
Attacks/Breaches

11/18/2015 12:00 PM

Exploit Kit Explosion Will Keep Victims Off Kilter

Exploit kit C&C infrastructure expanded by 75% in Q3.

Exploit kit activity is on a massive upswing as figures from a new report out today from Infoblox and IID show that the command and control infrastructure behind these kits mushroomed last quarter.

The study shows that the creation of DNS infrastructure for exploit kits jumped by 75% year-over-year in Q3. As a result, the report's authors say that enterprises and users at large should steel themselves for a surge of activity as attackers begin to take advantage of this built-up infrastructure.

The black-market engines of the cybercrime economy, exploit kits offer criminals a turnkey method of propagating malware, exploiting victim machines, and controlling those machines to carry out further attacks such as theft, distributed denial-of-service attacks, and lateral attacks into the networks to which the compromised machines are connected. When exploit kits first came to prominence in 2012 with the Blackhole kit's explosion, licensing ran for as much as $10,000 per month. But as competition from numerous exploit kit developers has crowded the market, pricing has come down considerably, to anywhere from $30 to $500 per month, according to experts with Trustwave. They say that small investment can yield income of over $80,000 per month if criminals use their kits effectively.

The report today showed that four malware families in particular drove this increase: Angler, Magnitude, Neutrino, and Nuclear. This year, Angler in particular has stepped into the void that was left behind by Blackhole after its creators were arrested in October 2013. According to a report from Sophos this summer, Angler at that time comprised 82% of the exploit kit market.

"The Angler exploit kit is one of the most sophisticated currently used by cybercriminals and leads exploit kit DNS activity for Q3," Infoblox researchers wrote. "Angler exploit kits are often quickly updated with the latest zero-day vulnerabilities in popular software and use sophisticated obfuscation techniques, making it difficult for traditional antivirus technologies to detect."

For example, the report says that much of Cryptowall 3.0's success is thanks to Angler, which has been widely used to launch these ransomware attacks.

According to Infoblox, exploit activity tends to track along a predictable cycle.

"Cybercriminals usually go through a cycle of 'planting' and 'harvesting' when it comes to malicious infrastructure. During the planting phase, there is a significant rise in the number of malicious domains created for malware and exploit kits," the report explains. "Once this phase ends, the attackers begin to harvest the extensive infrastructure they have built to launch attacks, steal data, and generally cause harm to their victims."

If these patterns hold, expect a ramping-up of attacks launched through exploit kits in the coming months as attackers take advantage of the infrastructure they built in Q3.
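The planting phase the report describes is observable from the defender's side as a surge in newly seen malicious domains. The following is an added example, not code from the Infoblox/IID report or from Dark Reading: it takes a feed of (domain, first-seen date, attributed kit) records, buckets them by calendar quarter, computes year-over-year growth per quarter, and flags any quarter whose growth crosses a threshold as a likely planting phase. The records are constructed placeholders (note the .invalid TLD) and the 50% threshold is an assumption; a real deployment would feed it from a passive-DNS or threat-intelligence source.

```python
from collections import defaultdict
from datetime import date

# Constructed sample feed: (domain, first_seen, attributed kit).
# Domains use the reserved .invalid TLD so they are obviously placeholders,
# not real indicators; dates are chosen so Q3 2015 shows 75% YoY growth.
SAMPLE_RECORDS = [
    ("kit-2014q2-01.invalid", date(2014, 4, 9), "Magnitude"),
    ("kit-2014q2-02.invalid", date(2014, 5, 21), "Angler"),
    ("kit-2014q3-01.invalid", date(2014, 7, 3), "Angler"),
    ("kit-2014q3-02.invalid", date(2014, 8, 11), "Magnitude"),
    ("kit-2014q3-03.invalid", date(2014, 8, 27), "Angler"),
    ("kit-2014q3-04.invalid", date(2014, 9, 30), "Nuclear"),
    ("kit-2015q2-01.invalid", date(2015, 4, 2), "Angler"),
    ("kit-2015q2-02.invalid", date(2015, 6, 15), "Neutrino"),
    ("kit-2015q3-01.invalid", date(2015, 7, 1), "Angler"),
    ("kit-2015q3-02.invalid", date(2015, 7, 19), "Angler"),
    ("kit-2015q3-03.invalid", date(2015, 8, 4), "Nuclear"),
    ("kit-2015q3-04.invalid", date(2015, 8, 22), "Angler"),
    ("kit-2015q3-05.invalid", date(2015, 9, 5), "Neutrino"),
    ("kit-2015q3-06.invalid", date(2015, 9, 14), "Angler"),
    ("kit-2015q3-07.invalid", date(2015, 9, 28), "Nuclear"),
]


def quarter_of(d):
    """Map a date to a (year, quarter) tuple, quarter in 1..4."""
    return (d.year, (d.month - 1) // 3 + 1)


def count_by_quarter(records):
    """Number of newly seen malicious domains per (year, quarter)."""
    counts = defaultdict(int)
    for _domain, first_seen, _kit in records:
        counts[quarter_of(first_seen)] += 1
    return dict(counts)


def yoy_growth(counts, year, quarter):
    """Fractional growth versus the same quarter a year earlier.

    Returns None when there is no prior-year baseline, so a missing
    baseline is never mistaken for zero growth or infinite growth.
    """
    current = counts.get((year, quarter), 0)
    previous = counts.get((year - 1, quarter), 0)
    if previous == 0:
        return None
    return (current - previous) / previous


def kits_in_quarter(records, year, quarter):
    """Which kits drove the domain creation in a given quarter."""
    by_kit = defaultdict(int)
    for _domain, first_seen, kit in records:
        if quarter_of(first_seen) == (year, quarter):
            by_kit[kit] += 1
    return dict(by_kit)


def planting_alerts(records, threshold=0.5):
    """Quarters whose YoY growth in new malicious domains meets the threshold.

    Each alert is (year, quarter, growth rounded to two decimals). The
    0.5 default is an assumed alerting threshold, not a value from the report.
    """
    counts = count_by_quarter(records)
    alerts = []
    for year, quarter in sorted(counts):
        growth = yoy_growth(counts, year, quarter)
        if growth is not None and growth >= threshold:
            alerts.append((year, quarter, round(growth, 2)))
    return alerts


if __name__ == "__main__":
    for year, quarter, growth in planting_alerts(SAMPLE_RECORDS):
        print(f"{year} Q{quarter}: +{growth:.0%} new malicious domains YoY,"
              f" kits: {kits_in_quarter(SAMPLE_RECORDS, year, quarter)}")
```

On the constructed feed this flags 2015 Q3 with 75% growth, led by Angler, and raises nothing for the 2014 quarters because there is no 2013 baseline. The practical use is to treat such an alert as the start of the planting phase and tighten DNS filtering and web-proxy monitoring before the harvesting phase begins.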


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
"Sly"L542,
User Rank: Apprentice
12/1/2015 | 4:37:21 PM
Excellent Article
Behavioral endpoint solutions need to be implemented on the user device. In addition, organizations need to implement full-packet SIEMs in their environment. This will allow them to rebuild attacks and hunt down malware and zero-day attacks.