New Kit, Same Player: Top 10 Vulnerabilities Used by Exploit Kits in 2016

December 6, 2016 • RFSID

Key Takeaways

  • Adobe Flash Player provided six of the top 10 vulnerabilities used by exploit kits in 2016. Since our 2015 ranking, Flash Player’s popularity with cyber criminals remains after increased Adobe security issue mitigation efforts.
  • Vulnerabilities in Microsoft’s Internet Explorer, Windows, and Silverlight rounded out the top 10 vulnerabilities used by exploit kits. None of the vulnerabilities identified in last year’s report carried over to this year’s top 10.
  • A 2016 Internet Explorer vulnerability (CVE-2016-0189) saw the most linkage to exploit kits, notably Sundown EK which quickly adopted an exploit in July 2016.
  • Sundown, RIG, and Neutrino exploit kits filled the void created by Angler Exploit Kit’s June 2016 demise. This crimeware can be used for anywhere from $200 a week (RIG) to $1,500 a week (Neutrino).
  • Adobe Flash Player’s CVE-2015-7645 has been incorporated into seven exploit kits, the highest penetration level of our analyzed vulnerabilities likely because it was the first zero-day discovered after significant Adobe security changes.
  • Identifying frequently exploited vulnerabilities can drive action by vulnerability assessment teams.

According to updated Recorded Future analysis, Adobe (Flash Player) and Microsoft products (Internet Explorer, Silverlight, Windows) continue to provide the primary avenue of access for criminal exploit kits. While nation-state targeting of political efforts has dominated information security headlines in 2016, criminals continue to deliver ransomware and banking trojans using new exploit kits targeting new vulnerabilities.

As a follow-up to last year’s ranking of vulnerabilities targeted by exploit kits, Recorded Future conducted updated analysis of over 141 exploit kits (EKs) and known vulnerabilities.

Covering the period of November 16, 2015 to November 15, 2016, Adobe Flash Player comprised six of the top 10 vulnerabilities leveraged by exploit kits.

Vulnerabilities in Microsoft’s Internet Explorer (IE), Silverlight, and Windows rounded out the top 10. Notably, a 2016 IE vulnerability (CVE-2016-0189) saw the most linkage to exploit kits, including Sundown EK which quickly adopted an exploit for it in July 2016.

None of the vulnerabilities identified in last year’s report remained in this year’s top 10.

Reference vs. Cyber Vulnerability

Background

Exploit kits offer an expedited crimeware-as-a-service (CaaS) channel where users pay per install of their malware. Since the emergence of modern exploit kits in 2006, criminals need less and less programming experience, as they only need to provide the payload (such as CrypMIC ransomware or TrickBot banking trojan). The payload is then spread via the exploit kit through compromised sites or malicious third-party advertising (malvertising). The teams behind these exploit kits continue to add fresh exploits for software as increased effectiveness in delivering the “customer’s” payload will generate more revenue.

Exploit kit victims load the compromised web page, malvertisement, or unwittingly follow a malicious link to the exploit kit’s landing page. Per Sophos, “the landing page is the starting point for the exploit kit code.” Using a mix of HTML and JavaScript, the EK identifies the visitor’s browser and plugins, providing the kit the information necessary to deploy the exploit most likely to result in a drive-by download.

In some cases, exploit kits can be rented on a weekly or monthly basis. For example, Nucleus was available at $800 a week or $2,000 a month. The lower-quality RIG exploit kit costs significantly less: $50 a day, $200 week, or $700 a month. While still available, Neutrino was the most expensive: $1,500 a week or $4,000 a month.

Understanding what vulnerabilities are targeted by exploit kits can better inform vulnerability risk assessment functions within organizations.

Methodology

Recorded Future analyzed thousands of sources including information security blogs, deep web forum postings, and dark web onion sites. Analysis focused on exploit kit and vulnerability discussion from November 16, 2015 to November 15, 2016, roughly one year since our 2015 report.

As part of this research, Recorded Future utilized a list of 141 exploit kits, an increase over the 108 analyzed last year. Top EK exploited vulnerabilities were ranked by the number of web references linking them to an exploit kit.

Recorded Future did not reverse engineer any malware mentioned in this analysis and instead performed a meta-analysis of available information from the web. Exploits for dozens of other vulnerabilities are currently employed by EKs and this report’s intent is to highlight top targets of popular exploit kits.

Vulnerability Adoption by Exploit Kits

Based on feedback from our 2015 vulnerability ranking, Recorded Future further evaluated individual vulnerability adoption by exploit kits.

Vulnerability Adoption by Exploit Kit

Vulnerability Adoption by Exploit Kit

Adobe Flash Player’s CVE-2015-7645, number 10 in terms of references to exploit kits, stands out as the vulnerability with the most adoption by exploit kits. Exploit kits adopting the Adobe bug in the past year include Neutrino, Angler, Magnitude, RIG, Nuclear Pack, Spartan, and Hunter.

CVE-2015-7645 impacts Windows, Mac, and Linux operating systems, which makes it extremely versatile. Per Adobe, it can be used to take control of the affected system. Additionally, it was the first zero-day exploit discovered after Adobe introduced new security mitigations, and as such, it was quickly adopted as many other older exploits ceased working on machines with newer Flash versions. The vulnerability was also noted as being used by Pawn Storm (APT28, Fancy Bear), a Russian government-backed espionage group.

Intel Card for CVE-2015-7645

Vulnerability Intel Card for CVE-2015-7645.

While the vulnerability was patched by Adobe fairly quickly, it’s ease of exploitation and the breadth of operating systems affected have kept it active.

Unfortunately, slow enterprise patching and lack of knowledge by home users mean the vulnerability still manages to help kits infect machines.

Sundown Exploit Kit in Focus

The Sundown exploit kit is a rising star in the crimeware world. With the demise of several of last year’s leaders, the Sundown EK has seen significant adoption among criminal elements. Sundown maintainers have been very quick to add new exploits to the kit to differentiate it from other choices, such as the RIG exploit kit.

Last year, Recorded Future wrote on the Angler exploit kit. Usage of that kit virtually died after several arrests in Russia earlier in the year.

Researchers exposed much of the infrastructure behind Nuclear, and Neutrino operators pulled their kit off the public market, leaving a void for the RIG and Sundown exploit kits to fill. Although RIG is still the market leader, Sundown is rising in popularity.

According to our analysis, Sundown was first noticed in April 2015, and was primarily noted for copying other kits and absorbing their vulnerabilities and methods. The developers made a mark with the kit in 2015 by being one of the first to integrate an Internet Explorer bug (CVE-2015-2444), which was used to target Japanese banking customers. Another differentiator for the malware is how it focuses on dropping banking trojans, unlike some of the other kits we have seen which drop everything from ransomware to remote access tools. Sundown also leveraged domain shadowing on a significantly wider scale than competitors.

Most Referenced Exploit Kits Over the Past Year

Timeline showing the most referenced exploit kits over the past year.

Impact

Last year, the primary risk of contracting a nasty exploit kit was through Adobe product bugs, and Flash in particular. Unfortunately, the situation has not significantly improved.

The recommendation was to update Adobe Flash, and this year that recommendation still stands. For those who want to know exactly how this can be done, or who want to uninstall Flash completely, Graham Cluley has written an excellent walkthrough on doing just that.

For other users who simply want things to work, it should also be noted the Google Chrome team bundles the most recent Flash version with the browser, which should keep them a little more secure. Even better, Chrome now defaults to HTML5 for content that supports it instead of loading the content with Flash.

For additional peace of mind, users of most modern browsers can turn on “Click to Load” features which automatically block Flash elements unless the user specifically clicks on them.

Conclusion

  • Patch all vulnerabilities identified in this post.
  • Remove the affected software if it doesn’t impact key business processes.
  • Enable “click to play” for Adobe Flash Player.
  • Consider Chrome due to Google Project Zero’s attention to Flash Player vulnerabilities.
  • Utilize browser ad-blockers to prevent exploitation via malvertising.
  • Frequently backup systems, particularly of shared files which are regular ransomware targets.