Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/23/2017
10:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Exploit Kit-Based Attacks Decline Dramatically

But it's too soon to call this downward trend a permanent shift, experts say.

Law enforcement actions and a relative dearth of zero-day bugs appear to have contributed to a sharp decline in exploit kit activity in recent months.

It's too soon, however, to say whether the decline represents a permanent or temporary shift away from the use of exploit kits to drop malicious payloads.

A recent report from Trend Micro showed that attacks involving exploit kits fell from 27 million in 2015 to a mere 8.8 million in 2016. The decline was especially noticeable in the second half of last year when attacks against Trend Micro customers involving the use of the notorious Angler exploit kit dropped to near zero from 3.4 million separate attacks in the first quarter of 2016.

Much of the sudden decline in exploit kit activity, according to Trend Micro, appears related to last year's arrest of 50 individuals in Russia believed associated with the Angler exploit kit. The arrests resulted in an almost immediate and significant drop off in exploit kit activity. To put that in perspective, Angler in 2015 accounted for more than 57% of all recorded incidents involving exploit kits.

In addition, Neutrino and Nuclear, two other popular exploit kits also stopped being actively used in 2016. While it is not clear what prompted their demise, it is likely that a lack of zero-day vulnerabilities played a part. There were a lesser number of zero-day vulnerabilities in 2016 compared to previous years making exploit kits less lethal than usual.

"The shelf life of exploitable vulnerabilities and zero-days is decreasing rapidly," says Patrick Wheeler, director of threat intelligence at Proofpoint another vendor that has reported a sharp decline in exploit kit activity recently. Total exploit kit activity declined a massive 93% between January and September last year, according to Proofpoint

Angler itself has been replaced by another exploit kit dubbed RIG. But overall attack traffic volume associated with exploit kits is nowhere near their highs of 2015.

"Essentially, software developers, security vendors, and organizations are patching vulnerabilities so rapidly now that exploit kits are simply much less effective than they used to be," he says. This has made it hard for threat actors to achieve reasonable returns on their investments in exploit kits.

"Malicious email volumes have increased dramatically while mobile attack kits and [exploit kits] for IoT devices and routers have all emerged to fill the void," he says.

Enterprises should not be lulled into a sense of false security by the drop off in exploit kit activity, says Jon Clay, director of global threat communications at Trend Micro. The decline does not necessarily mean exploit kits will not continue to be used in attacks, he says.

Vulnerable systems are still a viable way to compromise a system and gain a foothold into an organization. Enterprises should not use the trend as an excuse not to do proper patching, he says.

"We have started to see private exploit kits being developed and used by cyber gangs," with the resources to develop such kits on their own, he says. The operators of Lurk and Pawn Storm espionage campaigns are two examples of threat groups that have used their own exploit kits to attack targets, he says.

"So we could be seeing a trend where exploit kits go private versus public," he cautions.

Michael Marriott, a research analyst at Digital Shadows, says there's been a great deal of change in the exploit kit landscape over the past year. But it would be a mistake to overestimate the impact of the demise of Angler and Nuclear exploit kit activity.

He points to the recent public release of source code for an exploit kit dubbed Sundown as one example of the continued threat actor interest in exploit kits. "Following the release of this source code, it’s likely we will see more exploit kits being sold across criminal forums," he says.

"By understanding the most popular exploit kits, as well as the vulnerabilities they most commonly exploit and their favored attack vectors, organizations can learn which vulnerabilities to patch as a priority," Marriott says.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16395
PUBLISHED: 2019-09-17
GnuCOBOL 2.2 has a stack-based buffer overflow in the cb_name() function in cobc/tree.c via crafted COBOL source code.
CVE-2019-16396
PUBLISHED: 2019-09-17
GnuCOBOL 2.2 has a use-after-free in the end_scope_of_program_name() function in cobc/parser.y via crafted COBOL source code.
CVE-2019-16199
PUBLISHED: 2019-09-17
eQ-3 Homematic CCU2 before 2.47.18 and CCU3 before 3.47.18 allow Remote Code Execution by unauthenticated attackers with access to the web interface via an HTTP POST request to certain URLs related to the ReGa core process.
CVE-2019-16391
PUBLISHED: 2019-09-17
SPIP before 3.1.11 and 3.2 before 3.2.5 allows authenticated visitors to modify any published content and execute other modifications in the database. This is related to ecrire/inc/meta.php and ecrire/inc/securiser_action.php.
CVE-2019-16392
PUBLISHED: 2019-09-17
SPIP before 3.1.11 and 3.2 before 3.2.5 allows prive/formulaires/login.php XSS via error messages.