Attacks/Breaches
2/23/2017
10:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Exploit Kit-Based Attacks Decline Dramatically

But it's too soon to call this downward trend a permanent shift, experts say.

Law enforcement actions and a relative dearth of zero-day bugs appear to have contributed to a sharp decline in exploit kit activity in recent months.

It's too soon, however, to say whether the decline represents a permanent or temporary shift away from the use of exploit kits to drop malicious payloads.

A recent report from Trend Micro showed that attacks involving exploit kits fell from 27 million in 2015 to a mere 8.8 million in 2016. The decline was especially noticeable in the second half of last year when attacks against Trend Micro customers involving the use of the notorious Angler exploit kit dropped to near zero from 3.4 million separate attacks in the first quarter of 2016.

Much of the sudden decline in exploit kit activity, according to Trend Micro, appears related to last year's arrest of 50 individuals in Russia believed associated with the Angler exploit kit. The arrests resulted in an almost immediate and significant drop off in exploit kit activity. To put that in perspective, Angler in 2015 accounted for more than 57% of all recorded incidents involving exploit kits.

In addition, Neutrino and Nuclear, two other popular exploit kits also stopped being actively used in 2016. While it is not clear what prompted their demise, it is likely that a lack of zero-day vulnerabilities played a part. There were a lesser number of zero-day vulnerabilities in 2016 compared to previous years making exploit kits less lethal than usual.

"The shelf life of exploitable vulnerabilities and zero-days is decreasing rapidly," says Patrick Wheeler, director of threat intelligence at Proofpoint another vendor that has reported a sharp decline in exploit kit activity recently. Total exploit kit activity declined a massive 93% between January and September last year, according to Proofpoint

Angler itself has been replaced by another exploit kit dubbed RIG. But overall attack traffic volume associated with exploit kits is nowhere near their highs of 2015.

"Essentially, software developers, security vendors, and organizations are patching vulnerabilities so rapidly now that exploit kits are simply much less effective than they used to be," he says. This has made it hard for threat actors to achieve reasonable returns on their investments in exploit kits.

"Malicious email volumes have increased dramatically while mobile attack kits and [exploit kits] for IoT devices and routers have all emerged to fill the void," he says.

Enterprises should not be lulled into a sense of false security by the drop off in exploit kit activity, says Jon Clay, director of global threat communications at Trend Micro. The decline does not necessarily mean exploit kits will not continue to be used in attacks, he says.

Vulnerable systems are still a viable way to compromise a system and gain a foothold into an organization. Enterprises should not use the trend as an excuse not to do proper patching, he says.

"We have started to see private exploit kits being developed and used by cyber gangs," with the resources to develop such kits on their own, he says. The operators of Lurk and Pawn Storm espionage campaigns are two examples of threat groups that have used their own exploit kits to attack targets, he says.

"So we could be seeing a trend where exploit kits go private versus public," he cautions.

Michael Marriott, a research analyst at Digital Shadows, says there's been a great deal of change in the exploit kit landscape over the past year. But it would be a mistake to overestimate the impact of the demise of Angler and Nuclear exploit kit activity.

He points to the recent public release of source code for an exploit kit dubbed Sundown as one example of the continued threat actor interest in exploit kits. "Following the release of this source code, it’s likely we will see more exploit kits being sold across criminal forums," he says.

"By understanding the most popular exploit kits, as well as the vulnerabilities they most commonly exploit and their favored attack vectors, organizations can learn which vulnerabilities to patch as a priority," Marriott says.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: just wondering...Thanx
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.