2/23/2017
10:00 AM
Exploit Kit-Based Attacks Decline Dramatically

But it's too soon to call this downward trend a permanent shift, experts say.

Law enforcement actions and a relative dearth of zero-day bugs appear to have contributed to a sharp decline in exploit kit activity in recent months.

It's too soon, however, to say whether the decline represents a permanent or temporary shift away from the use of exploit kits to drop malicious payloads.

A recent report from Trend Micro showed that attacks involving exploit kits fell from 27 million in 2015 to a mere 8.8 million in 2016. The decline was especially noticeable in the second half of last year when attacks against Trend Micro customers involving the use of the notorious Angler exploit kit dropped to near zero from 3.4 million separate attacks in the first quarter of 2016.

Much of the sudden decline in exploit kit activity, according to Trend Micro, appears related to last year's arrest of 50 individuals in Russia believed to be associated with the Angler exploit kit. The arrests resulted in an almost immediate and significant drop-off in exploit kit activity. To put that in perspective, Angler in 2015 accounted for more than 57% of all recorded incidents involving exploit kits.

In addition, Neutrino and Nuclear, two other popular exploit kits, also stopped being actively used in 2016. While it is not clear what prompted their demise, it is likely that a lack of zero-day vulnerabilities played a part. There were fewer zero-day vulnerabilities in 2016 than in previous years, making exploit kits less lethal than usual.

"The shelf life of exploitable vulnerabilities and zero-days is decreasing rapidly," says Patrick Wheeler, director of threat intelligence at Proofpoint, another vendor that has reported a sharp decline in exploit kit activity recently. Total exploit kit activity declined a massive 93% between January and September last year, according to Proofpoint.

Angler itself has been replaced by another exploit kit dubbed RIG. But overall attack traffic volume associated with exploit kits is nowhere near its highs of 2015.

"Essentially, software developers, security vendors, and organizations are patching vulnerabilities so rapidly now that exploit kits are simply much less effective than they used to be," he says. This has made it hard for threat actors to achieve reasonable returns on their investments in exploit kits.

"Malicious email volumes have increased dramatically while mobile attack kits and [exploit kits] for IoT devices and routers have all emerged to fill the void," he says.

Enterprises should not be lulled into a false sense of security by the drop-off in exploit kit activity, says Jon Clay, director of global threat communications at Trend Micro. The decline does not necessarily mean exploit kits will not continue to be used in attacks, he says.

Unpatched systems remain a viable way to compromise a host and gain a foothold in an organization. Enterprises should not use the trend as an excuse not to do proper patching, he says.

"We have started to see private exploit kits being developed and used by cyber gangs" with the resources to develop such kits on their own, he says. The operators of the Lurk and Pawn Storm espionage campaigns are two examples of threat groups that have used their own exploit kits to attack targets, he says.

"So we could be seeing a trend where exploit kits go private versus public," he cautions.

Michael Marriott, a research analyst at Digital Shadows, says there's been a great deal of change in the exploit kit landscape over the past year. But it would be a mistake to overestimate the impact of the demise of Angler and Nuclear exploit kit activity.

He points to the recent public release of source code for an exploit kit dubbed Sundown as one example of the continued threat actor interest in exploit kits. "Following the release of this source code, it’s likely we will see more exploit kits being sold across criminal forums," he says.

"By understanding the most popular exploit kits, as well as the vulnerabilities they most commonly exploit and their favored attack vectors, organizations can learn which vulnerabilities to patch as a priority," Marriott says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...