In cybersecurity terminology, an exploit is a bit of code or a program that takes advantage of vulnerabilities or flaws in software or hardware.
An exploit is not malware, but rather a way to deliver malware like ransomware or viruses.
The goal of exploits is to install malware or to infiltrate and initiate denial-of-service (DoS) attacks, for example.
Aamir Lakhani, Global Security Strategist and Researcher at Fortinet
The recent exponential growth of computer peripherals, software advances, and edge and cloud computing has led to a corresponding increase in vulnerabilities.
Of course, cybercriminals welcome having more systems to attack with exploit kits.
What Is an Exploit Kit?
Exploit kits (EKs) are automated programs used by cybercriminals to exploit systems or applications.
What makes an exploit kit especially dangerous is its ability to identify victims while they browse the web.
After identifying a potential victim's vulnerabilities, attackers can download and execute their malware of choice.
Examining How Exploit Kits Work
Exploit kits work silently and automatically, seeking to identify vulnerabilities on a user's machine while the user browses the web.
Currently, exploit kits are the preferred method by which cybercriminals distribute remote access tools (RATs) or mass malware, especially those seeking to profit financially from an exploit.
EKs don't require victims to download a file or attachment.
The victim needs only to browse a compromised website; that site then pulls in hidden code that attacks vulnerabilities in the user's browser.
For an exploit kit attack to succeed, the following events must occur:
Targeting a compromised website, which discreetly diverts web traffic to another landing page
Running exploit code on the host, using a vulnerable application (typically the browser or a plug-in) as the gateway
Sending a payload to infect the host once the exploit is successful
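The three-step chain above (compromised site, redirect to a landing page, exploit stage, then a binary payload) leaves a recognisable trail in web proxy logs. The following detection sketch is an added example, not code from the article or from Fortinet: it walks Referer headers backwards from every binary download and flags chains that cross three or more hosts, include a plug-in exploit stage, and complete within a short window. The log format, hostnames and content types are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse
# Constructed proxy log (not from the article): timestamp client method url referer content-type
SAMPLE_LOG = """\
2016-11-01T10:00:01 10.0.0.5 GET http://news.example/story.html - text/html
2016-11-01T10:00:03 10.0.0.5 GET http://gate.redirect-example.net/r?id=7 http://news.example/story.html text/html
2016-11-01T10:00:04 10.0.0.5 GET http://land.ek-example.org/index.php?k=3 http://gate.redirect-example.net/r?id=7 text/html
2016-11-01T10:00:05 10.0.0.5 GET http://land.ek-example.org/f.swf http://land.ek-example.org/index.php?k=3 application/x-shockwave-flash
2016-11-01T10:00:07 10.0.0.5 GET http://land.ek-example.org/p.exe http://land.ek-example.org/index.php?k=3 application/octet-stream
2016-11-01T10:05:00 10.0.0.9 GET http://news.example/story.html - text/html
"""
# Content types that signal an exploit stage (plug-in content) and a dropped payload (raw binary).
EXPLOIT_TYPES = {"application/x-shockwave-flash", "application/java-archive", "application/x-silverlight-app"}
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload"}

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, client, _method, url, referer, ctype = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "client": client,
                     "url": url, "referer": referer, "ctype": ctype})
    return rows

def referer_chain(row, by_url):
    """Walk Referer headers backwards from `row` to the page the user first visited."""
    chain, ref = [row["url"]], row["referer"]
    while ref in by_url and ref not in chain:          # stops at '-' (no referer) or on a loop
        chain.append(ref)
        ref = by_url[ref]["referer"]
    return chain[::-1]

def find_driveby_chains(log_text, window=timedelta(seconds=30)):
    """Return chains that cross 3+ hosts, carry a plug-in exploit stage, and end in a binary download."""
    by_client = defaultdict(list)
    for r in parse_log(log_text):
        by_client[r["client"]].append(r)
    hits = []
    for client, reqs in by_client.items():
        by_url = {r["url"]: r for r in reqs}
        exploit_hosts = {urlparse(r["url"]).hostname for r in reqs if r["ctype"] in EXPLOIT_TYPES}
        for r in reqs:
            if r["ctype"] not in PAYLOAD_TYPES:
                continue
            chain = referer_chain(r, by_url)
            hosts = [urlparse(u).hostname for u in chain]
            elapsed = r["ts"] - by_url[chain[0]]["ts"]
            if len(set(hosts)) >= 3 and hosts[-1] in exploit_hosts and elapsed <= window:
                hits.append({"client": client, "chain": chain, "seconds": elapsed.total_seconds()})
    return hits
```

Real proxies often strip or rewrite Referer, so in production this heuristic is usually paired with per-client timing and content-type sequencing rather than relied on alone.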
Examples of Exploit Kits
Below is a list of exploit kits that have been used by cybercriminals in the past:
Angler
In the mid-2010s, Angler was one of the most powerful and frequently used EKs, enabling zero-day attacks on Flash, Java, and Silverlight.
According to The Register, "At its…peak, the authors [of the Angler] were responsible for a whopping 40% of all exploit kit infections having compromised nearly 100,000 websites and tens of millions of users, generating some US$34 million annually."
Blackhole
The origins of the Blackhole exploit kit go back to 2010.
It was apparently the preferred tool of cybercriminals for running drive-by downloads for over three years, until the 2013 arrest of its author.
After finding a website that could be exploited, cybercriminals would plant the Blackhole exploit kit there and expose visitors to Blackhole-powered attacks.
The exploit kit then downloaded malware (often ransomware) onto visitors' PCs by taking advantage of any browser, Java, or Adobe Flash plug-in vulnerability it found.
Fiesta
In 2014, the Fiesta exploit kit gained popularity following the decline of the Blackhole exploit kit, whose source code had been leaked and whose author had been arrested.
Like earlier EKs, Fiesta worked by compromising a vulnerable website.
After the website was compromised, visitors were redirected to a Fiesta landing page controlled by cybercriminals.
Different exploits were then downloaded based on the characteristics of the victim's computer.
Flashpack
The Flashpack exploit kit was also popular with cybercriminals in 2014, when there were campaigns that abused advertising networks.
Flashpack EK was used to distribute various pieces of malware, including the information-stealing malware Zeus, the Dofoil Trojan, and the Cryptowall ransomware.
Researchers found that the Flashpack EK used free ads to distribute the threats.
An example: when users accessed a website that served malicious ads (a.k.a. malvertising), they were brought by way of multiple redirects to a Flashpack exploit kit page that served up ransomware.
GrandSoft
The GrandSoft exploit kit was another malvertising-based threat that redirected unsuspecting users and installed password-stealing trojans, ransomware, and clipboard hijackers on their machines.
In 2019, the GrandSoft EK was pushing the Ramnit banking trojan, which attempted to steal victims' saved login credentials, online banking credentials, FTP accounts, and browser history, and to perform site injections, among other things.
HanJuan
In 2015, the HanJuan exploit kit was popular and helped cybercriminals facilitate malvertising attacks.
It used false ads and shortened URLs to trick users into landing on a webpage hosting the HanJuan EK, which targeted vulnerabilities in Adobe Flash Player (CVE-2015-0359) and the Internet Explorer browser (CVE-2014-1776).
Hunter
Another exploit kit that was popular with cybercriminals in 2015 was the Hunter EK, which initially targeted Brazilians via phishing email.
When the victim's machine was compromised, a variant of a Brazilian banking trojan generically known as "Bancos" launched.
This trojan used man-in-the-browser (MITB) techniques to steal banking and other financial credentials.
Magnitude
The Magnitude exploit kit, like other EKs, is a framework hosted by malicious actors to target browser vulnerabilities, particularly in Internet Explorer.
As IE's popularity has declined, the Magnitude exploit kits that target Microsoft's browser have become much less active.
Still, as recently as 2019, cybercriminals were using Magnitude EK in specific geographic regions where IE still held a sizable share of the market, such as South Korea.
In the fall of 2021, SecurityWeek reported that the Magnitude EK was "active" after it "added to its arsenal exploits for CVE-2021-21224 and CVE-2021-31956."
Neutrino
According to the Bank Info Security website, the Neutrino EK was "At one time [2016] ranked as one of the world's most popular exploit kits.
Also known as exploit packs, these tools enable anyone – no coding experience required – to run large-scale campaigns designed to infect massive quantities of PCs with malware, turning them into 'zombie' nodes in a botnet."
Nuclear
The Nuclear exploit kit was another cybercriminal favorite in the mid-2010s.
According to an April 2016 Ars Technica article, Nuclear EK had "A sophisticated multi-tier server architecture, with a single master server providing automatic updates to 'console' servers, the systems used by paying customers to access and customize their particular paid attack packages.
Those console servers in turn manage a rotating stock of landing pages served up through malicious links, exploited web pages and malicious advertisements."
RIG
In a November 2016 article on the ThreatPost website, the author says that at that time the "Most prolific exploit kit is RIG, which has filled a void left by the departure of Angler, Neutrino and Nuclear."
The post goes on to outline the "unique" way "The RIG exploit kit combines different web technologies such as DoSWF, JavaScript, Flash and VBscript to obfuscate attacks."
Threat researchers add that "A RIG attack is a three-pronged attack strategy that leverages either a JavaScript, Flash, VBscript-based attacks as needed."
Sundown
At the end of 2016, SecurityWeek ran a piece on its website about the Sundown exploit kit, which used "A technique called steganography to hide its exploits in harmless-looking image files."
The practice of hiding information within a file had by this time become "increasingly used by malicious actors, including malvertising campaigns."
Analysis of Sundown EK campaigns revealed that attackers used PNG images to disguise various exploits, including ones targeting Internet Explorer and Flash Player vulnerabilities.
Sweet Orange
The Sweet Orange exploit kit was also popular with criminals in the mid-2010s.
It targeted the Windows operating systems Windows 8.1 and Windows 7, as well as the web browsers Internet Explorer, Firefox, and Google Chrome.
Sweet Orange EK's authors tried to prevent the security community from getting access to the kit's source code.
They did this by limiting messages posted on invite-only, cybercrime-friendly web communities and by selling the kit only to those with an established cybercrime reputation.
More to the Story
Today, older kits have been leaked and are publicly available.
Attackers have been taking these older kits and modifying them to make them more resilient to newer detection strategies.
Many of these kits are also advertised for sale online.
Attackers offer the kits for rent on these sites, along with support and update contracts that promise they will keep working against future software updates.
What Should You Do?
Protect Your Endpoints: Deploy advanced, automated endpoint protection, detection, and response.
Web Security: Protect against web threats hidden in both encrypted and unencrypted traffic.
Internal Segmentation: Segment network and infrastructure assets regardless of their location, whether on-premises or across multiple clouds.
Zero Trust Access: As users continue to work from anywhere and IoT devices flood networks and operational environments, continuously verify all users and devices as they access corporate applications and data.