Security researchers who analyzed attackers' exploit testing process concluded that exploits never go out of style. Many can remain popular and reliable tools over time, partly due to dependence on legacy systems.
Recorded Future's Insikt Group sought to track exploit development and understand how attackers test the exploits they develop, or how they modify existing exploit code. To learn how this process unfolds in the wild, the researchers evaluated several methodologies for finding code that was being used to test exploits in VirusTotal data. Their research unearthed 621 files containing exploit code, based on VirusTotal's exploit verdicts, submitted between Nov. 1, 2019, and April 1, 2020.
They learned Microsoft Office files made up the largest share (45.7%) of potential testing files, followed by Portable Executable (Windows binary) files. The most commonly tested flaws are CVE-2014-6352 (Sandworm) and CVE-2017-0199. Attackers were usually seen testing exploits for Microsoft products, which researchers say is very likely due to the ubiquity of these tools.
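The kind of tallying the report describes (share of exploit-bearing submissions by file type, and which CVEs appear most often) can be reproduced by a defender over their own sandbox or scanner output. The script below is an added example, not code from the Insikt Group report: it assumes a list of VirusTotal-style records (constructed here, not real submissions) each carrying a file-type description and the verdict strings assigned by AV engines, extracts CVE identifiers from those verdict strings, and then computes the two summaries. The file-type buckets and the record field names are assumptions for the sake of the example.

```python
"""Tally exploit-test submissions by file type and by CVE.

Added example, not from the Recorded Future report. Input records are
constructed here; the field names ("type", "verdicts") and the coarse
file-type buckets are assumptions, not a VirusTotal schema.
"""
import re
from collections import Counter

# Matches CVE ids embedded in AV verdict names, e.g. "Exploit.CVE-2017-0199.Gen".
CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4,7})", re.IGNORECASE)

# Constructed sample records (hashes and verdicts are placeholders, not real data).
SAMPLE_RECORDS = [
    {"sha256": "a" * 64, "type": "Office Open XML Document",
     "verdicts": ["Exploit.CVE-2017-0199.Gen", "Trojan.Generic"]},
    {"sha256": "b" * 64, "type": "Rich Text Format",
     "verdicts": ["Exploit.CVE-2017-11882", "Exploit.RTF.CVE-2017-0199"]},
    {"sha256": "c" * 64, "type": "Win32 EXE",
     "verdicts": ["Exploit.CVE-2014-6352.A"]},
    {"sha256": "d" * 64, "type": "PDF document",
     "verdicts": ["Trojan.Generic"]},          # no CVE named: not an exploit verdict
    {"sha256": "e" * 64, "type": "MS Word Document",
     "verdicts": ["Exploit.MSOffice.cve-2017-0199.a"]},
    {"sha256": "f" * 64, "type": "PE32 executable",
     "verdicts": ["Exploit.CVE-2017-11882"]},
]


def extract_cves(verdicts):
    """Return the set of normalised CVE ids named in any verdict string."""
    found = set()
    for verdict in verdicts:
        for year, num in CVE_RE.findall(verdict):
            found.add(f"CVE-{year}-{num}")
    return found


def classify_type(type_desc):
    """Map a free-text file-type description to a coarse bucket (assumed buckets)."""
    t = type_desc.lower()
    if any(k in t for k in ("office", "word", "excel", "powerpoint", "rich text")):
        return "Office"
    if any(k in t for k in ("pe32", "win32 exe", "executable")):
        return "PE"
    if "pdf" in t:
        return "PDF"
    return "Other"


def summarize(records):
    """Return (share of exploit files by type, CVE counter).

    Only records whose verdicts name at least one CVE are counted, mirroring
    the report's filter of "files containing exploit code" by scanner verdict.
    """
    type_counts = Counter()
    cve_counts = Counter()
    exploit_files = 0
    for rec in records:
        cves = extract_cves(rec["verdicts"])
        if not cves:
            continue
        exploit_files += 1
        type_counts[classify_type(rec["type"])] += 1
        for cve in cves:          # a file naming two CVEs counts once for each
            cve_counts[cve] += 1
    shares = {t: round(n / exploit_files, 3) for t, n in type_counts.items()} if exploit_files else {}
    return shares, cve_counts


def top_cves(records, n=3):
    """Return the n most frequently named CVEs, most common first."""
    _, cve_counts = summarize(records)
    return [cve for cve, _ in cve_counts.most_common(n)]


if __name__ == "__main__":
    shares, counts = summarize(SAMPLE_RECORDS)
    print("share by file type:", shares)
    print("top CVEs:", counts.most_common(3))
```

Run against real scanner output, the same two functions tell you which old CVEs keep turning up in submissions from your environment, which is the actionable point of the report: patch coverage for those specific flaws matters long after the headlines fade.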
Findings indicate older flaws, which often have easily accessible exploits or tutorials, remain popular among less advanced threat actors, red teams, and penetration testers. Researchers point out the attackers who use VirusTotal to conduct testing are likely of low sophistication and have "minimal concern" for the operational security of their work. Those who create and sell zero-day exploits more likely use other methods, such as no-distribute antivirus scanners.
Exploits do not fade away but can continue to prove reliable as legacy systems are still in use. "We do not get to stop defending against a vulnerability when the headlines go away," researchers report. Eight of the top 10 CVEs they saw had open source exploit code available, making these easily accessible to attackers who want to incorporate them into their toolsets.
Read the full report here.