Tracking Moving Targets: Exploit Kits and CVEs
One year ago a notorious programmer Paunch, who coded the Blackhole exploit kit, was arrested and charged for the distribution and sale of his wares. Blackhole was an epic Russian exploit kit, rented and used by thousands for their successful campaigns against a range of targets.
Since Paunch’s arrest, the exploit kit threat landscape has changed significantly as malicious actors have sought out new tool kits. Recorded Future undertook the task of analyzing over 600,000 unique web sources to identify the most prevalent exploit kits, what CVEs they commonly leverage, and what the most vulnerable products are.
To get started, let’s craft a simple query looking for mentions of any exploit kit over the last six months.
Click image for larger view
By reviewing the results, we quickly identified the most discussed exploit kits: RIG, Sweet Orange, Angler, Fiesta, Magnitude, RedKit, Nuclear, Archie, Infinity, and LightsOut. Other notable exploit kits this year are Astrum, Niteris, Flashack, GongDa, and DoktaChef.
These were gleaned by total count of references in our results, which stemmed from a range of sources such as niche blogs reviewing their targets, social media chatter around the newest exploits leveraged, and websites reverse engineering their code. In aggregate, these signals provide a strong indicator of their use in the wild and the most popular kits.
CVEs Exploited
Armed with the knowledge of the top referenced 10 exploit kits in the threat landscape, a query for the exploit kit and any known vulnerabilities can be crafted.
Click image for larger view
Click image for larger view
Through our web data set, Recorded Future sought out references to CVEs and these exploit kits. A reference, for example looks like the following from Malware-Traffic-Analysis.net:
Over the last six months, a range of sources have identified 25 CVEs frequently discussed in recent reporting. While this list of CVE’s is not exhaustive, it provides quick insight into commonly exploited products and attack vectors, as well as unique CVEs only found in a few kits.
| CVE Leveraged | Exploit Kit |
|---|---|
| CVE-2013-2551 | RIG, Sweet Orange, Angler, Fiesta, Magnitude, Nuclear, Infinity |
| CVE-2014-0515 | RIG, Sweet Orange, Angler, Nuclear, ARC |
| CVE-2013-0074 | RIG, Angler, Fiesta, Nuclear |
| CVE-2013-2465 | Fiesta, Nuclear, Lights Out, Infinity |
| CVE-2014-0497 | Sweet Orange, Angler, Fiesta, ARC |
| CVE-2014-0322 | RIG, Angler, Infinity |
| CVE-2014-0569 | RIG, Sweet Orange, Angler |
| CVE-2012-0507 | RIG, Fiesta |
| CVE-2013-2471 | Magnitude, Nuclear |
| CVE-2013-3896 | Angler, Fiesta |
| CVE-2013-7331 | RIG, Nuclear |
| CVE-2014-0556 | Fiesta, Nuclear |
| CVE-2014-1776 | Angler, Infinity |
| CVE-2010-0188 | Nuclear |
| CVE-2012-1723 | Nuclear |
| CVE-2013-0634 | RIG |
| CVE-2013-1347 | Infinity |
| CVE-2013-2423 | Infinity |
| CVE-2013-2460 | Sweet Orange |
| CVE-2013-2883 | Nuclear |
| CVE-2014-0502 | Infinity |
| CVE-2014-6332 | Sweet Orange |
| CVE-2014-8440 | Angler |
| CVE-2013-0025 | RIG |
Reviewing these results, the products targeted by these CVEs are unsurprising:
Adobe Flash: CVE-2013-2551, CVE-2014-0515, CVE-2014-0497, etc.
Oracle Java: CVE-2013-2465, CVE-2012-0507, CVE-2013-2471
Microsoft Silverlight: CVE-2013-0074, CVE-2013-3896, etc.
Many other common programs like Adobe Reader and Microsoft Internet Explorer are affected. However, some exploit kits utilize new and unique attack vectors such as Sweet Orange’s Visual Basic Script exploit (CVE-2014-6332).
These exploit kits overwhelmingly rely on well known and often years old exploits against very common software deployed on most Windows-based computers today. This serves as a reminder for the need for diligent updating and patching, as these exploit kits are only successful when older versions of software are still deployed on a host machine.
Alerting on New Exploits
Within Recorded Future’s intelligence team, we track the newest CVEs leveraged by these exploit kits by deploying a unique query and alert.
We craft a list of all known CVEs exploited by an exploit kit and use that list as an exclusion to our query. This allows us to query for mentions of any previously unknown CVE, and receive an email alert when that occurs.
When an alert triggers, an information security professional can review the alert and then better prioritize the updating and patching of software and services deployed across an enterprise.
Click image for larger view
Click image for larger view
Related