Blog
The drive-by compromise attack was in the top-eight cyberattack tactic list recently compiled by security experts (as reported by CIO News.) Amid a spike in drive-by compromise attacks, MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework curated a repository of attack behaviours and defence mechanisms for organizations to follow.
This article will explore drive-by compromise attack, how it works, and various preventive measures enterprises should take against them.
What is a Drive-By Compromise Attack?
Drive-by compromise is a cyber attack technique wherein users unwittingly download malicious programs to their computers or mobile devices. To successfully carry out this attack, cybercriminals exploit vulnerabilities in a website or web application to install malware that gets downloaded when users click certain links.
The drive-by compromise attack also happens if the victim visits a compromised website where every link downloads malware. Cybercriminals mainly exploit unidentified vulnerabilities, known as zero-day vulnerabilities, to plot drive-by compromise attacks.
In an interview with Business Standard, Vishak Raman—VP of SAARC and Southeast Asia Fortinet—reported, "In the second half of 2022 and going into 2023, drive-by compromise topped the list as the most common malware delivery approach. This method involves attackers accessing victims' systems while browsing online."
Another method to carry out the attack is by persuading users to enable browser script (JavaScript) or install third-party plugins as soon as they enter the compromised website. It is often difficult for security professionals to detect these attacks or to identify which link is infected. However, a safeguard is available in the form of the MITRE ATT&CK framework, which has curated a repository of various cyberattack behaviours and defensive measures. It offers security professionals a cyberattack knowledge repository to achieve their tactical goals.
How Do Drive-By Downloads Work?
The drive-by download attack targets a specific group of victims. Mostly, they are government websites, app users, or business app users. The attackers' motive is to compromise a system to make them a part of the botnet or cause reputational damage to the organization. Let us now understand how it works.
The cybercriminal will exploit a vulnerable website or websites having zero-day vulnerability.
They will host malicious content or attach malware programs to some commonly visited links of that website.
The attackers will design the drive-by compromise attack to persuade all visitors or users to enable the browser script or install third-party extensions.
The malware gets automatically downloaded to compromise the victim's system. The other way is where the malicious script attached to the website scans the visitor's browser for vulnerabilities.
Based on the logic of the malware program or script, it will exploit the user's browser or system.
Once the script successfully runs on the victim's system, it will enable Remote Code Execution (RCE) on the target machine. RCE allows cybercriminals to execute arbitrary code or commands on a remote system.
How Can You Detect Drive-By Compromise Attacks?
Although detecting drive-by compromise attacks is difficult, enterprises use automated detection tools and manual techniques to identify them.
Antivirus and anti-malware: Antivirus and anti-malware solutions are effective ways to identify and block malware. Internet antivirus solutions are an effective way to detect process injection or any abnormal browser processes.
Browser redirects: Browser redirection without your consent is a tell-tale sign of a drive-by compromise attack.
Wireless Application Firewalls: These firewalls can recognize known bad domains or malicious parameters within an organization's URL. These solutions block malicious links automatically.
Browser settings: If the browser setting changes without your involvement or approval, you may have become a victim of the drive-by compromise attack.
Intrusion Detection Systems (IDS): Some IDSs perform SSL/TLS attack assessments and notify the security engineer or the website admin. They can also detect malicious scripts and browser script misuses.
Preventive measures against drive-by compromise
Employees keep web browsers and applications up-to-date.
Enterprises can implement application isolation, remote browser isolation, and sandboxing techniques to isolate malware in a contained environment.
Enterprises should use exploit protection other than antivirus and IDS. Tools like the Enhanced Mitigation Experience Toolkit (EMET) & Windows Defender Exploit-Guard can help notify exploitation activities.
Restricting or filtering the web content through firewalls and ad-blockers can limit malicious script execution.
Users should carefully read security pop-ups and web links before clicking.
Enterprises can also contact security specialists for expert guidance against drive-by compromise attacks.
Conclusion
This article provided a crisp idea of what drive-by compromise is and how it works. It also highlighted the detection and preventive measures against this attack. Although complete security against this attack isn't possible, enterprises can take precautions against drive-by attacks through certain best practices.
To learn about drive-by compromise attacks and the best practices, contact our team here at Packetlabs today.
Have Questions? Need a Quote?
Contact our team today to see how we can help improve your security posture. Get a no-obligation quote and a copy of our sample report to help you get started.