
12:20 PM

Microsoft Office Files Most Popular for Exploit Tests

A new report examines attacker methodologies to better understand how exploit testing is conducted in the wild.

Security researchers who analyzed attackers' exploit testing process concluded that exploits never go out of style. Many can remain popular and reliable tools over time, partly due to dependence on legacy systems.

Recorded Future's Insikt Group sought to track exploit development and understand how attackers test the exploits they write or the existing exploit code they modify. To see how this process unfolds in the wild, the researchers evaluated several methodologies for finding exploit-testing code in VirusTotal data. Relying on VirusTotal's exploit verdicts, they identified 621 files containing exploit code submitted between Nov. 1, 2019, and April 1, 2020.

They learned Microsoft Office files made up the largest share (45.7%) of potential testing files, followed by Portable Executable (Windows binary) files. The most commonly tested flaws are CVE-2014-6352 (Sandworm) and CVE-2017-0199. Attackers were usually seen testing exploits for Microsoft products, which researchers say is very likely due to the ubiquity of these tools.
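The tally described above can be reproduced against scan results of the kind VirusTotal returns. The following is an added example, not code from Recorded Future's report: it keeps only files that at least one engine flags as an exploit, pulls CVE identifiers out of the detection names (which spell them inconsistently), buckets file types into Office, PE and everything else, and reports each bucket's share and the most frequently tagged CVEs. The records, engine names and verdict strings are constructed for illustration.

```python
"""Tally exploit-testing candidates from VirusTotal-style scan records.

Added example (not Recorded Future's code). It mirrors the shape of the
analysis in the article: filter to exploit-flagged files, extract CVE IDs
from detection names, and report file-type share and CVE frequency.
"""
import re
from collections import Counter

# Constructed sample records. The field layout (a file-type string plus
# per-engine detection names) mirrors a VirusTotal file report, but the
# hashes, engine names and verdicts below are invented for illustration.
SAMPLE_RECORDS = [
    {"sha256": "11" * 32, "type": "MS Word Document",
     "results": {"EngineA": "Exploit.CVE-2017-0199.Gen", "EngineB": "Trojan.Generic"}},
    {"sha256": "22" * 32, "type": "Rich Text Format",
     "results": {"EngineA": "Exploit.RTF.CVE-2017-0199", "EngineB": None}},
    {"sha256": "33" * 32, "type": "Office Open XML Document",
     "results": {"EngineA": "Exploit.OLE.CVE-2014-6352", "EngineC": "Exploit.Sandworm"}},
    {"sha256": "44" * 32, "type": "Win32 EXE",
     "results": {"EngineA": "Exploit.Win32.CVE-2017-0144", "EngineB": "Trojan.Agent"}},
    {"sha256": "55" * 32, "type": "Win32 EXE",
     "results": {"EngineA": "Trojan.Agent", "EngineB": "Malware.Generic"}},  # not an exploit
    {"sha256": "66" * 32, "type": "PDF",
     "results": {"EngineA": "Exploit.PDF.CVE_2010_0188", "EngineB": None}},
]

# Detection names write CVE IDs as "CVE-2017-0199", "CVE_2017_0199" or
# "cve-2017-0199"; accept all of these and normalise to the canonical form.
CVE_RE = re.compile(r"CVE[-_](\d{4})[-_](\d{4,7})", re.IGNORECASE)

OFFICE_TYPES = ("MS Word", "MS Excel", "MS PowerPoint", "Office Open XML", "Rich Text Format")
PE_TYPES = ("Win32 EXE", "Win32 DLL", "Win64 EXE", "Win64 DLL")


def file_category(vt_type):
    """Map VirusTotal's free-text file type to the coarse buckets used in the article."""
    if vt_type.startswith(OFFICE_TYPES):
        return "Office"
    if vt_type.startswith(PE_TYPES):
        return "PE"
    return vt_type


def cves_in_record(record):
    """Return the set of canonical CVE IDs mentioned in any engine's detection name."""
    found = set()
    for name in record["results"].values():
        if not name:
            continue
        for year, num in CVE_RE.findall(name):
            found.add(f"CVE-{year}-{num}")
    return found


def is_exploit_verdict(record):
    """Any engine calling the file an exploit, or citing a CVE, makes it a candidate."""
    for name in record["results"].values():
        if name and ("exploit" in name.lower() or CVE_RE.search(name)):
            return True
    return False


def summarize(records):
    """Filter to exploit-flagged files and tally file-type share and CVE frequency."""
    candidates = [r for r in records if is_exploit_verdict(r)]
    types = Counter(file_category(r["type"]) for r in candidates)
    cves = Counter()
    for r in candidates:
        cves.update(cves_in_record(r))  # each file counts once per CVE it mentions
    total = len(candidates)
    return {
        "candidates": total,
        "type_share": {t: round(100.0 * n / total, 1) for t, n in types.items()},
        "top_cves": cves.most_common(),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
```

On the constructed sample this reports five candidates, an Office share of 60.0%, and CVE-2017-0199 as the most common tag. When run on real VirusTotal output, the CVE regex is the part worth tuning: engines disagree on naming, and a detection name with no CVE at all ("Exploit.Sandworm" above) is still counted as an exploit verdict but contributes nothing to the CVE tally.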

Findings indicate older flaws, which often have easily accessible exploits or tutorials, remain popular among less advanced threat actors, red teams, and penetration testers. Researchers point out the attackers who use VirusTotal to conduct testing are likely of low sophistication and have "minimal concern" for the operational security of their work. Those who create and sell zero-day exploits more likely use other methods, such as no-distribute antivirus scanners.

Exploits do not fade away but can continue to prove reliable as legacy systems are still in use. "We do not get to stop defending against a vulnerability when the headlines go away," researchers report. Eight of the top 10 CVEs they saw had open source exploit code available, making these easily accessible to attackers who want to incorporate them into their toolsets.

Read the full report here.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.
