
Tag Barnakle Malvertising Ramps Up to Millions of Users

Researchers at Confiant published updated information regarding a threat group they have labelled Tag Barnakle. This group specializes in compromising Revive Adserver instances in order to distribute millions of malvertisements, which are ads with embedded malicious JavaScript. These ads perform actions such as exploiting vulnerabilities on an end user’s computer or attempting to get the end user to install a malicious application. Confiant’s estimate of compromised Revive servers exceeds 120, double the estimated number of infected servers from the prior year. Due to the way advertisements propagate online, this means millions of devices are currently exposed to this attack. Tag Barnakle uses tactics that selectively target vulnerable devices and attempts to install second-stage malware when possible. Propeller Ads, one of the largest Internet advertising networks, has commented that it is an intermediary and is not responsible for the advertisements propagated through its network.


Analyst Notes

In theory, it would be ideal to blacklist advertising servers at the network perimeter via a firewall deny list or a similar control. In practice, this is often not feasible because of end users’ business requirements. Another recommendation is to segment users by use case and disable JavaScript where it is not required. In practice, ensuring that browsers and underlying components such as JavaScript engines are updated regularly through an effective vulnerability management program, together with a robust post-exploitation detection solution, may be the best achievable mitigation of such attack vectors.