Microsoft's Silverlight platform has now become a popular target for cybercriminals as public awareness of Java and Flash flaws increases.
Silverlight is Microsoft's browser plug-in for streaming media, similar to Adobe Flash Player. It handles multimedia content in web browsers on Microsoft Windows and Mac OS X, and is popularly known for being used by Netflix's streaming video service.
But Netflix isn't the only service that works on Silverlight; many other multimedia services support it as well.
Malware and exploit kit developers are targeting Silverlight users because those users aren't aware of the increasing proliferation of malware for the platform. Silverlight vulnerabilities are mostly exploited through drive-by download attacks that compromise victims' computers with malware, especially via malicious ads.
A Cisco researcher has spotted a recent Angler exploit kit campaign, which has spiked since April 23, that targets Microsoft's Silverlight by launching its exploits against the affected systems. The exploit kit in this campaign also hosts exploits for Flash and Java, which were at one time among the platforms most widely targeted by exploit kit developers, but it doesn't trigger them.
"Exploit kit owners are adding Silverlight to their update releases, and since 23 April we have observed substantial traffic - often from malvertising - being driven to Angler instances partially using Silverlight exploits," said Gundert, the lead threat researcher at Cisco.
The cybercriminals are infiltrating advertising networks with malvertising to redirect victims to hundreds of malicious websites hosting the Angler exploit kit, where the actual attack takes place: the kit silently launches Silverlight exploits against the victim's system.
Until now, exploit kit (EK) developers were targeting vulnerabilities in Adobe Flash and Oracle Java, but as public awareness and the patching efforts of the two firms have increased, the malware developers have switched to Microsoft's Silverlight.
“Java and Flash have been heavily exploited over the years, and vendors are getting good at writing engines that detect vulnerabilities in those libraries,” said Cisco researcher Craig Williams. “Silverlight has not been exploited much. There are some limited CVEs, but few are widespread. What we may be seeing here is a tipping point where Java exploits are being detected and what other formats can hackers take advantage of.”
Levi Gundert, technical lead at Cisco Threat Research, observed that the Angler campaign exploits two known Silverlight vulnerabilities:
- CVE-2013-0074, which gives attackers the ability to remotely execute malicious code
- CVE-2013-3896, which allows attackers to bypass Data Execution Prevention (DEP), a security mitigation added to most Microsoft applications
"We should expect these existing Silverlight exploits to proliferate through other exploit pack families in the near future as threat actors copy code from each other and release updates," Gundert wrote.
"Silverlight exploits are also ideal because Silverlight continues to gain rich Internet application market share, perhaps surpassing Java, and Microsoft’s life cycle schedule suggests Silverlight 5 will be supported through October, 2021."
The security firm didn't disclose the names of the compromised websites serving the exploit kit. The operators of the Angler exploit kit are believed to be the same group that was behind the infamous Reveton ransomware.