Summary
eSentire recently investigated an incident involving RIG Exploit Kit which was linked to a Reddit discussion post on Wimbledon. The victim was browsing /r/tennis and attempted to load several streaming links from the popular subreddit. Unfortunately, instead of streaming a tennis match, they were served up an exploit kit.
RIG Exploit Kit
The RIG Exploit Kit (EK) was a major player in 2017, seeing both widespread use and success. Arrests and coordinated takedowns almost completed halted the popularity of RIG EK. Operation Shadowfall was the name given to a coordinated effort by RSA, GoDaddy and several independent researchers that resulted in the dismantling of large portions of infrastructure associated with RIG EK in 2017 [1]. The RIG exploit kit has recently seen some resurgence and is relying on Flash and Internet Explorer vulnerabilities to deliver a variety of payloads [2].
The Reddit Connection
eSentire’s Security Operations Center was initially alerted to the exploit attempts from a RIG EK on 94[.]250[.]254[.]73. Once the event was triaged and contained, an investigation into the origin of the EK began. Root cause analysis revealed a series of web transactions – or referers – from the original site the user purposely visited to the page hosting the exploit kit. Analysis revealed that cricfree[.]cc was to blame, as it kicked off a series of redirects to the EK.
Reviewing packet capture data shows the user was on the Reddit Wimbledon discussion page when they clicked a link to cricfree[.]cc/tennis-live-streaming, which served a 302 redirect to mybetterdl[.]com.
[image src="/assets/Wimbledon1.png" id="2323" width="375" height="116" class="center ss-htmleditorfield-file image" title="Wimbledon1"]
This results in a few more 302 redirects:
[image src="/assets/Wimbledon2.png" id="2324" width="375" height="109" class="center ss-htmleditorfield-file image" title="Wimbledon2"]
Then another one, this time to makemoneyeasywith[.]me:
[image src="/assets/Wimbledon3.png" id="2325" width="375" height="119" class="center ss-htmleditorfield-file image" title="Wimbledon3"]
Finally we see RIG getting served:
[image src="/assets/Fimbledon4.png" id="2326" width="375" height="130" class="center ss-htmleditorfield-file image" title="Fimbledon4"]
Some quick Googling shows cricfree[.]cc appears in both threads but also the /r/tennis sidebar:
[image src="/assets/Wimbledon5.png" id="2329" width="375" height="356" class="center ss-htmleditorfield-file image" title="Wimbledon5"]
Exploring Reddit, we see the link is still live:
[image src="/assets/Wimbledon6-v2.png" id="2330" width="400" height="284" class="center ss-htmleditorfield-file image" title="Wimbledon6 v2"]
Finally viewing the Wimbledon discussion thread, it’s easy to see how the victim accessed the supposed streaming link:
[image src="/assets/Wimbledon7.png" id="2331" width="400" height="400" class="center ss-htmleditorfield-file image" title="Wimbledon7"]
Implications for the Workplace, The Open Championship, and Other Sporting Events
Reddit has long been a source for sports fans to obtain access to pirated sports streams. While the r/tennis subreddit still has a link to the cricfree[.]cc in its sidebar, subreddits that focus on providing illegal streams such as r/soccerstreams and /nbastreams have recently been banned from the site.
These Reddit bans however, have not made illegal streaming disappear. As an example, this week, The Open Championship (aka The Bristish Open) begins, and for people who want to watch one of golf’s four major tournaments, a quick Google search for “Golf Streams” reveals more than 39 million search results. Some of these results steer users to legitimate sites that are licensed to provide streams of PGA events (typically for a fee), but the vast majority of these results direct fans towards sites that host “free” illegal streams.
For these pirate streaming sites to be sustainable; they must be profitable. As a user, if you aren’t paying for a stream, it likely means that money being made off of you in some way, shape or form.
In most cases, that revenue would come from website forcing users to view web ads before (or while viewing a stream), but as demonstrated above, these websites could also be directing you to malware in hopes of monetizing your illegal streaming by exploiting your computer or your personal data.
For organizations with more lenient web access policies, the illegal streaming of sporting events that occur during core operational hours such as tennis or golf tournaments, March Madness, and the Olympics represent a significant potential risk. As demonstrated, these pirate streaming sites can and do host malware, and even though employees know these sites are likely to be illegitimate in nature, the desire to not miss “the big game” may cause them to access these sites anyway, exposing not only their workstations but their entire organizations to threats.
Recommendations to Protect Your Business
If you are wanting to protect your organization from the threat posed by illegal online streaming, eSentire Threat Intelligence makes the following recommendations.
- Make sporting events available to watch in common rooms, so employees do not need to stream at their desk
- Apply stricter web access guidelines to ensure sites hosting pirated streams are not accessible
- Keep software up-to-date, particularly web browsers and plugins
- While not 100% effective, consider using an adblocker to reduce exposure
