March 19, 2019 • Kathleen Kuczma
This analysis focuses on vulnerabilities that co-occurred with an exploit kit, phishing attack, or remote access trojan between January 1, 2018 and December 31, 2018. We analyzed thousands of sources, including code repositories, deep web forum postings, and dark web sites. This is a follow-up to our 2017 report, and the intended audience is information security practitioners, especially those supporting vulnerability risk assessments.
Many vulnerability management practitioners face the daunting task of prioritizing vulnerabilities without adequate insight into which ones are actively exploited by cybercriminals. Here, we attempt to shed light on this by determining the top 10 vulnerabilities from 2018. It is imperative that security professionals have insight into the vulnerabilities that affect a company’s technology stack and are included in exploit kits, used to distribute a remote access trojan (RAT), or currently used in phishing attacks.
In 2018, we observed more exploits targeting Microsoft products than Adobe ones. Eight out of 10 vulnerabilities exploited via phishing attacks, exploit kits, or RATs targeted Microsoft products, and only one Adobe Flash vulnerability made the top 10, likely due to a combination of better patching and Flash Player’s impending demise in 2020.
As in past years, the development of new exploit kits continued to decline amid the shift to more targeted attacks and the reduced availability of zero-day vulnerabilities. Exploit kits in previous years took advantage of Adobe product vulnerabilities, which have continued to dwindle.
Recorded Future continued to expand the breadth of its annual list of top 10 vulnerabilities by adding RATs, in addition to co-occurrence with exploits or phishing attacks, which were added in 2017. As in other years, the goal of this list is to highlight the vulnerabilities most exploited by the criminal underground. While the leak of nation state-related exploits made headlines in 2018, Recorded Future did not see evidence that these exploits were widely used by the criminal underground, so they are not a focus of this analysis.
The list continued to analyze co-occurrences of vulnerabilities with exploit kits, as in the past three years’ reports. Since the emergence of exploit kits in 2006, cybercriminals have needed less coding experience to take advantage of this straightforward crimeware-as-a-service channel.
The inclusion of RATs provides an additional malware category to determine which vulnerabilities were the most frequent in 2018. RATs have been a mainstay for cybercriminals, as they can provide the attacker with complete control over a victim’s computer.
Recorded Future utilized a list of 167 exploit kits as one of the parameters to determine the top referenced and exploited vulnerabilities of 2018. Only five new exploit kits were created in 2018, compared to 10 in 2017.
This year’s report also included RATs when determining the top exploited vulnerabilities. Recorded Future used its repository of 492 RATs. RATs were added in part because their use has increased, owing to their role as multipurpose malware.
A few vulnerabilities were not included in the top 10 because they were adopted by nation-state actors rather than the criminal underground: ETERNALBLUE and Spectre/Meltdown. The ETERNALBLUE exploit (which used MS17-010), while often mentioned, was not used by the criminal underground or offered for sale as part of other exploit kits. Spectre, while noted in a few phishing attacks, was also not heavily used by cybercriminals. One possible reason is that these exploits are more sophisticated and difficult to use than typical exploit kits, which were once prolific due to their ease of use. However, as shown by Recorded Future’s previous research on top vulnerabilities, the emergence of new exploit kits continues to decrease.
As this annual list is based on metadata analysis of available information from open, deep, and dark web sources, Recorded Future did not reverse-engineer any malware mentioned in this piece. Instead, the aim of this report is to showcase the most exploited vulnerabilities.
The top exploited vulnerability on the list, CVE-2018-8174, a Microsoft Internet Explorer vulnerability nicknamed “Double Kill,” was included in four exploit kits (RIG, Fallout, KaiXin, and Magnitude). Exploit kits associated with this vulnerability were noted to spread the malware Trickbot through phishing attacks. The Magnitude exploit kit delivered Magniber ransomware, which primarily targeted users in Asia where computer default languages were in Korean, Chinese, or Malay.
CVE-2018-4878 was the second most commonly observed vulnerability and is the only Adobe Flash Player vulnerability on this year’s top 10. Like CVE-2018-8174, this vulnerability was included in multiple exploit kits, most notably the Fallout exploit kit, which was used to distribute GandCrab ransomware. Fallout took its name and URI patterns from the now defunct Nuclear exploit kit, which had been associated with CVE-2015-7645, one of 2016’s top 10 vulnerabilities. In 2018, Fallout was last selling for $300 a week and $1,100 a month, as seen below.
For the first time, a vulnerability has made the top 10 list three years in a row: CVE-2016-0189. Why has this vulnerability persisted? For starters, CVE-2016-0189 is not dependent on one version of Internet Explorer (it affects IE 9 through 11), which makes it a more reliable vulnerability to exploit. Because of this versatility, the vulnerability has been successfully incorporated into a variety of exploit kits over the years, as many as five in 2018 (Underminer, Magnitude, Grandsoft, KaiXin, and RIG). Additionally, there are no mitigating factors available to prevent CVE-2016-0189; the only workarounds are restricting access to two common dynamic-link library files, VBScript.dll and JScript.dll.
Two vulnerabilities were associated with numerous pieces of malware: CVE-2017-11882 and CVE-2017-0199. These vulnerabilities were associated with 10 and eight pieces of malware, respectively. Both were used in Trillium’s Security Multisploit Tool, which included four of the top 10 vulnerabilities. This tool was heavily discussed and advertised on Hack Forums and Nulled Forum, and received positive reviews. CVE-2017-0199 was notably used by Gorgon Group, a threat group operating out of Pakistan that targeted government organizations in the U.K. and United States, among others, through targeted spearphishing attacks.
[Chart: Cyber Vulnerability vs. Malware Count]
| Cyber Vulnerability | Company | Product | Associated Malware | CVSS | Recorded Future Risk Score |
|---|---|---|---|---|---|
| CVE-2018-8174 | Microsoft | Internet Explorer | Fallout Exploit Kit, KaiXin Exploit Kit, LCG Kit Exploit Kit, Magnitude Exploit Kit, RIG Exploit Kit, Trickbot, Underminer Exploit Kit | 7.6 | 89 |
| CVE-2018-4878 | Adobe | Flash Player | Fallout Exploit Kit, GreenFlash Exploit Kit, Hermes Ransomware, Sundown Exploit Kit, Threadkit Exploit Kit | 7.5 | 89 |
| CVE-2017-11882 | Microsoft | Office | AgentTesla, Andromeda, BONDUPDATER, HAWKEYE, LCG Kit, Loki, POWRUNNER, QuasarRAT, REMCOS RAT, ThreadKit Exploit Kit | 9.3 | 99 |
| CVE-2017-8750 | Microsoft | Office | Formbook, Loki, QuasarRAT | 7.6 | 89 |
| CVE-2017-0199 | Microsoft | Office | DMShell++, njRAT, Pony, QuasarRAT, REMCOS RAT, SHUTTERSPEED, Silent Doc Exploit Kit, Threadkit Exploit Kit | 9.3 | 99 |
| CVE-2016-0189 | Microsoft | Internet Explorer | Grandsoft Exploit Kit, KaiXin Exploit Kit, Magnitude Exploit Kit, RIG Exploit Kit, Underminer Exploit Kit | 7.6 | 89 |
| CVE-2017-8570 | Microsoft | Office | Formbook, QuasarRAT, Sisfader RAT, Threadkit Exploit Kit, Trickbot | 9.3 | 99 |
| CVE-2018-8373 | Microsoft | Internet Explorer | Quasar RAT | 7.6 | 89 |
| CVE-2012-0158 | Microsoft | Office | Silent Doc Exploit, PlugX | 9.3 | 89 |
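The metric this report argues for is the overlap between what a scanner finds in your own estate and what the table above says is actively exploited. The following is an added example, not Recorded Future code: it transcribes the table rows as a reference set, normalizes loosely written CVE IDs (scanner exports, and even the prose of this report, sometimes write "CVE 2018-8174"), and ranks a constructed scanner export so that vulnerabilities on the exploited list come first, ordered by the number of associated malware families, then by the report's risk score, then by the scanner's CVSS. The host names and the placeholder CVE-2999-0001 in the sample findings are constructed for the example.

```python
import re
from collections import defaultdict

# Rows transcribed from the report's table: CVE | CVSS | risk score | associated malware.
# Used only as an "exploited in the wild" reference set for ranking.
EXPLOITED_2018 = """
CVE-2018-8174|7.6|89|Fallout Exploit Kit, KaiXin Exploit Kit, LCG Kit Exploit Kit, Magnitude Exploit Kit, RIG Exploit Kit, Trickbot, Underminer Exploit Kit
CVE-2018-4878|7.5|89|Fallout Exploit Kit, GreenFlash Exploit Kit, Hermes Ransomware, Sundown Exploit Kit, Threadkit Exploit Kit
CVE-2017-11882|9.3|99|AgentTesla, Andromeda, BONDUPDATER, HAWKEYE, LCG Kit, Loki, POWRUNNER, QuasarRAT, REMCOS RAT, ThreadKit Exploit Kit
CVE-2017-8750|7.6|89|Formbook, Loki, QuasarRAT
CVE-2017-0199|9.3|99|DMShell++, njRAT, Pony, QuasarRAT, REMCOS RAT, SHUTTERSPEED, Silent Doc Exploit Kit, Threadkit Exploit Kit
CVE-2016-0189|7.6|89|Grandsoft Exploit Kit, KaiXin Exploit Kit, Magnitude Exploit Kit, RIG Exploit Kit, Underminer Exploit Kit
CVE-2017-8570|9.3|99|Formbook, QuasarRAT, Sisfader RAT, Threadkit Exploit Kit, Trickbot
CVE-2018-8373|7.6|89|Quasar RAT
CVE-2012-0158|9.3|89|Silent Doc Exploit, PlugX
"""

# Accepts "CVE-2018-8174", "cve 2018-8174", "CVE_2018_8174" and similar sloppy spellings.
CVE_RE = re.compile(r"CVE[\s_-]*(\d{4})[\s_-]*(\d{4,})", re.IGNORECASE)


def normalize_cve(text):
    """Return the canonical CVE-YYYY-NNNN form of the first CVE ID in text, or None."""
    m = CVE_RE.search(text)
    return f"CVE-{m.group(1)}-{m.group(2)}" if m else None


def load_exploited(table=EXPLOITED_2018):
    """Parse the transcribed table into {cve: {cvss, risk_score, malware}}."""
    ref = {}
    for line in table.strip().splitlines():
        cve, cvss, risk, malware = [field.strip() for field in line.split("|")]
        ref[normalize_cve(cve)] = {
            "cvss": float(cvss),
            "risk_score": int(risk),
            "malware": [m.strip() for m in malware.split(",")],
        }
    return ref


def prioritize(findings, ref=None):
    """Rank scanner findings (host, cve_text, scanner_cvss) by overlap with the exploited set.

    Exploited CVEs sort first, by malware count, then report risk score, then scanner CVSS;
    everything else follows by scanner CVSS. Non-CVE findings are skipped.
    """
    ref = ref if ref is not None else load_exploited()
    hosts = defaultdict(set)
    cvss_seen = {}
    for host, cve_text, cvss in findings:
        cve = normalize_cve(cve_text)
        if cve is None:
            continue  # informational finding without a CVE, e.g. an expired certificate
        hosts[cve].add(host)
        cvss_seen[cve] = max(cvss_seen.get(cve, 0.0), float(cvss))
    rows = []
    for cve, affected in hosts.items():
        entry = ref.get(cve)
        rows.append({
            "cve": cve,
            "hosts": sorted(affected),
            "exploited_in_wild": entry is not None,
            "malware_count": len(entry["malware"]) if entry else 0,
            "risk_score": entry["risk_score"] if entry else None,
            "cvss": cvss_seen[cve],
        })
    rows.sort(key=lambda r: (not r["exploited_in_wild"], -r["malware_count"],
                             -(r["risk_score"] or 0), -r["cvss"], r["cve"]))
    return rows


# Constructed scanner export: (host, finding text, scanner CVSS). Not real data.
SCAN_FINDINGS = [
    ("ws-01", "CVE-2017-11882", 7.8),
    ("ws-01", "cve 2018-8174", 7.5),          # sloppy ID spelling, normalized above
    ("ws-02", "CVE-2018-8174", 7.5),
    ("fs-01", "CVE-2999-0001", 9.8),          # placeholder: high CVSS but not on the exploited list
    ("ws-02", "CVE-2017-8570", 7.8),
    ("ws-03", "SSL certificate expired", 0.0),  # no CVE, skipped
]

if __name__ == "__main__":
    for row in prioritize(SCAN_FINDINGS):
        flag = "EXPLOITED" if row["exploited_in_wild"] else "unlisted "
        print(f"{flag} {row['cve']:<15} malware={row['malware_count']:<2} "
              f"cvss={row['cvss']:<4} hosts={','.join(row['hosts'])}")
```

Note that the placeholder CVE with the highest CVSS lands last: CVSS alone would have put it first, which is exactly the mis-prioritization the report warns about. In practice the reference set would come from a live feed rather than a transcribed table, and the scanner's own CVE column would replace the constructed findings.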
As observed in prior reports, the development of new exploit kits continued to decrease. Only five new exploit kits emerged in 2018, compared with 10 in 2017 and 62 in 2016. Of those five, two were associated with a top 10 vulnerability: Fallout and LCG Kit. Starting in March, LCG Kit incorporated CVE-2017-11882, and later that year it also incorporated 2018’s top vulnerability, CVE-2018-8174. Although LCG Kit has been associated with a number of malicious attachments, including ones spreading RATs such as REMCOS and QuasarRAT, there were no direct references to this exploit kit for sale on the dark web in 2018 under the LCG Kit name. New exploit kits developed in 2018 include:
Among exploit kits associated with the top vulnerabilities, ThreadKit was the most discussed on dark web sources in 2018. ThreadKit incorporated four of the top 10 vulnerabilities (CVE-2018-4878, CVE-2017-11882, CVE-2017-0199, and CVE-2017-8570). ThreadKit’s notoriety increased when the Cobalt Hacking Group (or Cobalt Group) added another stage to the macro exploit by including its signature CobInt trojan. The group typically attacks financial institutions, although the group’s activity has lessened due to the arrests of some of its members.
In 2018, ThreadKit was last updated on December 28 by mrbass, a user on a dark web forum, to include CVE-2018-15982 (a more recent Adobe zero-day vulnerability), and continued to be sold for $400, as seen below.
UnderMiner, which exploited two of 2018’s top vulnerabilities — CVE-2016-0189 and CVE-2018-4878 — made a resurgence in the latter part of 2018. Like ThreadKit, UnderMiner took advantage of, and was the first to exploit, the zero-day vulnerability CVE-2018-15982 in late December 2018.
Sisfader is the only RAT that first emerged in 2018 and was associated with a top vulnerability, with its exploit of CVE-2017-8570. The RAT maintains persistence by installing itself as a service when launched from malicious RTF files. According to available sources, there was no evidence of Sisfader for sale.
[Chart: RATs vs. Cyber Vulnerability Count]
QuasarRAT was associated with the most vulnerabilities, including, most notably, those in Trillium’s Security Multisploit Tool. This RAT, which has been active since 2011, continues to show its viability in a variety of attacks, including spearphishing attacks on government organizations.
Official vulnerability databases, and even scanning tools, cannot arm organizations with one key metric: the overlap between the vulnerabilities in the systems you use and the ones that are being actively exploited by threat actors. The goal of this annual list is to provide an account of the most widely adopted vulnerability exploits, in addition to some recommended actions: