Exploit kits remain a cybercrime staple against outdated software – 2016 threat landscape review series
Despite the disruption of Axpergle (Angler), which dominated the landscape in early 2016, exploit kits as a whole continued to be a threat to PCs running unpatched software. Some of the most prominent threats, from malvertising to ransomware, used exploit kits to infect millions of computers worldwide in 2016.
The prevalence of exploit kits as an infection vector can be attributed to these factors: 1) they continue to use old but effective exploits while efficiently integrating new ones, 2) they are easily obtained from underground cybercriminal markets; and 3) there remains a significant number of machines that are potentially vulnerable because they run unpatched software.
Using up-to-date browser and software remains to be the most effective mitigation against exploit kits. Upgrading to the latest versions and enabling automatic updates means patches are applied as soon as they are released.
(Note: This blog post is the first in the 2016 threat landscape review series. In this blog series, we look back at how major areas in the threat landscape, including ransomware, macro malware, support scam malware, and unwanted software, have transformed over the past year. We will discuss trends that have emerged, as well as security solutions that tackle threats as they evolve.)
Meadgive gained ground as Axpergle is disrupted
In the first five months of 2016, Axpergle (also known as Angler exploit kit) infected around 100,000 machines monthly. However, sometime in June, the exploit kit vanished. Reports associated this development with the arrest of 50 hackers in Russia.
Axpergle is primarily associated with the delivery of the 32- and 64-bit versions of Bedep, a backdoor that also downloads more complex and more dangerous malware, such as the information stealers Ursnif and Fareit.
Figure 1. Monthly encounters by exploit kit family
The disappearance of Axpergle made way for other exploit kits as cybercriminals presumably looked for alternatives. The Neutrino exploit kit started dominating for around three months, but scaled down in September. Reports say that Neutrino operators went into “private” mode, choosing to cater to select cybercriminal groups.
A look at the year-long trend shows that Meadgive (also known as RIG exploit kit) filled the hole left by Axpergle and Neutrino (and Nuclear before them). By the end of 2016, while overall volume has gone down, most exploit kit activity can be attributed to Meadgive.
Meadgive has been around since March 2014. Attackers who use Meadgive typically inject a malicious script island into compromised websites. When the compromised site is accessed, the malicious script, which is usually obfuscated, loads the exploit. Recently, Meadgive has primarily used an exploit for the Adobe Flash vulnerability CVE-2015-8651 that executes a JavaScript file, which then downloads an encrypted PE file.
Even with the decreased activity, exploit kits continue to be a global threat, having been observed in more than 200 countries in 2016. They affect the following countries the most:
- United States
- Canada
- Japan
- United Kingdom
- France
- Italy
- Germany
- Taiwan
- Spain
- Republic of Korea
Figure 2. Geographic distribution of exploit kit encounters
Exploit kits in the ransomware trail
As exploit kits have become reliable means to deliver malware, it is not surprising that ransomware, currently the most prevalent malware, continue to use them as launch pads for infection.
Meadgive, for instance, is known for delivering one of the most active ransomware in 2016. As late as December 2016, we documented new Cerber ransomware versions being delivered through a Meadgive exploit kit campaign, on top of a concurrent spam campaign.
Neutrino, which temporarily dominated in 2016, is associated with another prominent ransomware family. Like Cerber, Locky also uses both exploit kits and spam email as vectors. With the decreased activity from Neutrino, we’re seeing Locky being distributed more and more through spam campaigns.
Top malware families associated with exploit kits
Malware family | Related exploit kit family |
Backdoor:Win32/Bedep | Axpergle (Angler) |
Backdoor:Win64/Bedep | Axpergle (Angler) |
Ransom:Win32/Cerber | Meadgive (RIG) |
Ransom:Win32/Locky | Neutrino |
Trojan:Win32/Derbit | SundownEK |
Integrating exploits at a slower rate
While exploit kits rely on exploits for patched vulnerabilities, they also continually update their arsenal with newer exploits in the hope of casting bigger nets. This also allows them to take advantage of the window of opportunity between the release of a security fix and the time it is actually applied by users. Notably, the rate with which exploit kits integrate exploits for newly disclosed vulnerabilities is lower than in previous years.
