Tracking Moving Targets: Exploit Kits and CVEs

December 10, 2014 • Nick Espinoza

One year ago, the notorious programmer Paunch, who coded the Blackhole exploit kit, was arrested and charged with the distribution and sale of his wares. Blackhole was a hugely successful Russian exploit kit, rented and used by thousands in campaigns against a range of targets.

Since Paunch’s arrest, the exploit kit threat landscape has changed significantly as malicious actors have sought out new tool kits. Recorded Future undertook the task of analyzing over 600,000 unique web sources to identify the most prevalent exploit kits, what CVEs they commonly leverage, and what the most vulnerable products are.

To get started, let’s craft a simple query looking for mentions of any exploit kit over the last six months.

Timeline of Exploit Kits in the Last 6 Months

By reviewing the results, we quickly identified the most discussed exploit kits: RIG, Sweet Orange, Angler, Fiesta, Magnitude, RedKit, Nuclear, Archie, Infinity, and LightsOut. Other notable exploit kits this year are Astrum, Niteris, FlashPack, GongDa, and DoktaChef.

These were gleaned by total count of references in our results, which stemmed from a range of sources such as niche blogs reviewing their targets, social media chatter around the newest exploits leveraged, and websites reverse engineering their code. In aggregate, these signals provide a strong indicator of their use in the wild and the most popular kits.

CVEs Exploited

With the 10 most-referenced exploit kits in the threat landscape identified, a query pairing each exploit kit with any known vulnerabilities can be crafted.

Sweet Orange Exploit Kit Query

Sweet Orange Exploit Kit Table

Across our web data set, Recorded Future looked for references that link CVEs to these exploit kits. One such reference, from Malware-Traffic-Analysis.net, looks like the following:

RIG Exploit Kit Reference Example

Over the last six months, a range of sources have identified 25 CVEs that are frequently discussed in recent reporting. While this list of CVEs is not exhaustive, it provides quick insight into commonly exploited products and attack vectors, as well as the unique CVEs found in only a few kits.

CVE             Leveraged by exploit kit(s)
--------------  ----------------------------------------------------------------
CVE-2013-2551   RIG, Sweet Orange, Angler, Fiesta, Magnitude, Nuclear, Infinity
CVE-2014-0515   RIG, Sweet Orange, Angler, Nuclear, ARC
CVE-2013-0074   RIG, Angler, Fiesta, Nuclear
CVE-2013-2465   Fiesta, Nuclear, Lights Out, Infinity
CVE-2014-0497   Sweet Orange, Angler, Fiesta, ARC
CVE-2014-0322   RIG, Angler, Infinity
CVE-2014-0569   RIG, Sweet Orange, Angler
CVE-2012-0507   RIG, Fiesta
CVE-2013-2471   Magnitude, Nuclear
CVE-2013-3896   Angler, Fiesta
CVE-2013-7331   RIG, Nuclear
CVE-2014-0556   Fiesta, Nuclear
CVE-2014-1776   Angler, Infinity
CVE-2010-0188   Nuclear
CVE-2012-1723   Nuclear
CVE-2013-0634   RIG
CVE-2013-1347   Infinity
CVE-2013-2423   Infinity
CVE-2013-2460   Sweet Orange
CVE-2013-2883   Nuclear
CVE-2014-0502   Infinity
CVE-2014-6332   Sweet Orange
CVE-2014-8440   Angler
CVE-2013-0025   RIG

Reviewing these results, the products targeted by these CVEs are unsurprising:

  • Adobe Flash: CVE-2013-2551, CVE-2014-0515, CVE-2014-0497, etc.
  • Oracle Java: CVE-2013-2465, CVE-2012-0507, CVE-2013-2471
  • Microsoft Silverlight: CVE-2013-0074, CVE-2013-3896, etc.

Many other common programs like Adobe Reader and Microsoft Internet Explorer are affected. However, some exploit kits utilize new and unique attack vectors such as Sweet Orange’s Visual Basic Script exploit (CVE-2014-6332).

These exploit kits overwhelmingly rely on well-known and often years-old exploits against very common software deployed on most Windows-based computers today. This serves as a reminder of the need for diligent updating and patching: these exploit kits succeed only when older versions of software are still deployed on a host machine.

Alerting on New Exploits

Within Recorded Future’s intelligence team, we track the newest CVEs leveraged by these exploit kits by deploying a unique query and alert.

We craft a list of all known CVEs exploited by an exploit kit and use that list as an exclusion in our query. This allows us to query for mentions of any previously unknown CVE and receive an email alert when one occurs.

When an alert triggers, an information security professional can review the alert and then better prioritize the updating and patching of software and services deployed across an enterprise.
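To make the exclusion-list workflow concrete, here is an added Python example; it is not Recorded Future's code and does not use the Recorded Future query language. It loads the CVE table above as per-kit exclusion lists, ranks CVEs by how many kits share them as a simple patch-prioritisation signal, and scans a handful of constructed source lines for any CVE that appears alongside a kit it was not previously known to use. The sample source lines and the function names (`parse_known_table`, `patch_priority`, `find_new_cves`) are my own assumptions, not anything from the post.

```python
import re
from collections import defaultdict

# CVE-to-kit mapping copied from the table in the post above ("CVE <kits>" per line).
KNOWN_TABLE = """\
CVE-2013-2551 RIG, Sweet Orange, Angler, Fiesta, Magnitude, Nuclear, Infinity
CVE-2014-0515 RIG, Sweet Orange, Angler, Nuclear, ARC
CVE-2013-0074 RIG, Angler, Fiesta, Nuclear
CVE-2013-2465 Fiesta, Nuclear, Lights Out, Infinity
CVE-2014-0497 Sweet Orange, Angler, Fiesta, ARC
CVE-2014-0322 RIG, Angler, Infinity
CVE-2014-0569 RIG, Sweet Orange, Angler
CVE-2012-0507 RIG, Fiesta
CVE-2013-2471 Magnitude, Nuclear
CVE-2013-3896 Angler, Fiesta
CVE-2013-7331 RIG, Nuclear
CVE-2014-0556 Fiesta, Nuclear
CVE-2014-1776 Angler, Infinity
CVE-2010-0188 Nuclear
CVE-2012-1723 Nuclear
CVE-2013-0634 RIG
CVE-2013-1347 Infinity
CVE-2013-2423 Infinity
CVE-2013-2460 Sweet Orange
CVE-2013-2883 Nuclear
CVE-2014-0502 Infinity
CVE-2014-6332 Sweet Orange
CVE-2014-8440 Angler
CVE-2013-0025 RIG
"""

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def parse_known_table(text):
    """Build the per-kit exclusion lists: {kit: set of CVEs already known for it}."""
    known = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        cve, _, kits = line.partition(" ")
        for kit in kits.split(","):
            known[kit.strip()].add(cve)
    return dict(known)


def patch_priority(known):
    """Rank CVEs by how many kits leverage them; the most widely shared come first."""
    counts = defaultdict(int)
    for cves in known.values():
        for cve in cves:
            counts[cve] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def find_new_cves(mentions, known):
    """Return (kit, cve, source_line) for every CVE that appears in a source line
    together with a kit name but is absent from that kit's exclusion list."""
    alerts = []
    for line in mentions:
        cves = set(CVE_RE.findall(line))
        if not cves:
            continue  # nothing to compare against the exclusion list
        for kit, excluded in known.items():
            # whole-word, case-insensitive match so "RIG" does not match "origin"
            if re.search(r"\b" + re.escape(kit) + r"\b", line, re.IGNORECASE):
                for cve in sorted(cves - excluded):
                    alerts.append((kit, cve, line))
    return alerts


# Constructed sample source mentions (not real reporting). The third line pairs
# Magnitude with a CVE the table lists only for other kits, so it should alert.
MENTIONS = [
    "2014-12-08 - RIG EK landing page served CVE-2013-2551 and CVE-2014-0515 exploits",
    "2014-12-09 - Sweet Orange EK now pushing CVE-2014-6332 (VBScript) to IE visitors",
    "2014-12-09 - Magnitude EK observed delivering a CVE-2014-0515 Flash exploit",
    "2014-12-10 - Angler EK traffic captured, no CVE identified yet",
]

if __name__ == "__main__":
    known = parse_known_table(KNOWN_TABLE)
    for cve, n in patch_priority(known)[:5]:
        print(f"{cve}: leveraged by {n} kits")
    for kit, cve, src in find_new_cves(MENTIONS, known):
        print(f"ALERT: {cve} newly linked to {kit}: {src}")
```

Run as a script it prints the five most widely shared CVEs and one alert, for CVE-2014-0515 paired with Magnitude. In practice the exclusion list is regenerated whenever an alert is triaged and confirmed, so each CVE alerts once per kit; the kit-count ranking is only a first-cut priority signal and should be weighed against which of the affected products are actually deployed in the enterprise.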

Vulnerabilities Linked to Sweet Orange Query

Vulnerabilities Linked to Sweet Orange Alert