Exploit Kit
An exploit kit or exploit pack is a type of toolkit cybercriminals use to attack vulnerabilities in systems so they can distribute malware or perform other malicious activities. Exploit kits are packaged with exploits that target commonly installed software such as Adobe Flash®, Java® and Microsoft Silverlight®.
A typical exploit kit provides a management console, a set of exploits for vulnerabilities in different applications, and several add-on functions that make it easier for a cybercriminal to launch an attack.
Stages of an exploit kit infection
Step 1: Contact
Attackers often use spammed email and social engineering lures to make people click a link that leads to an exploit kit server. In another form, the user clicks on a malicious advertisement (malvertisement) displayed on a legitimate website.
Step 2: Redirect
The exploit kit's gate (its redirector) screens incoming visitors and filters out those who do not meet the operator's requirements; only the rest are forwarded to the kit itself. For example, an exploit kit operator can target a specific country by geolocating the client IP address.
Step 3: Exploit
Victims who pass the filter are directed to the exploit kit's landing page. The landing page fingerprints the browser and its plugins (typically by version) and determines which vulnerabilities should be used in the ensuing attack.
Step 4: Infect
Once an exploit succeeds, the kit downloads and executes its payload malware in the victim's environment (for example, the ransomware families listed below).
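The four steps above leave a recognisable trace in web-proxy logs: a legitimate page, an off-site redirect, a landing page on the kit's host, a plugin object (Flash, Java, Silverlight) fetched from that host, and a binary download from the same host seconds later. The Python below reconstructs that chain from log lines. It is an added example, not Trend Micro's code: the log format, every host name and every log line are constructed for the demonstration, and the stage heuristics are this example's own reading of the four steps.

```python
"""Reconstruct the four exploit-kit stages (contact, redirect, exploit, infect)
from web-proxy log lines.

Added example, not Trend Micro's code. The log format, the host names and
every log line below are constructed for this demonstration; the stage
heuristics are this example's own reading of the four steps above.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed log: timestamp client method url status content-type referer
SAMPLE_LOG = """\
2016-03-01T10:00:01 10.0.0.5 GET http://news.example/story.html 200 text/html -
2016-03-01T10:00:02 10.0.0.5 GET http://ads.example/banner.js 200 application/javascript http://news.example/story.html
2016-03-01T10:00:03 10.0.0.5 GET http://gate.example.net/in.php?id=7 302 text/html http://ads.example/banner.js
2016-03-01T10:00:04 10.0.0.5 GET http://land.example.org/forum/viewtopic.php?f=22&t=9 200 text/html http://gate.example.net/in.php?id=7
2016-03-01T10:00:06 10.0.0.5 GET http://land.example.org/f/2/x.swf 200 application/x-shockwave-flash http://land.example.org/forum/viewtopic.php?f=22&t=9
2016-03-01T10:00:08 10.0.0.5 GET http://land.example.org/f/2/p.php?k=3 200 application/octet-stream http://land.example.org/f/2/x.swf
2016-03-01T10:05:00 10.0.0.9 GET http://news.example/story.html 200 text/html -
2016-03-01T10:05:01 10.0.0.9 GET http://news.example/player.swf 200 application/x-shockwave-flash http://news.example/story.html
"""

Req = namedtuple("Req", "ts client url status ctype referer")

# Plugin content an exploit kit typically serves from its landing host (step 3)
PLUGIN_TYPES = {"application/x-shockwave-flash", "application/java-archive",
                "application/x-silverlight-app", "application/x-java-jnlp-file"}
# Binary payload fetched after a successful exploit (step 4)
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload",
                 "application/x-dosexec"}

def parse_log(text):
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, status, ctype, referer = line.split()
        reqs.append(Req(datetime.fromisoformat(ts), client, url, int(status), ctype,
                        None if referer == "-" else referer))
    return reqs

def host(url):
    return urlparse(url).hostname

def referer_walk(req, by_url, max_hops=8):
    """Follow Referer headers backwards through this client's earlier requests."""
    hops = []
    while req.referer and len(hops) < max_hops:
        req = by_url.get(req.referer)
        if req is None:
            break
        hops.append(req)
    return hops

def find_chains(reqs, window=timedelta(seconds=60)):
    chains = []
    by_client = defaultdict(list)
    for r in reqs:
        by_client[r.client].append(r)
    for client, rs in by_client.items():
        rs.sort(key=lambda r: r.ts)
        by_url = {}                        # most recent request per URL, for Referer walks
        for i, r in enumerate(rs):
            by_url[r.url] = r
            # Step 4 candidate: a successful binary download
            if r.ctype not in PAYLOAD_TYPES or r.status != 200:
                continue
            # Step 3: a plugin object fetched from the same host shortly before it
            plugin = next((p for p in reversed(rs[:i])
                           if p.ctype in PLUGIN_TYPES and host(p.url) == host(r.url)
                           and r.ts - p.ts <= window), None)
            if plugin is None:
                continue
            # The plugin object must have been embedded by an HTML page on that host (landing page)
            landing = by_url.get(plugin.referer)
            if landing is None or landing.ctype != "text/html" or host(landing.url) != host(r.url):
                continue
            # Steps 1-2: the landing page must have been reached from another host; the first
            # off-host hop is the redirect, the earliest off-host HTML page is the contact point
            hops = referer_walk(landing, by_url)
            offhost = [h for h in hops if host(h.url) != host(landing.url)]
            contacts = [h for h in offhost if h.ctype == "text/html" and 200 <= h.status < 300]
            if not offhost or not contacts:
                continue
            chains.append({"client": client, "contact": contacts[-1].url,
                           "redirect": offhost[0].url, "landing": landing.url,
                           "exploit_object": plugin.url, "payload": r.url})
    return chains

if __name__ == "__main__":
    for c in find_chains(parse_log(SAMPLE_LOG)):
        for stage in ("client", "contact", "redirect", "landing", "exploit_object", "payload"):
            print(f"{stage:15} {c[stage]}")
```

Run as-is, the script reports one chain for client 10.0.0.5 (news page, gate redirect, forum-style landing page, SWF, then a binary) and nothing for 10.0.0.9, whose SWF is served by the site it is visiting and is followed by no download. The heuristic is for triage, not blocking: a legitimate site that embeds its own Flash object and then offers a download, reached via a link from elsewhere, would also match, so chains should be confirmed against the landing-page content and the downloaded file.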
Recent attacks related to exploit kits
EXPLOIT KIT | NOTABLE ACTIVITY (2014 to 2016) |
Angler | |
BlackHole | |
Fiesta | |
FlashPack | |
HanJuan | |
Hunter | Delivered Locky ransomware |
Magnitude | Linked to malicious ads on Yahoo sites; delivered Cerber ransomware |
Neutrino | Delivered Cerber, CryptXXX ransomware |
Nuclear | |
Rig | Delivered CryptoWall, TeslaCrypt ransomware |
Sundown | Delivered card-scraping Kasidet worm |
Sweet Orange | Included in a malicious YouTube ad campaign |
Vulnerabilities mostly exploited by exploit kits
Exploit kits typically integrate exploits for vulnerabilities in popular applications that many users leave unpatched. We tallied the vulnerabilities most commonly exploited from 2010 to the first half of 2016 and found that cybercriminals most often exploit the following:
Affected software: Microsoft Internet Explorer® 6 through 10
Description: This use-after-free vulnerability allows remote attackers to execute arbitrary code via a crafted website that triggers access to a deleted object.
Related attacks: Banking Trojan attack on South Korean banks, malicious YouTube ads
Affected software: Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 on Windows® and through 11.2.202.438 on Linux
Description: This is an Adobe Flash Player buffer overflow vulnerability that allows remote attackers to execute arbitrary code via unknown vectors.
Related attacks: Malvertising attacks, BEDEP malware attacks
Affected software: Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux
Description: This is an Adobe Flash Player memory corruption vulnerability that allows an attacker to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
Related attacks: Attack on compromised US-based ad network
Affected software: Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux
Description: This is an Adobe Flash Player buffer overflow vulnerability that occurs when parsing a compiled shader in a Flash object. It allows attackers to execute arbitrary shellcode.
Related attacks: Malicious YouTube ads
Affected software: Adobe Flash Player before 13.0.0.250 and 14.x and 15.x before 15.0.0.189 on Windows and before 11.2.202.411 on Linux
Description: This is an Adobe Flash Player remote integer overflow vulnerability that allows attackers to execute arbitrary code via unspecified vectors.
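Checking a client's plugin version against these ranges is what an exploit kit's landing page does in the Exploit step above, and it is also the check a defender runs to know whether an endpoint is still exposed. The Python below is an added example, not Trend Micro's code: it transcribes the five "Affected software" ranges above (the page gives no CVE ids, so the issues are labelled by their descriptions); the function names and the sample client profile are this example's own. It also shows why a naive "version is below the newest fix" comparison is wrong: Adobe patched an extended-support line (13.0.x, and 11.7.x before it) in parallel with the current line, so each fix has more than one threshold.

```python
"""Version-range check for the exploit-kit targets listed above.

Added example, not Trend Micro's code. The ranges are transcribed from the
"Affected software" lines on this page; the issue labels, function names and
the sample client profile are this example's own assumptions (the page lists
no CVE ids, so none are used here).
"""

def vparse(s):
    """'16.0.0.287' -> (16, 0, 0, 287); tuples compare lexicographically."""
    return tuple(int(p) for p in s.split("."))

V = vparse

def in_branches(v, branches):
    """branches: (low_or_None, high, high_is_inclusive). Several branches per
    platform are needed because Adobe fixed an extended-support line
    (13.0.x, earlier 11.7.x) in parallel with the current line."""
    for low, high, inclusive in branches:
        if low is not None and v < low:
            continue
        if v < high or (inclusive and v == high):
            return True
    return False

def both(branches):
    """Same branches for Windows and OS X, where the page lists them together."""
    return {"windows": branches, "osx": branches}

# Transcribed from the five entries above, in the same order (entry 1 is IE, below)
FLASH_ISSUES = [
    ("buffer overflow via unknown vectors",
     {"windows": [(None, V("13.0.0.262"), True), (V("14"), V("16.0.0.287"), True)],
      "linux":   [(None, V("11.2.202.438"), True)]}),
    ("memory corruption",
     {**both([(None, V("13.0.0.281"), False), (V("14"), V("17.0.0.169"), False)]),
      "linux": [(None, V("11.2.202.457"), False)]}),
    ("compiled-shader buffer overflow",
     {**both([(None, V("11.7.700.279"), False), (V("11.8"), V("13.0.0.206"), False)]),
      "linux": [(None, V("11.2.202.356"), False)]}),
    ("integer overflow",
     {"windows": [(None, V("13.0.0.250"), False), (V("14"), V("15.0.0.189"), False)],
      "linux":   [(None, V("11.2.202.411"), False)]}),
]

def affected_flash(version, platform):
    """Labels of the listed Flash issues that apply to this version on this platform."""
    v = vparse(version)
    return [label for label, by_platform in FLASH_ISSUES
            if platform in by_platform and in_branches(v, by_platform[platform])]

def affected_ie(major):
    """Use-after-free listed above: Internet Explorer 6 through 10."""
    return 6 <= major <= 10

def naive_affected(version, newest_fix="17.0.0.169"):
    """The mistake to avoid: comparing only against the newest fixed build."""
    return vparse(version) < vparse(newest_fix)

def select_exploits(profile):
    """What a landing page does with a fingerprinted client (step 3 above),
    read as the defender's check: which listed issues apply to this profile."""
    hits = []
    if profile.get("browser") == "ie" and affected_ie(profile.get("browser_major", 0)):
        hits.append("IE use-after-free")
    if "flash" in profile:
        hits += ["Flash " + lbl for lbl in affected_flash(profile["flash"], profile["os"])]
    return hits

if __name__ == "__main__":
    # Constructed client profile for the demonstration
    client = {"browser": "ie", "browser_major": 9, "os": "windows", "flash": "16.0.0.287"}
    print(select_exploits(client))
    # Extended-support build 13.0.0.281 is fixed for the memory-corruption issue
    # although it is numerically far below the 17.0.0.169 fix
    print(naive_affected("13.0.0.281"), affected_flash("13.0.0.281", "windows"))
```

Two details matter in practice. "Through" on the page is inclusive and "before" is exclusive, which is why each branch carries an inclusive flag; and a platform absent from an entry (OS X for the first and last Flash issues) is reported as not listed rather than as safe, because the page does not say either way.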
History of Exploit Kits
YEAR | INCIDENT |
2006 | |
2007 | NeoSploit, Phoenix, Tornado, and Armitage exploit kits emerged |
2008 | |
Mar 2010 | Malicious ads led to the Liberty exploit kit |
Aug 2010 | The first version of the Blackhole exploit kit (BHEK) was released |
Sep 2012 | Blackhole 2.0 was released in the wild |
Jan 2013 | Cool and BHEK distributed REVETON and other ransomware variants |
Feb 2013 | Whitehole exploit kit emerged (sold at US$200 to US$1,800) |
Mar 2013 | Neutrino exploit kit emerged underground (rented at US$40/day or US$450/month) |
Apr 2013 | BHEK linked to large-scale brute-force attack on WordPress blogs |
Oct 2013 | Paunch, the creator of BHEK, was arrested by Russian law enforcement |
Oct 2013 | Bleeding Life exploit kit used in the Apollo banking Trojan campaign |
Jan 2014 | Malicious Yahoo website ads led to the Magnitude exploit kit |
Jun 2014 | Zeus P2P variant, Gameover, led to BHEK sites |
Jun 2014 | Compromised Japanese sites led to the Angler exploit kit and VAWTRAK |
Sep 2014 | Nuclear exploit kit expanded its attack surface with Silverlight® exploits |
Oct 2014 | YouTube ads led to the Sundown exploit kit |
Apr 2015 | Fiesta exploit kit spread crypto-ransomware |
Jul 2015 | Hacking Team Flash zero-day flaws were integrated into the Angler and Nuclear exploit kits |
Jul 2015 | The Angler exploit kit was used to find and infect PoS systems |
Sep 2015 | Massive malvertising campaign using the Angler exploit kit hit 3,000 high-profile Japanese sites |
Sep 2015 | Angler and Nuclear exploit kits abused Diffie-Hellman key exchange to hide their traffic |
Mar 2016 | Massive malvertising campaign in the US led to the Angler exploit kit |
Apr 2016 | BHEK creator Paunch was sentenced to seven years in a Russian prison |
Jun 2016 | Angler exploit kit ceased operations after malware-related arrests |
How to protect your organization from exploit kits
- Promptly patch all endpoints to close the known vulnerabilities that exploit kits integrate.
- Deploy a solution with vulnerability protection technology that proactively shields your systems from unpatched or unknown vulnerabilities by detecting network protocol deviations and other suspicious attack routines.
- Update browsers and plugins to the latest version, remove or disable plugins you do not need (the Flash, Java and Silverlight plugins that exploit kits target), and use browser exploit prevention technology that protects against zero-day vulnerabilities and blocks malware that tries to come in through your browser.
Related terms: Exploit, zero-day exploit, cookies, hacking, vulnerability, virtual patching, SQL injection, cross-site scripting, Internet of Things
Related papers/primers:
Monitoring Vulnerabilities: Are your Servers Exploit-Proof?
Virtual Patching in Mixed Environments: How It Works To Protect You
Related infographics:
Shellshock Vulnerability: The Basics of the “Bash Bug”
Stop threats dead in their tracks/Blackhole Exploit Kit
Dodging a Compromise: A Peek at Exposure Gaps
The Internet of Everything: Layers, Protocols and Possible Attacks
Graphics: https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-evolution-of-exploit-kits.pdf