A nasty Adobe Flash zero-day vulnerability that was remediated in an emergency update in October 2015 was thereafter co-opted by seven exploit kits, according to an analysis published today by researchers at Recorded Future.
The Adobe vulnerability, CVE-2015-7645, was also used by the Russian APT group known as APT 28, which laced spear phishing emails with exploits targeting foreign affairs ministries worldwide. APT 28, also known as Sofacy, frequently targets NATO-allied political targets and in November was singled out by Microsoft for using separate Flash and Windows zero days in targeted attacks this year.
The Flash bug was among the first to be used after Adobe added new mitigations to the software to combat memory-based attacks. Despite the improvements in Flash security, attackers still take a shine to these exploits.
Recorded Future’s report “New Kit, Same Player” says that six of the top 10 vulnerabilities used in exploit kits were Flash Player bugs, followed by Internet Explorer, Windows and Silverlight exploits. None of this year’s top 10 vulnerabilities were present in a similar analysis done last year.
Exploit kits, meanwhile, have been reduced in prominence since the disappearance of a number of popular kits, including Angler and Nuclear. Angler, in particular, was popular with criminals; it was updated frequently and sold in a number of underground forums. The June arrest of a Russian cybercrime outfit behind the Lurk Trojan, however, spelled the end of days for Angler. Researchers at Kaspersky Lab confirmed the connection between the Lurk gang and Angler distribution in an August report.
Nonetheless, exploit kits remain a threat and a vehicle for attacks that include ransomware, click fraud and adware. Victims are compromised in a number of ways, including drive-by attacks, malvertising or links in emails, all of which direct the victim’s browser to the exploit kit’s landing page. Code on the page determines the browser being used and launches the exploit most likely to hit paydirt.
CVE-2015-7645 was found in Angler, as well as in Neutrino, Magnitude, RIG, Nuclear Pack, Spartan and Hunter. By far, it had the highest penetration into exploit kits, according to Recorded Future.
But since Angler’s demise earlier this year, Sundown has risen to a measure of prominence with its maintainers updating the kit often with new exploits. Sundown’s payload, however, differs in that it drops banking Trojans on users’ machines. Recorded Future said this kit also relies on domain shadowing more than its counterparts in order to register subdomains that are used to host attacks.
Sundown also contained CVE-2016-0189, an Internet Explorer bug used in targeted attacks against South Korean organizations earlier this year. Microsoft patched it in July, but by then it had already been used by Neutrino as well. The IE bug, Recorded Future said, was the top flaw found in exploit kits, referenced more than 600 times. CVE-2016-1019 and CVE-2016-4117, two other Flash Player bugs, round out the top three. CVE-2016-4117 was used by the ScarCruft APT group in watering hole attacks, Kaspersky Lab researchers said in June.