Aamir Lakhani, Global Security Strategist and Researcher, Fortinet
In cybersecurity terminology, an exploit is a bit of code or a program that takes advantage of vulnerabilities or flaws in software or hardware. An exploit is not malware, but rather a way to deliver malware like ransomware or viruses. The goal of exploits is to install malware or to infiltrate and initiate denial-of-service (DoS) attacks for example.
The recent exponential growth of computer peripherals, software advances, and edge and cloud computing has led to a corresponding increase in vulnerabilities. Of course, cybercriminals love having more systems to attack with exploit kits.
What is an Exploit Kit?
Exploit kits (EKs) are automated programs used by cybercriminals to exploit systems or applications. What makes an exploit kit very dangerous is its ability to identify victims while they browse the web. After they target a potential victim’s vulnerabilities, attackers can download and execute their malware of choice.
Examining How Exploit Kits Work
Exploit kits work silently and automatically as they seek to identify vulnerabilities on a user’s machine while they browse the web. Currently, exploit kits are the preferred method for the distribution of remote access tools (RATs) or mass malware by cybercriminals, especially those seeking to profit financially from an exploit.
EKs don’t require victims to download a file or attachment. The victim needs only browse on a compromised website and then that site pulls in hidden code that attacks vulnerabilities in the user’s browser.
The events that must occur for an exploit kit attack to be successful, include:
- Targeting a compromised website, which will discreetly divert web traffic to another landing page
- Running malware on a host, using a vulnerable application as the gateway
- Sending a payload to infect the host, when the exploit is successful
Examples of Exploit Kits
Below is a list of exploit kits that have been used by cybercriminals in the past:
In the mid-2010s, Angler was one of the most powerful and frequently used EKs that enabled zero-day attacks on Flash, Java, and Silverlight. According to The Register, “At its…peak, the authors [of the Angler] were responsible for a whopping 40% of all exploit kit infections having compromised nearly 100,000 websites and tens of millions of users, generating some US$34 million annually.”
The origins of the Blackhole exploit kit go back to 2010. It was apparently the preferred tool by cybercriminals for running drive-by downloads for over three years until the 2013 arrest of its author. After finding a website that could be exploited, cybercriminals would plant the Blackhole exploit kit and expose visitors to Blackhole-powered attacks. Then the exploit kit downloaded malware (often ransomware) on the PCs of visitors by taking advantage of any browser, Java, or Adobe Flash plug-in vulnerability it found.
In 2014, the Fiesta exploit kit gained popularity after the decline of the Blackhole exploit kit due to its source code being leaked and its founder arrested. Like earlier EKs, Fiesta worked by compromising a vulnerable website. After the website was compromised, visitors were redirected to the Fiesta landing page controlled by cybercriminals. Then different exploits based on the computer’s characteristics were downloaded.
The Flashpack exploit kit was also popular with cybercriminals in 2014 when there were campaigns that abused advertising networks. Flashpack EK was used to distribute various pieces of malware, including the information-stealing malware Zeus, the Dofoil Trojan, and the Cryptowall ransomware.
Researchers found that the Flashpack EK used free ads to distribute the threats. An example: when users accessed a website that served malicious ads (a.k.a. malvertising), they were brought by way of multiple redirects to a Flashpack exploit kit page that served up ransomware.
The GrandSoft exploit kit was another malvertising-based threat that redirected unsuspecting users and installed password stealing trojans, ransomware, and clipboard hijackers on their machines. In 2019, the GrandSoft EK was pushing the Ramnit banking trojan that attempted to steal victims’ saved login credentials, online banking credentials, FTP accounts, browser history, site injections, and more.
In 2015, the HanJuan exploit kit was popular and helped cybercriminals facilitate malvertising attacks. It used false ads and shortened URLs to trick users into landing on a webpage containing a HanJuan EK that targeted vulnerabilities in the Adobe Flash Player (CVE-2015-0359) and the Internet Explorer browser (CVE-2014-1776).
Another exploit kit that was popular in 2015 with cybercriminals was the Hunter EK, which initially targeted Brazilians via a phishing email. When the victim’s machine was comprised, a variant of a Brazilian banking trojan generically known as “Bancos” launched. This was a Brazilian banking trojan that used man-in-the-browser (MITB) techniques to steal banking and other financial credentials.
The Magnitude exploit kit, like other EKs, is a framework hosted by malicious actors to target browser vulnerabilities particularly for Internet Explorer. Because the popularity of IE has changed, the Magnitude exploit kits that target Microsoft’s browser have been much less active. Still, as recently as 2019, cybercriminals were using Magnitude EK in specific geographic regions where IE owned a sizable part of the market like in South Korea.
In the fall of 2021, SecurityWeek reported the Magnitude EK is “active” after it “added to its arsenal exploits for CVE-2021-21224 and CVE-2021-31956.”
According to Bank Info Security website, the Neutrino EK was “at one time  ranked as one of the world’s most popular exploit kits. Also known as exploit packs, these tools enable anyone – no coding experience required – to run large-scale campaigns designed to infect massive quantities of PCs with malware, turning them into ‘zombie’ nodes in a botnet.”
The Nuclear exploit kit was another cybercriminal favorite in the mid-2010s. According to an April 2016 Ars Technica article, Nuclear EK had “a sophisticated multi-tier server architecture, with a single master server providing automatic updates to ‘console’ servers—the systems used by paying customers to access and customize their particular paid attack packages. Those console servers in turn manage a rotating stock of landing pages served up through malicious links, exploited web pages and malicious advertisements.”
At the end of 2016, SecurityWeek ran a piece on its website about the Sundown exploit kit that used “a technique called steganography to hide its exploits in harmless-looking image files.” The practice of hiding information within a file become at this time “increasingly used by malicious actors, including malvertising campaigns.”
Analysis of Sundown EK forays revealed that attackers used PNG images to disguise various exploits, including ones targeting Internet Explorer and Flash Player vulnerabilities.
Sweet Orange exploit kit was also popular with criminals in the mid-2010s. It targeted the Windows operating systems Windows 8.1 and Windows 7 as well as web browsers Internet Explorer, Firefox, and Google Chrome. Sweet Orange EK’s authors tried to prevent the security community from getting access to the source code of the kit. They did this by limiting messages posted on invite-only cybercrime-friendly web communities and sell the kit to only those with a cybercrime reputation.
More to the Story
Today older kits have been leaked and are publicly available. Attackers have been taking these older kits and modifying them making them more resilient to newer security detection strategies. Also many of these kits are being advertised for sale online. Attackers offer these kits for rent on these sites and offer support and update contracts to guarantee they work against future updates.
What should you do?
o Protect Your Endpoints: Advanced, automated endpoint protection, detection, and response.
o Web Security: Protection against web threats hidden in encrypted or non encrypted traffic.
o Zero Trust Access: As users continue to work from anywhere and IoT devices flood networks and operational environments, continuous verification of all users and devices as they access corporate applications and data is needed.