Of the major exploits used by kits in 2016, one is relatively old—an exploit for a Microsoft Internet Explorer bug that was disclosed and patched back in 2014 (CVE-2014-6332). Four major kits use an exploit for the Adobe Flash vulnerability CVE-2015-8651, which was patched back in 2015.
Three exploits disclosed in 2016 were seen in exploit kits, showing that operators still attempt continually improve their tools. One of these is a zero-day exploit for Adobe Flash (CVE-2016-1019) used by Pangimop at least five days before it was patched. However, this particular zero-day is a “degraded” exploit, which means that it worked only on older versions of Adobe Flash. The exploit did not affect the latest version of the software at the time, because Adobe previously introduced stronger exploit mitigation, which Microsoft helped build.
Major exploits used by exploit kits
Exploit | Targeted Product | Exploit kit | Date patched | Date first seen in exploit kit |
CVE-2014-6332 | Microsoft Internet Explorer (OLE) | NeutrinoEK | November 11, 2014 (MS14-064) | November 19, 2014 |
CVE-2015-8651 | Adobe Flash | Axpergle, NeutrinoEK, Meadgive, SteganoEK | December 28, 2015 (APSB16-01) | December 28, 2015 |
CVE-2016-0189 | Microsoft Internet Explorer | NeutrinoEK | May 10, 2016 (MS16-051) | July 14, 2016 |
CVE-2016-1019 | Adobe Flash | Pangimop, NeutrinoEK | April 7, 2016 (ASPB16-10) | April 2, 2016 (zero-day) |
CVE-2016-4117 | Adobe Flash | NeutrinoEK | May 12, 2016 (ASPB16-15) | May 21, 2016 |
We did not see exploit kits targeting Microsoft’s newest and most secure browser, Microsoft Edge, in 2016. Only a few days into the new year, however, SundownEK was updated to include an exploit for an old vulnerability that was patched a couple of months prior. Microsoft Edge applies patches automatically by default, rendering the exploit ineffective.
It was also SundownEK that integrated steganography in late 2016. Steganography, a technique that is not new but getting more popular with cybercriminals, hides information like malicious code or encryption keys in images.
Instead of loading the exploit directly from a landing page, SundownEK downloads an image that contains the exploit code. This method is employed to avoid detection.
Stopping exploit kits with updates and a secure platform
While we see a willingness among cybercriminals to switch from exploit kits to spam and other vectors, there is a clear desire to continue using kits. We see cybercriminals switch from one kit to another, replacing kits as they become unavailable. Meanwhile, exploit kit authors continue to keep their wares attractive to cybercriminals by incorporating new exploits.
Keeping browsers and other software up-to-date can counter the impact of exploit kits. Microsoft Edge is a secure browser that gets updated automatically by default. It also has multiple built-in defenses against exploit kits that attempt to download and install malware. These defenses include on-by-default sandboxing and state of the art exploit mitigation technologies. Additionally, Microsoft SmartScreen, which is used in both Microsoft Edge and Internet Explorer 11, blocks malicious pages, such as landing pages used by exploit kits.
At the same time, running a secure platform like Windows 10 enables users to benefit from advanced security features.
Windows Defender uses IExtensionValidation (IEV) in Microsoft Internet Explorer 11 to detect exploits used by exploit kits. Windows Defender can also detect the malware that exploit kits attempt to download and execute.
Windows 10 Enterprise includes Device Guard, which can lock down devices and provide kernel-level virtualization based security.
Windows Defender Advanced Threat Protection alerts security operation teams about suspicious activities, including exploitation of vulnerabilities and the presence of malware, allowing them to detect, investigate, and respond to attacks.
MMPC