNs. From our sample we observed more than 800,000 URLs pulling in jQuery directly, while roughly 375,000 retrieve jQuery from a different domain. All it would take is for the breach we discovered to make its way into the code library or the CDN, and any website pulling code from jQuery could be infected. This could result in massive malware distribution.

Clearly, third-party website resources and code play an integral role in the online economy. They enable interactive sites that allow people to transact with their banks; buy medical insurance; watch movies or television; share photos, videos, and documents; and so on.

Unfortunately, these resources also represent exploitable infrastructure that is outside the control of an organization's IT security team. Addressing this emerging challenge requires looking at security from a new perspective, since it is not under the purview of traditional information security practices. In the meantime, it remains fertile ground for launching attacks and distributing malware.

Peter Zavlaris is one of the primary analysts and contributors to the RiskIQ blog, which provides weekly insights on the latest threats and attacks that target companies outside the firewall and put customers at risk. He has held various customer satisfaction positions with ...

Comments
PZav, User Rank: Author
10/20/2014 | 12:14:49 PM
Re: You're only as secure as your weakest point
Thanks Marilyn, it's a pleasure to be able to share this type of information on Dark Reading. We have a lot of respect for the quality of content and the level of reporting on this website.
Marilyn Cohodas, User Rank: Strategist
10/17/2014 | 9:06:30 AM
Re: You're only as secure as your weakest point
I'm constantly amazed at all the various hidden (and surprising) risks that researchers uncover daily! Thanks for lifting the veil on this one, Peter.
PZav, User Rank: Author
10/16/2014 | 5:10:40 PM
Re: You're only as secure as your weakest point
Good questions btw!
PZav, User Rank: Author
10/16/2014 | 5:10:09 PM
Re: You're only as secure as your weakest point
Hello Marilyn, Adam ran the study and I had him offer up some numbers for this article. I'm not certain if he was surprised or not. I thought in particular the fact that 90% of hosts in our sample were pulling in one or more third-party resources was surprising. However, when you consider how many organizations run analytics on their sites either for lead gen purposes, social media marketing, display marketing, etc., it's probably not all that surprising.

It's definitely disconcerting from a security perspective as all of us in the industry are learning how susceptible any organization is to a breach. There isn't a whole lot of conversation about the risks to site visitors when third-party client-side code being served up in the browser is hacked. We think that's an area of risk that remains largely hidden to most website operators.
Marilyn Cohodas, User Rank: Strategist
10/16/2014 | 3:25:48 PM
Re: You're only as secure as your weakest point
Peter, you said that the purpose of the study was to quantify the number of libraries on a given domain, third-party hosted resources, and find out how many other hosts/domains/organizations use that resource. Were you surprised at the results? What were you expecting to find out?
PZav, User Rank: Author
10/16/2014 | 2:53:32 PM
Re: You're only as secure as your weakest point
Agreed, although for our purposes we'd like to address this problem from an enterprise standpoint. In other words, help security folks within enterprise IT monitor their websites and mobile applications for malicious third-party code injected into their websites, as well as help them "keep other departments honest" when producing web and mobile properties.
Whoopty, User Rank: Ninja
10/16/2014 | 8:15:15 AM
You're only as secure as your weakest point
This goes for all sorts of digital security. On a personal level, if you have one weak password, it's possible someone could extrapolate enough information from that account to social engineer your other ones. That of course works both ways too, with one company with poor security making everything else about you vulnerable.

I think some of the public apathy for this type of problem though comes from how integrated a lot of the web is. Almost every site that has user interaction now lets you log in with your Facebook details. While handy, that creates a climate of signing in with your details on a site you haven't signed up for and may have never visited.

That makes it much easier for phishing, malware attacks and all sorts of other security problems, because our guard is slowly dropping.