Pierluigi Paganini December 06, 2016

Experts from the firm Recorded Future published a report on the most common vulnerabilities used by threat actors in the exploit kits.

Recorded Future published an interesting report on the most common vulnerabilities used by threat actors in the exploit kits.

The experts observed that Adobe Flash Player and Microsoft products (Internet Explorer, Silverlight, Windows) continue to be privileged targets of threat actors. Hacking campaigns conducted by nation-state actors have dominated the threat landscape in 2016, while crooks used exploit kits to deliver several families of malware, including ransomware and banking trojans.

The experts noticed that hackers have used new exploit kits targeting new vulnerabilities.

The researchers highlighted that the Adobe Flash Player comprised six of the top 10 vulnerabilities triggered by the exploit kits in a period from November 16, 2015 to November 15, 2016.

RecordedFuture analyzed 141 exploit kits, experts noticed that the Internet Explorer flaw tracked as CVE-2016-0189 was the most referenced on security blogs, deep web forum postings and dark web sites.

This vulnerability was widely exploited by hackers behind the CNACOM campaign and its had been exploited in targeted attacks against Windows users in South Korea before Microsoft fixed it.

Experts from startup Theori have made a reverse engineering of the MS16-053 that fixed the CVE-2016-0189 flaw and published a PoC exploit for the vulnerability.

The PoC code works on Internet Explorer 11 running on Windows 10, a great gift for fraudsters that included it in the Neutrino EK and Magnitude, and many other exploit kits such as Angler, RIG, Nuclear, Spartan and Hunter.

The above list of vulnerabilities used by exploit kits also includes the Adobe Flash flaw tracked as CVE-2016-1019, CVE-2016-4117, CVE-2016-1010, and CVE-2015-8651.

The list includes also Microsoft Silverlight flaw tracked as CVE-2016-0034 and Microsoft Windows flaw tracked as CVE-2014-4113

According to Recorded Future after the Angler and Nuclear EKs disappeared from the threat landscape RIG became the most used EK, while the popularity of the Sundown EK rapidly increased.

Let me close with the Key Takeaways published by Recorded Future.

• Adobe Flash Player provided six of the top 10 vulnerabilities used by exploit kits in 2016. Since our 2015 ranking, Flash Player’s popularity with cyber criminals remains after increased Adobe security issue mitigation efforts.
• Vulnerabilities in Microsoft’s Internet Explorer, Windows, and Silverlight rounded out the top 10 vulnerabilities used by exploit kits. None of the vulnerabilities identified in last year’s report carried over to this year’s top 10.
• A 2016 Internet Explorer vulnerability (CVE-2016-0189) saw the most linkage to exploit kits, notably Sundown EK which quickly adopted an exploit in July 2016.
• Sundown, RIG, and Neutrino exploit kits filled the void created by Angler Exploit Kit’s June 2016 demise. This crimeware can be used for anywhere from $200 a week (RIG) to $1,500 a week (Neutrino).
• Adobe Flash Player’s CVE-2015-7645 has been incorporated into seven exploit kits, the highest penetration level of our analyzed vulnerabilities likely because it was the first zero-day discovered after significant Adobe security changes.
• Identifying frequently exploited vulnerabilities can drive action by vulnerability assessment teams.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – hacking, Top 10 vulnerabilities)