Experts published IE Exploit code and crooks added it to Neutrino EK

Operators behind the Neutrino EK have added the code to exploit an Internet Explorer flaw that  was recently patched with the release of the MS16-053.

Operators behind the infamous Neutrino EK have recently added the code to exploit an Internet Explorer vulnerability that was patched with the release of the MS16-053 security bulletin.

The MS16-053 bulletin patched two remote code execution vulnerabilities in the JScript (CVE-2016-0187) and VBScript (CVE-2016-0189) scripting engines

The security vulnerabilities can be exploited through the Internet Explorer web browser, unfortunately, the CVE-2016-0189 had been exploited in targeted attacks against Windows users in South Korea before Microsoft fixed it.

In order to trigger the vulnerability, victims have to visit a compromised website or open a spear-phishing email containing a malicious link.

Experts from startup Theori have made a reverse engineering of the MS16-053 and published a PoC exploit for the CVE-2016-0189 vulnerability.

Neutrino EK PoCNeutrino EK PoC

The PoC code works on Internet Explorer 11 running on Windows 10, a great gift for fraudsters that included it in the Neutrino EK as confirmed by FireEye.

Researchers from FireEye noticed that last version of the Neutrino EK included exploits for a total of five vulnerabilities, three Flash Player flaws (CVE-2016-1019, CVE-2016-4117 and CVE-2015-8651) and two Internet Explorer (CVE-2014-6332 and CVE-2016-0189).

“CVE-2016-0189 was originally exploited as a zero-day vulnerability in targeted attacks in Asia. The vulnerability resides within scripting engines in Microsoft’s Internet Explorer (IE) browser, and is exploited to achieve Remote Code Execution (RCE). According to the researcher’s repository, the open source exploit affects IE on at least Windows 10. It is possible that attackers could use or repurpose the attack for earlier versions of Windows.” states FireEye. “In this example, Neutrino embedded exploits for five patched vulnerabilities: three for Adobe Flash Player (CVE-2016-4117, CVE-2016-1019, CVE-2015-8651) and two for Internet Explorer (CVE-2016-0189, CVE-2014-6332). CVE-2016-0189 is the newest addition to Neutrino’s arsenal.”

The experts compared the code used in the Neutrino EK and the one released by the researchers. Researchers from FireEye speculate that crooks might be able to adapt the exploit for older versions of the operating system as well.

In January, experts from Heimdal Security warned a spike in cyber attacks leveraging the popular Neutrino and RIG exploit kit, the crimeware kits have become the most popular exploit kits after Angler and Nuclear disappeared.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Neutrino EK, cybercrime)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Trend Micro fixes critical bugs in Apex Central and TMEE PolicyServer

Trend Micro fixed multiple vulnerabilities that impact its Apex Central and Endpoint Encryption (TMEE) PolicyServer…

3 hours ago

Paragon Graphite Spyware used a zero-day exploit to hack at least two journalists’ iPhones<gwmw style="display:none;"></gwmw><gwmw style="display:none;"></gwmw>

Security researchers at Citizen Lab revealed that Paragon's Graphite spyware can hack fully updated iPhones…

14 hours ago

SinoTrack GPS device flaws allow remote vehicle control and location tracking

Two vulnerabilities in SinoTrack GPS devices can allow remote vehicle control and location tracking by…

22 hours ago

U.S. CISA adds Wazuh, and WebDAV flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Wazuh, and WebDAV flaws to its Known…

1 day ago

Exposed eyes: 40,000 security cameras vulnerable to remote hacking

Over 40,000 internet-exposed security cameras worldwide are vulnerable to remote hacking, posing serious privacy and…

1 day ago

Operation Secure: INTERPOL dismantles 20,000+ malicious IPs in major cybercrime crackdown

INTERPOL announced that a joint operation code-named Operation Secure took down 20,000+ malicious IPs/domains tied…

2 days ago