Experts warn Neutrino and RIG exploit kit activity spike

Security experts at Heimdal Security are warning a spike in cyber attacks leveraging the popular Neutrino and RIG exploit kit.

Cyber criminals always exploit new opportunities and users’ bad habits, now crooks behind the recent campaigns relying on Neutrino and RIG exploit kits are ramping up attacks against users that haven’s patched their Adobe Flash software.

“It seems that cyber criminals are well rested and have also gotten back to the “office”, because out team has spotted a substantial increase in exploit kit activity for Neutrino, RIG and Angler.” states a blog post published by the Heimdal Security firm.

In August, according to Zscaler security firm, cybercriminals compromised more than 2,600 WordPress websites and deployed malicious iframes on 4,200 distinct pages. The criminals exploited vulnerable versions of WordPress 4.2, and prior, to plant the iframes which were used to redirect users to domains hosting the Neutrino exploit kit.

The Neutrino landing page was designed to exploit Flash Player vulnerabilities in order to serve the last variant of the popular ransomware CryptoWall 3.0. Also in this case, the variant of the Neutrino exploit kit leveraged in the attack includes the Flash Player exploits leaked in the Hacking Team breach.

The attackers are exploiting the remote code execution flaw in Adobe Flash to serve ransomware.

According to the researchers at Trustwave, in the same period, the researchers at Trustwave revealed that the developer behind the RIG exploit kit released a 3.0 version of the RIG exploit kit which includes some significant improvements to avoid the analysis of the source code.

Now Neutrino is used by crooks in the wild to spread the Cryptolocker 2 ransomware and variants of the Kovter malware family exploiting the Flash (CVE-2015-7645) that remained unpatched after Adobe released a critical patch in October.

“This new campaign also comes with added surreptitious tricks: Google Blackhat SEO poisoning and an immediate focus on using Flash Player vulnerabilities as a distribution vector.”  continues the Heimdal Security firm.

The researchers discovered that the new variant of the Neutrino exploit kit has the ability to determine if user’s browser and Flash player installation are vulnerable, it is also able to evade security software detection.

The campaign relying RIG exploit kit spread through drive-by attacks by using Google Blackhat SEO poisoning. The RIG 3.0 is continuously improved by including the code for the exploitation of known vulnerabilities in popular third-party applications like Adobe Flash, Adobe Reader, Adobe Acrobat and Silverlight to infect outdated Windows machines.

This RIG-serving campaign spread through drive-by attacks by using Google Blackhat SEO poisoning.

“From our data, derived from having access to RIG exploit kit version 3 panels, we have observed that this payload achieves an infection success rate of 56% on Windows 7 PCs with Internet Explorer 9. The security issues lie particularly with Adobe Flash Player and, respectively, with vulnerabilities to RIG exploit kit version 3 panels, we have observed that this payload achieves an infection success rate of 56% on Windows 7 PCs with Internet Explorer 9. The security issues lie particularly with Adobe Flash Player and, respectively, with vulnerabilities CVE-2015-5119(CVSS Score: 10) and CVE-2015-5122 (CVSS Score: 10), which are wreaking havoc among Windows-based PCs.” continues Heimdal Security.

When it comes to this kind of criminal campaigns, most popular exploit kits focus their capabilities to compromise outdated Adobe Flash Player installations to compromise the user’s machine.

Experts at Heimdal Security recommend to immediately update Flash Player installations and always keep all software up to date.

“According to Homeland Security’s cyber-emergency unit, US-CERT, as many as 85% of all targeted attacks can be prevented by applying a security patch.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Neutrino Exploit Kit, cybercrime)