Exploit Kits: A Prevailing Vector for Malware Distribution

TLP: WHITE | Since first appearing around 2006, exploit kits (EK) have evolved into one of the most prevalent web-based vectors for malware distribution and a threat facing nearly all internet users. An EK is a malicious toolkit designed to distribute different malware variants by exploiting common vulnerabilities found in outdated or unpatched software applications, such as web browsers and plugins. EKs are increasingly automated, sophisticated, and effective at infecting user machines due to the abundance of exploitable vulnerabilities that often go unpatched for weeks or even months. Additionally, the software applications targeted by EKs, including Adobe Flash Player, Internet Explorer, Java, and Microsoft Silverlight, are present on a large majority of endpoints in the U.S. The criminal developers responsible for creating these malicious toolkits are able to deploy updates that exploit the most current vulnerabilities, such as multiple Adobe Flash zero-day vulnerabilities discovered in January and July of 2015. Although the overall number of new and active EKs has decreased from a peak in 2012-2013, the NJCCIC assesses that EK infections will continue to increase throughout 2015 as malicious actors capitalize on the window of opportunity between when vulnerabilities are discovered and when software patches are released and implemented. The NJCCIC recommends that organizations and home users immediately apply updates to operating systems, content management systems, web browsers, and plugins; consider uninstalling or disabling applications and plugins that are not essential to daily operations; and regularly educate users on the latest tactics used in malicious emails and advertising.

Threat Overview

EKs automate the exploitation of client-side vulnerabilities in popular software applications in order to maximize successful infections and serve as a platform to deliver payloads such as Trojans, spyware, ransomware, and other malicious software. Key characteristics of EKs are their ease of use and affordability, which make it possible for a novice hacker with limited resources to launch a successful and profitable malware campaign. Malicious actors have a variety of EKs from which to choose, as they are widely available for rent or purchase through black-market websites. An EK typically provides a user-friendly graphical user interface (GUI) and the capability of monitoring the infection rate, as well as remotely controlling the exploited system. EKs are often developed in one country, sold in another, and used in a third to attack a fourth, making it difficult to attribute malicious activities to threat actors or a country of origin.

  • As of January 2015, EKs delivered more than two-thirds of all malware observed by anti-malware software company Malwarebytes. Additionally, Malwarebytes reported that two billion mainstream website visitors were redirected to criminal servers in a one-month period, and a single EK on a high-traffic site can infect 6,000 users within a half hour. The sustained success of these toolkits over the last several years, combined with user-friendly interfaces and low technical barriers, has made EKs an attractive option for profit-motivated cybercriminals. According to Microsoft, individual EKs can yield up to $50,000 in a single day for an attacker.
  • Analysis by Trend Micro revealed that the U.S. was the target of 57% of all exploit kit attack activity in 2014. While EK activity has primarily been attributed to criminal actors, the security firm Symantec observed the use of EKs among cyberespionage groups in 2014 and posed the possibility of EKs designed to target critical infrastructure by exploiting Industrial Control Systems (ICS).
  • EKs pose a threat that requires a multifaceted mitigation strategy encompassing web-based detection as well as behavior-based and file-based detection solutions. The first line of defense, however, is the timely patching of systems. Although EKs have recently targeted zero-day vulnerabilities, the majority of exploits target known vulnerabilities with existing patches for applications such as Adobe Reader, Java, and Internet Explorer. In its annual Data Breach Investigations Report, Verizon underscored the risk organizations accept by not updating their systems, reporting that 99.9% of exploited vulnerabilities in 2014 were compromised more than a year after the associated Common Vulnerabilities and Exposures (CVE) entry was published.
  • For more information on current exploit kits impacting U.S. victims, including resources, indicators, and mitigation recommendations, see our Exploit Kits Threat Profile.


Contact Information
Any agency with comments or questions about this document should contact the NJCCIC at njccic@cyber.nj.gov.

Traffic Light Protocol: WHITE