Microsoft Office Files Most Popular for Exploit Tests

A new report examines attacker methodologies to better understand how exploit testing is conducted in the wild.

Dark Reading Staff, Dark Reading

June 4, 2020


Security researchers who analyzed attackers' exploit testing process concluded that exploits never go out of style. Many can remain popular and reliable tools over time, partly due to dependence on legacy systems.

Recorded Future's Insikt Group sought to track exploit development and understand how attackers test exploits, whether written from scratch or built by modifying existing exploit code. To learn how this process unfolds in the wild, researchers evaluated several methodologies for finding code being used to test exploits in VirusTotal data. Based on VirusTotal's exploit verdicts, their research unearthed 621 files containing exploit code submitted between Nov. 1, 2019, and April 1, 2020.

They learned Microsoft Office files made up the largest share (45.7%) of potential testing files, followed by Portable Executable (Windows binary) files. The most commonly tested flaws are CVE-2014-6352 (Sandworm) and CVE-2017-0199. Attackers were usually seen testing exploits for Microsoft products, which researchers say is very likely due to the ubiquity of these tools.

Findings indicate older flaws, which often have easily accessible exploits or tutorials, remain popular among less advanced threat actors, red teams, and penetration testers. Researchers point out the attackers who use VirusTotal to conduct testing are likely of low sophistication and have "minimal concern" for the operational security of their work. Those who create and sell zero-day exploits more likely use other methods, such as no-distribute antivirus scanners.

Exploits do not fade away; they remain reliable for as long as the legacy systems they target stay in use. "We do not get to stop defending against a vulnerability when the headlines go away," researchers report. Eight of the top 10 CVEs they saw had open source exploit code available, making them easily accessible to attackers who want to incorporate them into their toolsets.

Read the full report here.

