Law enforcement actions and a relative dearth of zero-day bugs appear to have contributed to a sharp decline in exploit kit activity in recent months.
It's too soon, however, to say whether the decline represents a permanent or temporary shift away from the use of exploit kits to drop malicious payloads.
A recent report from Trend Micro showed that attacks involving exploit kits fell from 27 million in 2015 to a mere 8.8 million in 2016. The decline was especially noticeable in the second half of last year when attacks against Trend Micro customers involving the use of the notorious Angler exploit kit dropped to near zero from 3.4 million separate attacks in the first quarter of 2016.
Much of the sudden decline in exploit kit activity, according to Trend Micro, appears related to last year's arrest of 50 individuals in Russia believed to be associated with the Angler exploit kit. The arrests resulted in an almost immediate and significant drop-off in exploit kit activity. To put that in perspective, Angler in 2015 accounted for more than 57% of all recorded incidents involving exploit kits.
In addition, Neutrino and Nuclear, two other popular exploit kits, also stopped being actively used in 2016. While it is not clear what prompted their demise, it is likely that a lack of zero-day vulnerabilities played a part. There were fewer zero-day vulnerabilities in 2016 than in previous years, making exploit kits less lethal than usual.
"The shelf life of exploitable vulnerabilities and zero-days is decreasing rapidly," says Patrick Wheeler, director of threat intelligence at Proofpoint, another vendor that has reported a sharp decline in exploit kit activity recently. Total exploit kit activity declined a massive 93% between January and September last year, according to Proofpoint.
Angler itself has been replaced by another exploit kit dubbed RIG. But overall attack traffic volume associated with exploit kits is nowhere near its highs of 2015.
"Essentially, software developers, security vendors, and organizations are patching vulnerabilities so rapidly now that exploit kits are simply much less effective than they used to be," he says. This has made it hard for threat actors to achieve reasonable returns on their investments in exploit kits.
"Malicious email volumes have increased dramatically while mobile attack kits and [exploit kits] for IoT devices and routers have all emerged to fill the void," he says.
Enterprises should not be lulled into a false sense of security by the drop-off in exploit kit activity, says Jon Clay, director of global threat communications at Trend Micro. The decline does not necessarily mean exploit kits will not continue to be used in attacks, he says.
Vulnerable systems remain a viable way for attackers to compromise a host and gain a foothold in an organization. Enterprises should not use the trend as an excuse not to do proper patching, he says.
"We have started to see private exploit kits being developed and used by cyber gangs" with the resources to develop such kits on their own, he says. The operators of the Lurk and Pawn Storm espionage campaigns are two examples of threat groups that have used their own exploit kits to attack targets, he says.
"So we could be seeing a trend where exploit kits go private versus public," he cautions.
Michael Marriott, a research analyst at Digital Shadows, says there's been a great deal of change in the exploit kit landscape over the past year. But it would be a mistake to overestimate the impact of the demise of Angler and Nuclear exploit kit activity.
He points to the recent public release of source code for an exploit kit dubbed Sundown as one example of the continued threat actor interest in exploit kits. "Following the release of this source code, it’s likely we will see more exploit kits being sold across criminal forums," he says.
"By understanding the most popular exploit kits, as well as the vulnerabilities they most commonly exploit and their favored attack vectors, organizations can learn which vulnerabilities to patch as a priority," Marriott says.
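The advice above (keep patching, and use knowledge of which bugs active kits actually weaponise to decide what to patch first) can be turned into a simple ranking. The following is an added example written for this article, not code from Trend Micro, Proofpoint, Digital Shadows or any other party quoted here. Every vulnerability identifier, severity score and kit-activity weight in it is a constructed placeholder; the kit names RIG, Sundown and Angler come from the article, but their weights are assumptions standing in for whatever threat-intelligence feed a team actually uses.

```python
"""Patch-prioritisation example: rank pending fixes so that vulnerabilities
known to be used by currently active exploit kits come first.

Added example, not code from the article or the vendors it quotes. All ids,
scores and kit weights are constructed placeholders, not real advisories.
"""
from dataclasses import dataclass, field


@dataclass
class Vuln:
    vuln_id: str                 # placeholder id, NOT a real CVE number
    product: str                 # affected software (constructed)
    severity: float              # CVSS-style base score, 0.0-10.0 (constructed)
    exploit_kits: list = field(default_factory=list)   # kits seen using it
    patch_available: bool = True


# Assumed relative activity of each kit right now. The article reports Angler
# near zero, RIG taking its place and Sundown source now public; the numbers
# are illustrative, not measurements.
KIT_ACTIVITY = {"RIG": 3.0, "Sundown": 2.0, "Angler": 0.5}

# Constructed inventory of outstanding vulnerabilities for the example.
SAMPLE_VULNS = [
    Vuln("PLACEHOLDER-1", "document-viewer", 9.8),                      # critical, no kit uses it
    Vuln("PLACEHOLDER-2", "browser-plugin", 7.5, ["RIG", "Sundown"]),   # high, used by two active kits
    Vuln("PLACEHOLDER-3", "browser", 8.0, ["Angler"]),                  # high, only a dormant kit
    Vuln("PLACEHOLDER-4", "router-firmware", 9.0, ["RIG"], False),      # no vendor fix yet
]


def priority_score(v: Vuln, kit_weights: dict) -> float:
    """Higher means patch sooner.

    Start from the severity, then add the activity weight of every exploit kit
    known to weaponise the bug. A bug no kit is using keeps its bare severity,
    so raw severity alone never decides the order once kits are in play.
    """
    bonus = sum(kit_weights.get(kit, 0.0) for kit in v.exploit_kits)
    return round(v.severity + bonus, 2)


def prioritise(vulns: list, kit_weights: dict) -> list:
    """Return the vulnerabilities that can be patched, most urgent first.

    Entries without a vendor fix are left out of the patch queue; they belong
    in a separate mitigation list (compensating controls), not here.
    """
    actionable = [v for v in vulns if v.patch_available]
    return sorted(actionable, key=lambda v: priority_score(v, kit_weights), reverse=True)


def unpatchable(vulns: list) -> list:
    """Vulnerabilities that need mitigation rather than a patch."""
    return [v for v in vulns if not v.patch_available]


if __name__ == "__main__":
    for v in prioritise(SAMPLE_VULNS, KIT_ACTIVITY):
        print(f"{priority_score(v, KIT_ACTIVITY):5.1f}  {v.vuln_id:14}  {v.product}")
    for v in unpatchable(SAMPLE_VULNS):
        print(f"  n/a  {v.vuln_id:14}  {v.product}  (no patch; mitigate)")
```

Run on the constructed data, the high-severity browser-plugin bug used by two active kits outranks the critical document-viewer bug that no kit is exploiting, which is the point of Marriott's advice: severity alone is a weaker signal than severity plus observed exploit-kit use. Swapping the kit weights for figures from a real intelligence feed, and the placeholder ids for the organisation's actual scan results, is all that changes in production use.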