Angler, Magnitude, and Nuclear are among the exploit kits criminals most commonly use to deliver a variety of payloads, from botnet clients to ransomware. Exploit kits are really just a means for malicious actors to get in the door. Once a kit has a foothold, the payload it installs is specific to the criminal behind it, and that payload is what has the profound impact on business operations.
The prevalence of particular exploit kits, and the techniques attackers favor, changes quite often. Only a few years ago, Black Hole was the most popular exploit kit until its author, Dmitry “Paunch” Fedotov, was arrested. In the years that followed his arrest, use of Black Hole declined. Despite "Paunch" being sentenced to seven years in prison last month, exploit kit authors remain undeterred and continue to produce derivatives.
Carl Leonard, principal security analyst at ForcePoint, said that Angler has become popular with malware authors over the past few months. “It’s updated rapidly with exploit code that is new. Many security vendors don’t know about it and don’t have the facility to protect against it,” said Leonard.
“Malware authors try to obfuscate the code. Very advanced malware authors would use protocol level manipulation as payload to send fragments of the exploits through to the end user so that the firewall doesn’t appreciate that this is an exploit,” Leonard said.
Exploit kits have traditionally required a victim to visit a website and get compromised there; criminals are now going one step further.
“Three or four weeks ago, we detected a threat called Samsam being installed from a network vulnerability. The Samsam actors thought of combining network-based vulnerabilities with ransomware, which opens the door for more targeted attacks using a ransomware spread like a network-based worm,” said Craig Williams, security outreach manager, Cisco Talos.
“If you have systems and files being encrypted or a file share becomes encrypted, that’s a huge impact. Dozens of hospitals have been attacked recently, and for some it has taken them days to recover. That means massive downtime, rescheduling major surgeries. It’s literally putting lives at risk,” Williams said.
Through their networks on the dark web, nefarious actors learn when new exploits are seen in the wild, which makes them aware of even zero-day vulnerabilities before the general public is. Leonard said, “Under responsible disclosure, a researcher will identify the use of a brand new exploit script to a vendor. The vendor then releases a patch that can be applied to the business.”
Businesses, though, struggle to apply those patches expeditiously. The sophistication of exploit kits, and the relative ease with which criminals can obtain them, threatens business operations and has security teams working overtime to speed up the patching process.