Aamil Karimi is a former US Army All-Source intelligence analyst and spent over 6 years in Afghanistan working with the US Army, Air Force Office of Special Investigations, and supporting USSOCOM as an... Read More
Over the last 12 months, Fidelis’ Threat Research Team (TRT) has observed a constant trend in activity related to exploit kits. In addition to older exploit kits like RIG, Magnitude, and Fallout being updated with newer modules and capabilities, 2019 and 2020 saw new variants of this malware type being developed and sporadically surface in campaigns.
Despite being far from their peak in activity seen in 2016, TRT Intelligence assesses that exploit kits are a highly relevant and actionable threat to organizations. This post will highlight the relationship between exploit kits and a familiar topic discussed in our previous blog reports related to prioritizing terrain visibility and the relevance of addressing older, common vulnerabilities.
At a very rudimentary level, an exploit kit (EK) infection works like this: a victim navigates to a compromised webpage (oftentimes via phishing email) or a webpage with a malicious advertisement (also known as malvertising), which then redirects the traffic to another page where the EK is hosted, known as the landing page. The EK then runs various processes or commands from the browser to identify and subsequently exploit any vulnerable software that the EK is capable of exploiting, oftentimes being a browser or browser-based application vulnerability. This is followed up with the downloading of another malware or second-stage payload onto the victim’s computer, which varies by campaign.
Figure 1: Basic Exploit Kit Compromise Chain of Events
Exploit kits (EKs) dominated the cyber threat landscape in the early to mid-2010s, and very suddenly tapered off between 2015 – 2016, although they’ve been around since as early as 2006. The decline in exploit kit activity was marked by the takedown and arrests of operators behind two massive exploit kit networks, BlackHole EK (BHEK) and Angler EK.
For the next few years, the threat of EKs took a backseat to other trends in the cyber threat landscape. Data breaches of high-profile organizations, ransomware compromises, and the pursuit of nation-state adversary attribution have occupied the resources and efforts of both cybersecurity analysts and media outlets. These threats are not necessarily new but have gained much higher levels of interest in recent years. And rightfully so, especially ransomware and breach/exfiltration incidents, which result in tremendous financial and reputational cost to the victim (think Maersk, Home Depot, Equifax, PEMEX, Garmin and the hundreds of other incidents without media coverage).
EKs were eventually deemed an irrelevant threat and interest waned as it was no longer considered trendy. But the work of a handful of diligent researchers and observations over the last 12 months leads Fidelis’ TRT Intelligence to conclude that EKs are anything but irrelevant. EKs have been successfully operating under the radar and should be considered an important and reemerging risk that should start taking a higher priority in research and analysis.
The most well-known EKs are also the least active now, which could be contributing to the misnomer of EKs being inactive by those not keeping close tabs. Names like BlackHole, Angler, and Neutrino echo back to the golden years of EK activity. In the last year, not only have some older names seen a resurgence, but newer strains have sporadically popped up in campaigns exploiting familiar vulnerabilities and delivering common payloads seen in other campaigns.
Figure 2 below illustrates a good portion of EK variants that have been reported or analyzed as active over the last 12 months. Many of these EKs and their capabilities are advertised on darkweb forums, while others are based off analysis of live samples by researchers. Names like RIG, KaiXin, Magnitude, Underminer, Threadkit, and Fallout have been around for several years, while 2019 and 2020 saw the development of newer strains like Radio, Lord, Bottle, Purple Fox, and Capesand.
Figure 2: Active Exploit Kits Weighted by Associated Vulnerabilities
Figure 2 also emphasizes vulnerability exploitation capabilities for each of the EKs. This suggests RIG and Magnitude variants have a more diverse exploit capability than others based on the number of vulnerabilities reported and observed to be exploited by these strains.
In Figure 3 below, the links were reversed to highlight the actual vulnerabilities being exploited. These links were derived from actual malware samples analyzed and reported by researchers, and discussions and advertisements on darkweb forums. Microsoft Office, Microsoft Internet Explorer, and Adobe Flash are shown to be among the top software and services targeted in EK compromises, and Microsoft Silverlight was popular in previous years. The links supplement a theme previously covered by Fidelis TRT Intelligence, that older vulnerabilities in common and popular software will continue to be exploited by current malware campaigns. This includes vulnerabilities that are 2 years or older. Granted, it must be acknowledged that some of the very old vulnerabilities in the chart are historical references to show how certain EKs managed to adapt and add new exploit features throughout the years of their existence. RIG and Magnitude have been around for several years and their repertoire of exploitation goes back to vulnerabilities from 2013 and 2015, and it does not necessarily mean all of those are being exploited today. This does not take away from the fact that in recent years, many of these exploit kits are still targeting vulnerabilities from 2016 – 2018, which suggests these older attack vectors likely still work.
Figure 3: Vulnerabilities Commonly Targeted by Various Exploit Kits
An EK compromise almost always results in the download of another malware, or second-stage payload. Past and present campaigns have shown a wide array of malware types downloaded onto the victim’s computer, ranging from banking trojans, spyware/stealers, cryptocurrency miners, and even ransomware. Specific malware families and strains delivered via EK compromise in campaigns over the last 12 months include:
Fidelis’ TRT Intelligence assesses with high-confidence that the threat posed by EKs is highly likely to remain relevant in the cyber threat landscape, if not increase, as new strains and updated capabilities to existing strains continue to improve and develop. EK development and use has taken a multi-year hiatus in terms of popularity, but the risk of compromise from EKs due to the ease of use and ubiquity of EK resources on underground forums is still present and very much real.
The list of common vulnerabilities exploited by EKs is extensive, as is the number of different malware and payloads delivered upon successful exploitation. Adversaries constantly target the weakest link in terms of vulnerabilities, and this is largely because this technique works. EKs provide a ready-made and efficient vehicle for exploitation of these vulnerabilities. The best course of action to defend against EK compromise is to maintain proper terrain visibility and asset inventory and to ensure proper patching and vulnerability management is maintained as much as possible.
TRT has previously assessed that high priority, critical vulnerabilities in Microsoft Office, Internet Explorer, and Adobe products, will continue to pose a significant risk to individuals and organizations. These vulnerabilities can be scanned for and exploited by various malware campaigns including EKs.
Other common software and services that will continue to be leveraged by cyber-criminal and nation-state adversaries, with or without EKs, include Oracle WebLogic, MS Sharepoint, SQL Server, Exchange Server, various Apache frameworks, content management systems (e.g.: Drupal, Joomla, and WordPress, notably in their plugins and extensions), networked storage devices like QNAP, and VPN services and clients.
TRT has referenced several emerging vulnerabilities to be aware of in our recent Monthly Threat Intelligence Summary. Going forward, TRT Intelligence assesses that common older vulnerabilities, including those mentioned earlier, will continue to be exploited in malicious campaigns. As Flash and Internet Explore are phased out, adversaries and malware campaigns will pivot towards vulnerabilities in browsers like Microsoft Edge and Mozilla Firefox, which are already reported to be incorporated in EK activity as well as nation-state APT campaigns. A larger and prolonged work-from-home force also expands the target area for adversaries to leverage EKs against unsuspecting users.
Fidelis’ TRT focuses on relevant threats that are assessed to be of high risk to our customers. These include tools and tactics that continue to be successfully leveraged by adversary groups to compromise their targets. While maintaining vigilance on fringe threats and the most dangerous potential courses of action, the tried and true tactics and likely courses of action that continue to be carried out help ensure that customers can be protected by the most common threats.