A recent analysis of exploit kit activity by Trend Micro has shown that while exploit kit activity is at a fraction of what it was in 2016, the threat has not gone away. Links to malicious websites hosting exploit kits are still being distributed by spam email and malicious adverts are still being used to redirect web users to malicious websites hosting exploit kits.
Most of the exploit kits that were in use in 2016 have all but disappeared – Angler, Nuclear, and Neutrino. There was a rise in Sundown activity in 2017, but activity has now stopped, and Disdain and Terror exploit kits have similarly disappeared.
The demise of exploit kits as an attack vector has been attributed, in part, to the arrests of the operators of some of the most commonly used EKs such as Angler, although there have been fewer zero-day vulnerabilities to exploit. Many of the exploits used in exploit kits are for Flash vulnerabilities, and while use of Flash is declining, the creators of exploit kits are still attempting to exploit a handful of these Adobe Flash vulnerabilities. Many threat actors have switched to easier and less time-consuming ways of attacking businesses, but not all.
While most exploit kits are operating at a low level, the Rig exploit kit is still in use and has recently been updated once again. Further, there has been a steady increase in Rig exploit kit activity since April. Rig is most commonly used in attacks in Japan, which account for 77% of Rig activity.
The GrandSoft exploit kit is still active, although at a much lower level than Rig. This exploit kit was first seen in 2012 although activity all but disappeared until the fall of last year when it became active once again. Japan is also the country most targeted by the GrandSoft exploit kit (55% of activity), while the private exploit kit Magnitude is almost exclusively used in South Korea, which accounts for 99.5% of its activity.
For the most part, exploit kits are being used to exploit vulnerabilities that should have been patched long ago, such as the use-after-free vulnerability in Microsoft Windows’ VBScript engine (CVE-2018-8174) which was identified in April 2017 and patched in May 2017.
Internet Explorer vulnerabilities are also being exploited on vulnerable systems, with at least two exploits for IE flaws included in GrandSoft recently. Research conducted by Palo Alto networks showed that out of 1,583 URLs found in malicious emails, the majority were linked to exploit kits including Rig, Sundown, Sinowal, and KaiXin, with the latter still evolving with new exploits still being added – CVE-2016-0189 and CVE-2014-6322 – both IE VBScript flaws – the most commonly used.
Trend Micro has warned that the recent increase in zero-days – there were 119 last year – could see at least some exploits for these vulnerabilities introduced into exploit kits. MalwareBytes reported last month that a zero-day flaw in Flash Player’s ActionScript language had been incorporated into one exploit kit and was being actively used in attacks.
The fact that exploit kits are still being used strongly suggests that they are still working, which means that many systems are not being patched.
The threat from exploit kits does not appear to be going away, so it is still essential for businesses to ensure they are protecting against attacks.
Strict patch management practices are still important, as is the use of a web filter. Drive-by downloads still occur – unintentional downloads of malware by users in the belief that the files are genuine. Implementing a web filter can help to block these malware downloads, either by blocking specific file types or preventing end users from visiting known malicious websites. Web filters can also be used to block adware, which continues to plague businesses.