The conventional wisdom on exploit kits is that they rely mainly on exploits for older vulnerabilities, bugs that were disclosed and patched years ago. But new research shows that most of the popular exploit kits are actually going after flaws from 2015 and later, and the most commonly exploited vulnerabilities are in Flash and Java.
Researchers at Digital Shadows looked at 22 commonly used exploit kits, including Angler, Neutrino, RIG, Magnitude, and Nuclear, and found that many of them share exploits, and that many of the commonly exploited Flash bugs were from 2015 and 2016. The Adobe vulnerability that showed up in the most exploit kits (seven of the 22) was CVE-2015-0359, a double-free vulnerability in Flash Player that affected all platforms.
Rick Holland, vice president of strategy at Digital Shadows, said the implementation of newer exploits in these kits shows that attackers need to adapt their tactics as the landscape shifts.
“We always hear that they’re going after older bugs, but it’s the ones from 2015 and beyond that are getting used,” Holland said. “It’s going to ebb and flow. It’s the nature of the beast. But criminals don’t make a change unless they have to. I’m still skeptical that the shift is because people are getting better at patching.”
It’s no surprise that many of the common exploit kits are using exploits for Flash and Java. Both of those pieces of software are on a huge percentage of computers, even though security experts have been warning users to remove or disable them for many years. Holland said removing those apps is easier said than done, especially for large organizations.
“It’s a long tail for organizations to get rid of Flash or Java, especially if you don’t have a configuration management platform to do it,” he said. “You can scan and patch all the time and never catch up. But understanding what’s being exploited at least gives you the ability to triage it.”
The Digital Shadows report found that more than two dozen Flash vulnerabilities were being exploited by the 22 kits studied.
“Our research into 22 exploit kits showed that the most commonly implemented exploits were for vulnerabilities in Adobe Flash Player, Oracle Java, Internet Explorer, Mozilla Firefox, Adobe Reader, and Microsoft Silverlight. We counted a total of 76 CVE numbers associated with these 22 exploit kits and discovered that exploits for Adobe Flash vulnerabilities were most commonly implemented, with a total of 27 vulnerabilities in Adobe Flash exploited,” the report says.
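The counting the report describes (distinct CVEs across kits, per-product totals, the CVE present in the most kits) is also the input to the triage Holland mentions: a scan finding for a bug that seven kits implement should be fixed before one that no kit carries. The following Python script is an added example, not code from the article or from Digital Shadows. The kit-to-CVE mapping, the product lookup, and the scanner export are constructed placeholder data for illustration; they are not the report's findings, and only CVE-2015-0359 is taken from the article.

```python
"""Rank vulnerability-scan findings by how many exploit kits target each CVE.

Added example. The kit-to-CVE mapping, product lookup and scan output below
are constructed placeholders, not data from the Digital Shadows report.
"""
import csv
import io
from collections import Counter

# Constructed: which CVEs each kit is assumed to implement (illustrative only).
KIT_EXPLOITS = {
    "Angler":    ["CVE-2015-0359", "CVE-2015-5119", "CVE-2015-3113", "CVE-2013-2551"],
    "Neutrino":  ["CVE-2015-0359", "CVE-2015-5119", "CVE-2016-4117"],
    "RIG":       ["CVE-2015-0359", "CVE-2013-2551", "CVE-2012-1723"],
    "Magnitude": ["CVE-2015-0359", "CVE-2015-5119", "CVE-2016-1019"],
    "Nuclear":   ["CVE-2015-0359", "CVE-2014-0515"],
}

# Constructed product lookup; in practice derive this from NVD/CPE data.
PRODUCT = {
    "CVE-2015-0359": "Adobe Flash Player",
    "CVE-2015-5119": "Adobe Flash Player",
    "CVE-2015-3113": "Adobe Flash Player",
    "CVE-2016-4117": "Adobe Flash Player",
    "CVE-2016-1019": "Adobe Flash Player",
    "CVE-2014-0515": "Adobe Flash Player",
    "CVE-2013-2551": "Internet Explorer",
    "CVE-2012-1723": "Oracle Java",
}

# Constructed scanner export (host, CVE). The last row is a CVE no kit implements.
SCAN_CSV = """host,cve
10.0.0.5,CVE-2015-0359
10.0.0.5,CVE-2012-1723
10.0.0.7,CVE-2016-4117
10.0.0.9,CVE-2014-0160
"""


def kits_per_cve(kit_exploits):
    """Number of distinct kits implementing each CVE."""
    counts = Counter()
    for cves in kit_exploits.values():
        for cve in set(cves):          # a kit counts once per CVE
            counts[cve] += 1
    return counts


def summarize(kit_exploits, product):
    """Aggregate counts of the kind the report presents."""
    counts = kits_per_cve(kit_exploits)
    by_product = Counter(product.get(cve, "unknown") for cve in counts)
    by_year = Counter(cve.split("-")[1] for cve in counts)   # year from the CVE ID
    top_cve, top_n = counts.most_common(1)[0]
    return {
        "distinct_cves": len(counts),
        "by_product": dict(by_product),
        "by_year": dict(by_year),
        "most_common": (top_cve, top_n),
    }


def triage(scan_csv, kit_exploits, product):
    """Order scan findings by exploit-kit coverage, most-targeted first.

    Returns (host, cve, kit_count, product) tuples. Findings with no known
    kit coverage sort last but are kept, so nothing is silently dropped.
    """
    counts = kits_per_cve(kit_exploits)
    rows = csv.DictReader(io.StringIO(scan_csv))
    findings = [
        (r["host"], r["cve"], counts.get(r["cve"], 0), product.get(r["cve"], "unknown"))
        for r in rows
    ]
    return sorted(findings, key=lambda f: (-f[2], f[0], f[1]))


if __name__ == "__main__":
    print(summarize(KIT_EXPLOITS, PRODUCT))
    for host, cve, n, prod in triage(SCAN_CSV, KIT_EXPLOITS, PRODUCT):
        print(f"{host:10} {cve:15} kits={n} ({prod})")
```

The ordering key is deliberately kit coverage first, not CVSS: a finding that several kits already weaponize is exposed to commodity attacks today, whatever its score. Swap the constructed mapping for a feed you maintain and the scanner export for your own CSV, and the ranking is directly usable as a patch queue.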
The researchers also looked at how exploit kit developers implement a given exploit and how quickly they do so. They found that developers often base their exploits on proof-of-concept code released by researchers, and that remote-code-execution bugs are the ones most likely to be picked up.
“For a developer of an exploit kit, access to fully functioning exploit code developed by somebody else would almost certainly be less resource-intensive than attempting to develop their own exploit. Given the trend of vulnerabilities that allow for remote code execution (RCE) being exploited by exploit kits, coupled with the examples where such vulnerabilities have been implemented, we can see that when POC exploits become available for vulnerabilities allowing RCE, this substantially increases the likelihood that they will be implemented into exploit kits,” the report says.