
Malvertising, Input Validation, and New IoT Botnet Variants

By Anthony Giandomenico | July 27, 2018

What do malvertising, input validation, and new IoT botnet variants have in common? Well, they’re all part of our Weekly Threat Intelligence Brief this week.

Ever since the source code of the Mirai botnet was leaked a few years ago, IoT threats have continued to advance—and this week was no exception. In fact, three of our top five exploits targeted IoT devices. And if you’re wondering whether we have cryptomining threats listed this week as well, there is no need to worry: a new malware campaign called Luoxk was discovered dropping a bunch of threats, including cryptojacking.

I promise! I did not click on anything?

Many computer users today still think they have to click on a file or a link to be infected with malware, but that’s simply not the case—especially with a delivery technique called malvertising. The bad guys can build the world’s greatest malware, but if they can’t figure out how to deliver it to your device, it’s useless. Fortunately for the bad guys, there are many ways for them to deliver their malicious payload—from phishing emails, to infecting legitimate websites with malicious scripts, to a more efficient technique called malvertising.

Malvertising takes advantage of the fact that most websites today pull advertisements from multiple Ad servers. If the bad guys can infect the Ad server, their malware will be delivered to thousands of websites that are serving up that specific Ad. This means that anyone connecting to a site which includes that Ad—even without clicking on anything—will get infected. Usually, a malicious script will redirect the user to the attacker’s server where other malware or exploits are then downloaded. A great example of this is the banking trojan called Kronos. It’s been around for a few years, but it once again made our list of emerging threats for the week.

Make sure that input is clean!

The increased focus on cybersecurity these days is primarily due to applications being written without security in mind, which creates vulnerabilities. For too many developers, security “is still an afterthought.” And of course, the digital transformation we are experiencing is just making things worse.

I remember talking about good secure coding practices almost 20 years ago, and fast forward to today and it’s still a relevant message. The good news is that application security has improved and there are many sites that provide you with information on best practices for writing secure code, one of which is the not-for-profit charitable organization, the Open Web Application Security Project (OWASP). They have a project called the OWASP Top 10, which is a list of the most critical web application security risks. One common security risk is the improper sanitization of input data. This weakness occurs when the developer fails to properly validate user input, which in turn can lead to many vulnerabilities, including buffer overflows, injections, and file system attacks.

IoT devices such as routers can also be susceptible to this if they have what is called an input validation weakness, which we saw being actively exploited in the wild this past week. I strongly recommend keeping an eye out for these types of weaknesses in IoT devices, as I am sure you will see more as IoT manufacturers continue to sidestep good secure coding practices.
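As an added example (not code from the original post or from any device vendor), the allowlist-style checks below show how a router’s web UI could validate two user-supplied parameters before using them, closing off the three weakness classes named above: the length bound prevents the buffer overflow, the character allowlist removes shell metacharacters that drive injection, and the file-name check blocks path traversal. The parameter names, length limits, and the hostname/file-name scenario are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed limits for two form fields a router admin page might accept. */
#define HOSTNAME_MAX 63   /* hostname length bound, assumed limit */
#define FNAME_MAX    32   /* backup file name bound, assumed limit */

/* Bounded length: reads at most max + 1 bytes, so a missing NUL cannot
 * cause the over-read that strlen() would. Returns max + 1 if too long. */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n <= max && s[n] != '\0') n++;
    return n;
}

/* Hostname: 1..HOSTNAME_MAX chars drawn from [A-Za-z0-9.-] only. Spaces,
 * ';', '|', '`', '$' and quotes are all rejected, so the value is safe to
 * hand to a ping/traceroute helper later without shell injection risk. */
int validate_hostname(const char *in) {
    size_t n = bounded_len(in, HOSTNAME_MAX);
    if (n == 0 || n > HOSTNAME_MAX) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    return in[0] != '-' && in[0] != '.';   /* no leading separator */
}

/* Backup/config file name: a plain name with no directory components.
 * Rejecting '/' and '\\' (not in the allowlist) plus any ".." sequence
 * blocks traversal such as ../../etc/passwd. */
int validate_filename(const char *in) {
    size_t n = bounded_len(in, FNAME_MAX);
    if (n == 0 || n > FNAME_MAX) return 0;
    if (strstr(in, "..") != NULL) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != '_') return 0;
    }
    return in[0] != '.';   /* no hidden files, no "." or ".." */
}

/* Store a hostname in a fixed buffer. The hardened form of the classic
 *   strcpy(cfg->hostname, param);   <- unbounded, overflows on long input
 * is: validate first, then copy only a length already known to fit. */
int set_hostname(char dst[HOSTNAME_MAX + 1], const char *in) {
    if (!validate_hostname(in)) return 0;
    size_t n = bounded_len(in, HOSTNAME_MAX);
    memcpy(dst, in, n);
    dst[n] = '\0';
    return 1;
}
```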


Want to hear more?

Sign up for our weekly FortiGuard Threat Brief or for our FortiGuard Threat Intelligence Service.

Check out our latest Quarterly Threat Landscape Report for more details about recent threats.