Top 3 Exploit Kit Threats

It's no secret that the threat landscape provides as many twists and turns as an M. Night Shyamalan flick, with new tactics and malware variants cropping up on a seemingly daily basis. With the enormous task of measurably reducing cyber risk within the business, security practitioners couldn't possibly be expected to stay on top of each threat aimed at their organization, but chances are the C-suite expects them to.

As headlines continue to glom on to massive cybersecurity events, like the recent WannaCry ransomware attacks or the distributed denial-of-service assaults launched by IoT botnets, we've decided to focus on highlighting one that cybercriminals have been leveraging for years: exploit kits (EKs).

These hacking toolkits take advantage of vulnerabilities in systems and devices with the ultimate goal of compromising the machines. From there, attackers can benefit in multiple ways – from siphoning financial information to make illegal purchases to swiping sensitive data they could sell in the cyber underground. As Trend Micro describes, the typical exploit kit features a management console, vulnerabilities for different applications, and other functions that make it a user-friendly attack method for cyber swindlers.

EKs have been spotted since 2006, and their use has grown and subsided as other attack methods gained popularity. Today, EKs are still widely leveraged, so we've caught up with one security expert who highlighted three that should be on your radar and what you can do to protect your organization and employees.

The Expert

Holger Unterbrink

The Exploit Kits

1. Magnitude

At one point, the Magnitude EK was the talk of the town for cybercriminals, netting as much as $60,000 per week for some. This cyber threat first broke out onto the scene after a successful attack against PHP.net in 2013 which resulted in users being redirected to Magnitude via a compromised JavaScript file. Once there, the EK targeted two common vulnerabilities within Adobe Flash – CVE-2014-0515 and CVE-2014-0569 – to compromise visitors. EKs such as Magnitude are typically used for “mass rooting,” says Holger Unterbrink, a security researcher at Cisco Talos. “Since the middle of last year, we are seeing a lot of movement in the exploit kit market,” Unterbrink says. Although the activity for many large EKs – like Angler and Magnitude – has subsided, this doesn’t mean that they’re not being leveraged by cyber crooks. In many cases, their activity may have gone “private,” meaning they’re only used by a small threat group or are not available for rent anymore, Unterbrink says.

2. RIG

The arrest of a Russian cybercrime gang in the summer of 2016 marked the demise of the Angler EK, one of the most notorious cyber threats to date, which was credited with the lion’s share of EK activity. Once Angler was seemingly out of the picture, the RIG EK attempted to fill the gap. Like other EKs, the threat actors behind RIG used gates to redirect their victims to it. But RIG was unique in that it combined different web technologies, such as JavaScript, Flash, and VBScript, to conceal the attack and “make it difficult to reverse engineer and determine how the attack progresses to completion,” according to research by Talos Security. Going one step further, the malware authors also made sure that the scripts looked different for every session, so that the attack cannot be detected by simple string matches or hash values. Once the EK market seemed to go silent, new threats “like RIG, took over the market leadership,” Unterbrink says. Some experts have even deemed RIG the EK to watch out for in the summer of 2017.
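The point that per-session script variation defeats hash and string matching can be shown concretely. The following is an added example (an illustration written for this page, not code from the article or from Talos): it tokenizes two constructed, benign script variants that differ only in renamed identifiers and literals, shows that their raw SHA-256 hashes differ, and shows that a hash over the normalized token skeleton still matches; the sample scripts and the `normalize` helper are assumptions for the illustration.

```python
import hashlib
import re

# Constructed, benign sample scripts standing in for two "sessions" of a
# page that renames identifiers and literals on every visit. They are not
# exploit kit code; they only reproduce the per-session renaming behaviour.
SESSION_A = 'var counter = 0; function tick(step) { counter = counter + step; return counter; } tick(3);'
SESSION_B = 'var qZx91 = 0; function Lp_0(a7) { qZx91 = qZx91 + a7; return qZx91; } Lp_0(9);'
UNRELATED = 'document.title = "hello";'

# Minimal JavaScript tokenizer: whitespace, string and number literals,
# identifiers, and single-character punctuation.
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<str>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')
  | (?P<num>\d+(?:\.\d+)?)
  | (?P<ident>[A-Za-z_$][\w$]*)
  | (?P<punct>[^\sA-Za-z0-9_$])
""", re.VERBOSE)

# Language keywords are kept verbatim; everything an author can freely
# rename (identifiers, literals) collapses to a placeholder.
KEYWORDS = {"var", "let", "const", "function", "return", "if", "else",
            "for", "while", "new", "this", "typeof", "true", "false", "null"}

def normalize(script: str) -> str:
    """Reduce a script to its control/structure skeleton."""
    out = []
    for m in TOKEN_RE.finditer(script):
        kind, text = m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind == "ident":
            out.append(text if text in KEYWORDS else "ID")
        elif kind == "str":
            out.append("STR")
        elif kind == "num":
            out.append("NUM")
        else:
            out.append(text)
    return " ".join(out)

def raw_hash(script: str) -> str:
    """What a hash blocklist sees: changes with every renamed variable."""
    return hashlib.sha256(script.encode()).hexdigest()

def structural_hash(script: str) -> str:
    """Hash of the normalized skeleton: stable across per-session renaming."""
    return hashlib.sha256(normalize(script).encode()).hexdigest()

if __name__ == "__main__":
    print("raw hashes equal:       ", raw_hash(SESSION_A) == raw_hash(SESSION_B))
    print("structural hashes equal:", structural_hash(SESSION_A) == structural_hash(SESSION_B))
```

A structural hash is one signal, not a verdict: unrelated scripts with the same token shape collide, and an obfuscation pass that changes control structure between sessions defeats it, so pair it with behavioural indicators such as the redirect chain and the plugin probing the article describes.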

3. Terror

And then there was one. In a cybercriminal's eyes, the Terror EK is like the latest jersey from your favorite Premier League team. Sure, you already have last season's kit and this season's hasn't changed too much, but there are just enough new details to entice you to purchase it. Researchers picked up on Terror's activity recently, and it is gaining momentum. With recent enhancements, which include anti-detection features and JavaScript code that evaluates the victim's browser environment, Terror has evolved quickly. This EK is another one of the "new players" that Unterbrink says security practitioners should be aware of. The latest research on this EK indicates that once it evaluates data regarding the victim's environment, it searches for successful exploits "depending on the victim's operating system, patch level, browser version, and installed plugins." As of late, EKs aren't using zero-days anymore, says Unterbrink. "The campaigns are almost totally relying on the exploitation of known vulnerabilities," he says.

The Advice

Prepare your employees

A common mistake that many security managers make is overestimating the knowledge and security behavior of their users, Unterbrink says. To combat any of these EKs, user education is probably the most important solution. “These EKs mainly use known vulnerabilities as well as social engineering and phishing tactics to exploit users,” says Unterbrink. “As a result, end user education becomes an important aspect of protection.” An employee who is trained in recognizing spam and spotting phishing emails goes a very long way. Unterbrink suggests enlisting the help of the many third-party companies that provide user awareness programs and fake phishing services to train users up.

Layer your security

Security managers should be implementing countermeasures such as defense-in-depth. According to Unterbrink, this is the kind of “state of the art” approach to security that organizations should have in place. “Network security combines multiple layers of defenses at the edge and in the network,” he says. “Each network security layer implements policies and controls. Authorized users gain access to network resources, but malicious actors are blocked from carrying out exploits and threats.” When it comes to endpoints, advanced malware protection isn’t a bad idea, because it also provides detailed forensic information to analyze attack chains and prevent future ones from taking place.

Patch

Although Unterbrink believes that EK activity will continue to decline as operating systems grow more secure, security updates remain of the utmost importance. Since EKs are known to focus on exploiting known vulnerabilities, it is imperative to make sure security bugs are fixed in time. “Users and security teams must keep all software – especially Office apps and browser plugins – up to date to ensure that all known vulnerabilities are patched,” Unterbrink says.