State Of The Exploit Kit
Exploit kit traffic is down considerably following the demise of Nuclear and Angler, but many researchers see it only as a temporary disruption.
September 26, 2016
Turnkey exploit kits -- bundled with malware infection mechanisms and distribution channels, command-and-control infrastructure, and everything a cybercriminal would need to attack users for the sake of data theft and other nefarious purposes -- have long been the bane of the cybersecurity landscape.
These kits put cutting-edge technical capabilities at the fingertips of crooks with very little geek cred but open pocketbooks, broadening the possibilities of wide-scale infection for profit.
On the good-news front, exploit kits have seen a massive slowdown in 2016. However, on the not-so-good-news front, many researchers believe that it is only a matter of time before the criminals pick up the pace again.
Last year was an epic one for exploit kit growth. According to Trend Micro, by the fourth quarter year-over-year growth had doubled from 2014. For all of this strength in 2015, malware researchers found that exploit kit activity started slowing down in the spring of this year. They attribute it to the disappearance of two of the most popular kits of the previous year: Angler and Nuclear.
The first big exploit kit disruption came in April after the Check Point Research Team published an in-depth report detailing the operational capabilities and control mechanisms of the Nuclear Exploit Kit's infrastructure, including the control panel, landing page served by the exploit kit, the master server, infection flow, and other internal logics. Shortly thereafter, Nuclear's infrastructure went dark.
Even more impactful, though, has been the disappearance of Angler. The far-and-away front runner in exploit kit prevalence at the start of the year, Angler in January was reported by Palo Alto Networks to have compromised over 90,000 websites, including 30 in the Alexa Top 100,000. But by mid-June, researchers reported that Angler traffic had essentially disappeared, and as a result overall exploit kit activity fell 96% between April and June, according to researchers with Proofpoint.
What happened to Angler is the big mystery of the year for researchers, though many speculate that the Lurk gang arrests of 50 cybercriminals, announced in early June by the Russian FSB, may have had a connection, either because the Angler operators themselves were swept up then or because they are lying low as a result.
"With the recent 50 arrests tied to Lurk in mind, and knowing the infection vector for Lurk was the 'Indexm' variant of Angler between 2012 and the beginning of 2016 ... we might think there is a connection and that some actors are stepping back," security researcher Kafeine wrote at the time.
In spite of the slowdown, exploit kits haven't disappeared. They just seem to be in an adjustment period. Just like Angler stepped in to fill the void left behind by the shutdown of the Blackhole exploit kit following its creators' arrests in 2013, researchers expect traffic to rebound or some other distribution mechanism to fill the void left behind. As things stand, there are five major exploit kits still active: Hunter, Magnitude, Neutrino, RIG, and Sundown, according to researchers with Digital Shadows.
According to Digital Shadows, the kits that remain are in the process of updating their mechanisms, with many now primarily targeting vulnerabilities disclosed after 2015. These researchers reported that 76 CVE numbers were associated with the prevalent exploit kits of today. The favorite application target is Flash, with Java and Internet Explorer coming in second and third, respectively.
And as exploit kits evolve, ransomware is playing a big part in their schemes. According to research done by Malwarebytes in August, the incidence of ransomware found within exploit kits increased by 259% in the spring and summer of 2016 alone.