exploit kit
An exploit kit (or exploit pack) is a toolkit that cybercriminals use to attack vulnerabilities in systems so they can distribute malware or perform other malicious activities. Exploit kits are packaged with exploits that target commonly installed software such as Adobe Flash®, Java® and Microsoft Silverlight®.
A typical exploit kit provides a management console, a set of exploits for vulnerabilities in a range of applications, and several add-on functions that make it easier for a cybercriminal to launch an attack.
Stages of an exploit kit infection
Step 1: Contact
The attacker often uses spammed email and social-engineering lures to get people to click a link that leads to the exploit kit server. Alternatively, a user clicks a malicious advertisement (malvertisement) placed on a legitimate website.
Step 2: Redirect
The exploit kit's redirector (gate) screens incoming visitors and filters out those who do not meet the operator's requirements. For example, an exploit kit operator can target a specific country by filtering client IP addresses by geolocation.
Step 3: Exploit
Victims who pass the filter are then redirected to the exploit kit's landing page. The landing page fingerprints the browser and its plugins to determine which vulnerabilities should be used in the ensuing attack.
Step 4: Infect
After successfully exploiting a vulnerability, the attacker can now download and execute malware in the victim’s environment.
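The four stages above, reconstructed from a web-proxy log. This is an added example, not code from the original page: it finds clients that fetched plugin content followed by a binary payload from the same host, then walks Referer headers backwards to recover the contact page and the redirect hops in between. The log lines, hostnames and client addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample web-proxy log (hypothetical hosts and clients, not real traffic).
# Fields: timestamp client method url status content-type referer ("-" when absent)
PROXY_LOG = """\
2016-03-01T10:00:01Z 10.1.2.3 GET http://news.example/article.html 200 text/html -
2016-03-01T10:00:02Z 10.1.2.3 GET http://ads.example/banner.js 200 application/javascript http://news.example/article.html
2016-03-01T10:00:03Z 10.1.2.3 GET http://gate.example/in.php?id=77 302 - http://ads.example/banner.js
2016-03-01T10:00:04Z 10.1.2.3 GET http://land.example/viewtopic.php?t=8a3f 200 text/html http://gate.example/in.php?id=77
2016-03-01T10:00:05Z 10.1.2.3 GET http://land.example/flash.swf 200 application/x-shockwave-flash http://land.example/viewtopic.php?t=8a3f
2016-03-01T10:00:06Z 10.1.2.3 GET http://land.example/get.php?key=1 200 application/octet-stream http://land.example/viewtopic.php?t=8a3f
2016-03-01T10:00:07Z 10.1.2.9 GET http://news.example/article.html 200 text/html -
2016-03-01T10:00:08Z 10.1.2.9 GET http://video.example/player.swf 200 application/x-shockwave-flash http://news.example/article.html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+) (?P<referer>\S+)$"
)

# Plugin content a landing page loads to trigger the exploit (stage 3).
PLUGIN_TYPES = {
    "application/x-shockwave-flash",  # Flash
    "application/java-archive",       # Java
    "application/x-silverlight-app",  # Silverlight
}
# Content types typical of the dropped payload (stage 4).
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload"}


def parse_log(text):
    """Parse the log into one dict per request, keeping input order."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def host(url):
    return urlsplit(url).hostname or ""


def referer_path(reqs, start_url):
    """Walk Referer headers backwards from start_url: [first page, ..., start_url]."""
    referer_of = {r["url"]: r["referer"] for r in reqs}
    path, seen = [start_url], {start_url}
    while True:
        ref = referer_of.get(path[-1], "-")
        if ref == "-" or ref in seen:  # no referer logged, or a loop
            break
        path.append(ref)
        seen.add(ref)
    path.reverse()
    return path


def find_exploit_chains(records):
    """Map client -> the four stages, for clients whose traffic shows all of them."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)

    findings = {}
    for client, reqs in by_client.items():
        for i, r in enumerate(reqs):
            if r["ctype"] not in PLUGIN_TYPES:
                continue
            landing_host = host(r["url"])
            # Stage 4: a binary payload from the landing host after the plugin content
            payload = next((p for p in reqs[i + 1:]
                            if p["ctype"] in PAYLOAD_TYPES
                            and host(p["url"]) == landing_host), None)
            if payload is None:
                continue
            chain = referer_path(reqs, r["url"])
            # Stage 2: every hop between the first page and the landing host
            hops = [u for u in chain[1:] if host(u) != landing_host]
            # Stage 1: a page on another host must have led into the chain
            if not hops or host(chain[0]) == landing_host:
                continue
            findings[client] = {
                "contact": chain[0],
                "redirect": hops,
                "exploit": r["url"],
                "infect": payload["url"],
            }
            break
    return findings


if __name__ == "__main__":
    for client, stages in find_exploit_chains(parse_log(PROXY_LOG)).items():
        print(client)
        for stage, value in stages.items():
            print(f"  {stage:8s} {value}")
```

Client 10.1.2.9 loads Flash content directly from a video site and never downloads a payload, so it is not reported. The reconstruction depends on Referer headers being logged and preserved: after a 302 the browser may send the original page rather than the gate as the referer (so a hop can be missing), and a kit may serve the payload from a different host or with a misleading content type, so treat the content-type sets as a starting point to tune rather than a finished rule.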
Recent attacks related to exploit kits
Exploit kits active in 2014, 2015 and 2016, with the attacks noted for them:

Exploit kit | Notable activity (2014-2016)
Angler | (no detail given)
BlackHole | (no detail given)
Fiesta | (no detail given)
FlashPack | (no detail given)
HanJuan | (no detail given)
Hunter | Delivered Locky ransomware
Magnitude | Linked to malicious ads on Yahoo sites; delivered Cerber ransomware
Neutrino | Delivered Cerber and CryptXXX ransomware
Nuclear | (no detail given)
Rig | Delivered CryptoWall and TeslaCrypt ransomware
Sundown | Delivered the card-scraping Kasidet worm
Sweet Orange | Included in a malicious YouTube ad campaign
Vulnerabilities most commonly exploited by exploit kits
Exploit kits typically integrate exploits for vulnerabilities in popular applications that many users leave unpatched. We tallied the vulnerabilities commonly exploited from 2010 to the first half of 2016 and found that cybercriminals most often exploit the following:
Affected software: Microsoft Internet Explorer® 6 through 10
Description: This use-after-free vulnerability allows remote attackers to execute arbitrary code via a crafted website that triggers access to a deleted object.
Related attacks: Banking Trojan attack on South Korean banks, malicious YouTube ads
Affected software: Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 on Windows® and through 11.2.202.438 on Linux
Description: This is an Adobe Flash Player buffer overflow vulnerability that allows remote attackers to execute arbitrary code via unknown vectors.
Related attacks: Malvertising attacks, BEDEP malware attacks
Affected software: Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux
Description: This is an Adobe Flash Player memory corruption vulnerability that allows an attacker to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
Related attacks: Attack on compromised US-based ad network
Affected software: Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux
Description: This is an Adobe Flash Player buffer overflow vulnerability that occurs when parsing a compiled shader in a Flash object. It allows attackers to execute arbitrary shellcode in the context of the affected process.
Related attacks: Malicious YouTube ads
Affected software: Adobe Flash Player before 13.0.0.250 and 14.x and 15.x before 15.0.0.189 on Windows and before 11.2.202.411 on Linux
Description: This is an Adobe Flash Player remote integer overflow vulnerability that allows attackers to execute arbitrary code via unspecified vectors.
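A check of whether an installed Flash Player build falls inside the affected ranges listed above. This is an added example, not code from the original page: the four Flash entries are transcribed as version ranges ("through X" is inclusive, "before X" is exclusive, and "14.x through 16.x" sets the lower bound), and the same comparison is what a kit's landing page performs in the exploit stage when it picks an exploit for the fingerprinted plugin version. The page gives no identifiers for the entries, so the labels below are descriptive only and are this example's own.

```python
def parse_version(v):
    """'16.0.0.287' -> (16, 0, 0, 287); tuples compare element by element."""
    return tuple(int(p) for p in v.split("."))


# Affected ranges transcribed from the entries above. Each range is
# (platforms, lowest version in the range, boundary, boundary_inclusive).
# Labels are descriptive only; the page gives no identifiers for these entries.
FLASH_AFFECTED = {
    "buffer overflow (through 13.0.0.262 / 16.0.0.287)": [
        ({"windows"}, (0,), "13.0.0.262", True),            # through 13.0.0.262
        ({"windows"}, (14,), "16.0.0.287", True),           # 14.x-16.x through 16.0.0.287
        ({"linux"}, (0,), "11.2.202.438", True),            # through 11.2.202.438
    ],
    "memory corruption (before 13.0.0.281 / 17.0.0.169)": [
        ({"windows", "osx"}, (0,), "13.0.0.281", False),    # before 13.0.0.281
        ({"windows", "osx"}, (14,), "17.0.0.169", False),   # 14.x-17.x before 17.0.0.169
        ({"linux"}, (0,), "11.2.202.457", False),           # before 11.2.202.457
    ],
    "shader buffer overflow (before 11.7.700.279 / 13.0.0.206)": [
        ({"windows", "osx"}, (0,), "11.7.700.279", False),  # before 11.7.700.279
        ({"windows", "osx"}, (11, 8), "13.0.0.206", False), # 11.8.x-13.0.x before 13.0.0.206
        ({"linux"}, (0,), "11.2.202.356", False),           # before 11.2.202.356
    ],
    "integer overflow (before 13.0.0.250 / 15.0.0.189)": [
        ({"windows"}, (0,), "13.0.0.250", False),           # before 13.0.0.250
        ({"windows"}, (14,), "15.0.0.189", False),          # 14.x-15.x before 15.0.0.189
        ({"linux"}, (0,), "11.2.202.411", False),           # before 11.2.202.411
    ],
}


def in_range(version, rng, platform):
    """True if a parsed version on this platform lies inside one transcribed range."""
    platforms, lowest, boundary, inclusive = rng
    if platform not in platforms or version < lowest:
        return False
    bound = parse_version(boundary)
    return version <= bound if inclusive else version < bound


def affected_flash_entries(version_str, platform):
    """Labels of the entries whose affected range contains this build ('windows', 'osx' or 'linux')."""
    version = parse_version(version_str)
    return [label for label, ranges in FLASH_AFFECTED.items()
            if any(in_range(version, r, platform) for r in ranges)]


if __name__ == "__main__":
    # Constructed sample builds, not an inventory of real hosts.
    for build, platform in [("16.0.0.287", "windows"), ("17.0.0.169", "windows"),
                            ("11.2.202.438", "linux"), ("13.0.0.206", "osx")]:
        hits = affected_flash_entries(build, platform)
        print(f"{build} on {platform}: {hits or 'not in any listed range'}")
```

Note that the "before 13.0.0.281" branch of an entry also covers every 11.x and 12.x build on that platform, so an old unpatched install matches several entries at once, while a build exactly at a "before" boundary matches none of that entry's ranges.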
History of Exploit Kits
How to protect your organization from exploit kits
- Promptly patch all endpoints in the system to block the known vulnerabilities that are integrated into exploit kits.
- Deploy a solution with vulnerability protection technology to proactively shield your systems from unknown vulnerabilities, based on network protocol deviations and other suspicious attack routines.
- Update browsers and plugins to the latest version and use browser exploit prevention technology that protects against zero-day vulnerabilities and blocks malware that tries to come in via your browser.
Related terms: Exploit, zero-day exploit, cookies, hacking, vulnerability, virtual patching, SQL injection, cross-site scripting, Internet of Things
Related papers/primers:
Monitoring Vulnerabilities: Are your Servers Exploit-Proof?
Virtual Patching in Mixed Environments: How It Works To Protect You
Related infographics:
Shellshock Vulnerability: The Basics of the “Bash Bug”
Stop threats dead in their tracks/Blackhole Exploit Kit
Dodging a Compromise: A Peek at Exposure Gaps
The Internet of Everything: Layers, Protocols and Possible Attacks
Graphics: https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-evolution-of-exploit-kits.pdf