PINDROP BLOG

Flash Bugs Dominate Exploit Kit Landscape

Vulnerabilities in Flash and Internet Explorer dominated the exploit kit landscape in the last year, with a high-profile bug in Flash being found in seven separate kits, new research shows.

Exploit kits have long been a key tool in the arsenal of many attackers, from low-level gangs to highly organized cybercrime crews. Their attraction stems from their ease of use and the ability for attackers to add exploits for new vulnerabilities as needed. While there are dozens of exploit kits available, a handful of them attract the most use and attention, including Angler, Neutrino, Nuclear, and Rig. Researchers at Recorded Future looked at more than 140 exploit kits and analyzed which exploits appeared in the most kits in the last year, and it’s no surprise that Flash and IE exploits dominated the landscape.

Six of the top 10 most frequently targeted vulnerabilities in the last year were in Flash, while the other four were in Microsoft products, including IE, Windows, and Silverlight. Flash has been a favorite target for attackers for a long time, for two main reasons: it is deployed on hundreds of millions of machines, and it has plenty of vulnerabilities. Recorded Future's analysis shows that trend is continuing, and one Flash bug disclosed in October 2015 was incorporated into seven individual exploit kits. The flaw was also used by a number of high-level attackers, including some APT groups.

“Adobe Flash Player’s CVE-2015-7645, number 10 in terms of references to exploit kits, stands out as the vulnerability with the most adoption by exploit kits. Exploit kits adopting the Adobe bug in the past year include Neutrino, Angler, Magnitude, RIG, Nuclear Pack, Spartan, and Hunter,” the analysis by Recorded Future says.

“CVE-2015-7645 impacts Windows, Mac, and Linux operating systems, which makes it extremely versatile. Per Adobe, it can be used to take control of the affected system. Additionally, it was the first zero-day exploit discovered after Adobe introduced new security mitigations, and as such, it was quickly adopted as many other older exploits ceased working on machines with newer Flash versions. The vulnerability was also noted as being used by Pawn Storm (APT28, Fancy Bear), a Russian government-backed espionage group.”

The popularity of individual exploit kits waxes and wanes over time and is affected by a number of factors, including price, detection rates, and the freshness of exploits. Angler has been one of the more popular kits for several years, but several of the people allegedly involved in the kit’s development and use were arrested in Russia this summer. The new kingpin is Sundown, which is known mainly for installing banking Trojans on compromised machines.

“According to our analysis, Sundown was first noticed in April 2015, and was primarily noted for copying other kits and absorbing their vulnerabilities and methods. The developers made a mark with the kit in 2015 by being one of the first to integrate an Internet Explorer bug (CVE-2015-2444), which was used to target Japanese banking customers. Another differentiator for the malware is how it focuses on dropping banking trojans, unlike some of the other kits we have seen which drop everything from ransomware to remote access tools. Sundown also leveraged domain shadowing on a significantly wider scale than competitors,” the analysis says.
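Domain shadowing, which the analysis credits Sundown with using on a wide scale, is the practice of logging in to a victim's registrar account with stolen credentials and creating large numbers of throwaway subdomains under a legitimately registered, reputable domain, so that exploit kit landing pages inherit the parent domain's reputation. One practical way to hunt for it is to look in proxy or DNS logs for bursts of previously unseen, machine-generated-looking hostnames under a single registered domain. The script below is an added example written for this post; it is not code from Recorded Future, Pindrop, or any exploit kit. The log lines and domains are constructed, the "last two labels" registered-domain split and the entropy and window thresholds are assumptions chosen for illustration, and a production version would use the public suffix list and tune the thresholds against real traffic.

```python
"""Heuristic domain-shadowing detector over constructed web-proxy log lines."""
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (timestamp, client IP, requested host); not real traffic.
# The second domain shows the shadowing pattern: several random-looking
# subdomains appear for the first time within a few seconds of each other.
SAMPLE_LOG = """\
2016-06-01T10:00:01Z 10.0.0.5 www.example-news.com
2016-06-01T10:00:04Z 10.0.0.5 cdn.example-news.com
2016-06-01T10:01:10Z 10.0.0.7 q8f2kz.travel-blog.example
2016-06-01T10:01:12Z 10.0.0.7 7hd1xk.travel-blog.example
2016-06-01T10:01:15Z 10.0.0.9 mz09q2.travel-blog.example
2016-06-01T10:01:20Z 10.0.0.9 w3lp8r.travel-blog.example
2016-06-01T10:02:30Z 10.0.0.5 mail.example-news.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def registered_domain(host: str) -> str:
    """Naive registrable-domain split: the last two labels. This is an
    assumption for the example; real code should consult the public suffix
    list so that names such as 'example.co.uk' are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the string (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(label: str) -> bool:
    """Flag subdomain labels that mix letters and digits with high entropy.
    Ordinary hostnames such as 'www', 'cdn' or 'mail' fail this test.
    The 2.5-bit threshold is an assumed value, not a published constant."""
    return (
        len(label) >= 6
        and any(ch.isdigit() for ch in label)
        and any(ch.isalpha() for ch in label)
        and shannon_entropy(label) >= 2.5
    )


def parse_log(text: str):
    """Parse 'timestamp client host' lines into (datetime, client, host)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3).lower()))
    return events


def find_shadowed_domains(text: str, window=timedelta(minutes=5), min_new=3):
    """Return {registered_domain: [suspicious labels]} for every registered
    domain whose first-seen, generated-looking subdomains cluster within
    `window`. Only the first sighting of each host counts, so a long-lived
    legitimate host with an odd name is not re-counted on every request."""
    first_seen = {}
    for ts, _client, host in sorted(parse_log(text)):
        first_seen.setdefault(host, ts)

    by_domain = defaultdict(list)
    for host, ts in first_seen.items():
        reg = registered_domain(host)
        if host == reg:
            continue  # bare registered domain, nothing to shadow
        label = host[: -len(reg) - 1]
        if looks_generated(label):
            by_domain[reg].append((ts, label))

    findings = {}
    for reg, items in by_domain.items():
        items.sort()
        best, start = [], 0
        # Sliding window: keep the longest run of new hosts that fits in `window`.
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            run = items[start : end + 1]
            if len(run) > len(best):
                best = run
        if len(best) >= min_new:
            findings[reg] = [label for _, label in best]
    return findings


if __name__ == "__main__":
    for dom, labels in find_shadowed_domains(SAMPLE_LOG).items():
        print(f"possible domain shadowing under {dom}: {', '.join(labels)}")
```

Running it on the constructed log flags only `travel-blog.example`, whose four random-looking subdomains all appear for the first time within ten seconds; the ordinary `www`, `cdn` and `mail` hosts under the other domain are ignored. Treat a hit as a lead to pivot on (the client IPs involved, the URLs fetched, the resolving IP of the subdomains) rather than as a verdict, since CDNs and some tracking services also generate hostnames that look random.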

Image: Midiman, CC BY license.