Malvertising Attack Matrix

A project by Confiant

[C400] Browser Exploitation

Tactic Description: Multiple exploits that were later issued CVEs have been uncovered over the years, originally as a result of Malvertiser activity. Malvertisers typically exploit flaws in the browser's built-in security features to perform actions that should be restricted. Malvertising browser exploits are usually related to page rendering, such as bypassing the built-in pop-up blocker or bypassing iframe sandboxing, which allows Malvertisers to redirect the victim to other malicious resources under their control.

[C401] By-pass Popup Blocker

Technique Description: Pop-up blocker bypasses are browser exploits that circumvent the browser's built-in pop-up protection. Multiple such exploits that were later issued CVEs have been uncovered over the years, originally as a result of Malvertiser activity.

Procedure example: Malvertiser eGobbler exploits Chrome/WebKit 0-day bug CVE-2019-5840, infecting over 1 billion ads.

References [Chromium] CVE-2019-5840 - Threat Actor: eGobbler - Pop-up blocker bypass via race condition: https://bugs.chromium.org/p/chromium/issues/detail?id=951782#c27
[Confiant] Malvertiser eGobbler exploits Chrome WebKit bugs, infects over 1 billion ads: https://blog.confiant.com/malvertiser-egobbler-exploits-chrome-webkit-bugs-infects-over-1-billion-ads-6b8ccc41b0e6

[C402] Same Origin Policy Bypass

Technique Description: CORS is a set of HTTP-header-based security controls that let developers specify exemptions to the Same-Origin Policy enforced by web browsers. CORS bypasses allow attackers to access resources from origins that should be off limits. This category of bugs, exploits, and vulnerabilities is closely related to iframe sandboxing bypasses.

Procedure example: Exploiting CORS misconfigurations for bitcoins and bounties.

References [portswigger] Exploiting CORS misconfigurations for bitcoins and bounties: https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties
[inputzero] Samsung Internet Browser SOP bypass: https://www.inputzero.io/p/samsung-interent-browser-sop-bypass-cve.html

[C403] Iframe Sandboxing bypass

Technique Description: Iframe sandbox bypasses are exploits that circumvent the restrictions imposed by the iframe sandbox attribute's tokens, typically the "allow-top-navigation-by-user-activation" token (which should only permit top-level navigation after a genuine user gesture inside the frame).

Procedure example: Malvertiser ScamClub bypasses iframe sandboxing with postMessage() shenanigans, CVE-2021-1801.

References [mitre] CVE-2019-19788: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19788
[mozilla] CVE-2021-23957 Threat Actor: Zirconium: https://bugzilla.mozilla.org/show_bug.cgi?id=1584582
[opera] bypass a restriction in Opera 54: https://security.opera.com/bypass-a-restriction-in-ofa-54-opera-security-advisories
[chromium] CVE-2021-1801 Threat Actor: ScamClub: https://bugs.chromium.org/p/chromium/issues/detail?id=1098582
[threatpost] ScamClub campaign targeting Safari browser: https://threatpost.com/safari-browser-scamclub-campaign-revealed/164023
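An added, publisher-side example (not part of the Confiant matrix) that audits the sandbox token lists of ad iframes and flags the configurations that hand a malvertiser the top-level navigation and pop-up capabilities the C403 bypasses target. The sample frame records and the risk notes are this example's own constructs; the token names are those of the HTML iframe sandbox attribute.

```javascript
// Risk notes for sandbox tokens that matter for forced-redirect malvertising
// (wording is this example's own; token names are from the HTML spec).
const RISKY_TOKENS = {
  "allow-top-navigation":
    "frame may navigate the top-level page with no user gesture at all",
  "allow-top-navigation-by-user-activation":
    "frame may navigate the top-level page after a gesture inside it; the token C403 bypasses abuse",
  "allow-popups-to-escape-sandbox":
    "windows opened by the frame are not sandboxed",
};

// Audit one sandbox attribute value. null/undefined means the attribute is absent.
function auditSandbox(sandboxAttr) {
  if (sandboxAttr === null || sandboxAttr === undefined) {
    return { sandboxed: false, tokens: [], findings: ["no sandbox attribute: frame is unrestricted"] };
  }
  // Tokens are ASCII case-insensitive and whitespace separated.
  const tokens = new Set(sandboxAttr.trim().toLowerCase().split(/\s+/).filter(Boolean));
  const findings = [];
  for (const [token, why] of Object.entries(RISKY_TOKENS)) {
    if (tokens.has(token)) findings.push(`${token}: ${why}`);
  }
  // With both tokens, frame content that is same-origin with the page can reach
  // the parent document and remove its own sandbox attribute.
  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    findings.push("allow-scripts + allow-same-origin: same-origin content can drop the sandbox");
  }
  return { sandboxed: true, tokens: [...tokens], findings };
}

// Constructed sample ad slots, as a publisher page might render them.
const SAMPLE_FRAMES = [
  { id: "ad-1", sandbox: "allow-scripts allow-popups allow-top-navigation-by-user-activation" },
  { id: "ad-2", sandbox: "allow-scripts allow-same-origin" },
  { id: "ad-3", sandbox: "allow-scripts allow-popups" },
  { id: "ad-4", sandbox: null },
];

function auditFrames(frames) {
  return frames.map((f) => ({ id: f.id, ...auditSandbox(f.sandbox) }));
}

for (const r of auditFrames(SAMPLE_FRAMES)) {
  console.log(r.id, r.findings.length ? r.findings : "ok");
}
```

Only ad-3 passes; the others each carry a token combination that allows the frame to navigate or escape the page in a way a forced-redirect payload could use.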

[C404] Logic flaw

Technique Description: Logic flaws are bugs that are exploitable because of failures in application or business logic. The bugs being exploited may still be highly technical in nature, but they are typically introduced at a high level of the design rather than as low-level code vulnerabilities such as integer overflows or buffer overflows.

Procedure example: eGobbler leveraged browser bugs in order to engineer bypasses for built-in browser mitigations against pop-ups and forced redirections.

References [Confiant] CVE-2019-8771 Threat Actor: eGobbler: https://blog.confiant.com/malvertiser-egobbler-exploits-chrome-webkit-bugs-infects-over-1-billion-ads-6b8ccc41b0e6