New research conducted by Digital Shadows reveals that 76 vulnerabilities are being exploited in exploit kit attacks, 27 of them in Flash. Despite the popularity of Flash flaws, an IE bug prevails in most attack scenarios and has proven to be attackers’ favorite means of exploitation. Some of the flaws date back to 2013.
In the past, plenty of exploit kits were detected in the wild. In 2016, only a few of them are still seen as part of active malicious campaigns. The list of active EKs seen throughout 2016 includes Angler, Nuclear (both declared dead in April and June), Magnitude, RIG, Sundown, and Hunter. All the EKs are based on different flaws, in most cases public and patched. The choice of vulnerabilities to incorporate mostly depends on the skills of the malicious actor.
In addition to Flash and IE, Java is also a frequent source of exploitable vulnerabilities used in EK-based attacks. Other exploited technologies are Mozilla Firefox, Adobe Reader, and Microsoft Silverlight.
So, Which Are the Most Popular Vulnerabilities Used in Exploit Kit Attack Scenarios?
First Place: CVE-2013-2551 – the IE Bug Mostly Favored by Attackers
CVE-2013-2551 Official Description
Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013, aka “Internet Explorer Use After Free Vulnerability,” a different vulnerability than CVE-2013-1308 and CVE-2013-1309.
As you can see, the bug affects IE6 through IE10 and leads to remote code execution. Such an attack was demonstrated back in 2013 during the Pwn2Own competition at CanSecWest.
Second Place: CVE-2014-0515 – the Most Popular Bug in Flash Deployed by EK Operators
CVE-2014-0515 Official Description
Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 220.127.116.11 on Windows and OS X, and before 18.104.22.1686 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.
Third Place: Split between CVE-2013-2465 in Java and CVE-2014-0569 in Flash
CVE-2013-2465 and CVE-2014-0569 Official Descriptions
CVE-2013-2465 is an unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7. The flaw allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, as explained by MITRE researchers.
CVE-2014-0569, on the other hand, is an:
Integer overflow in Adobe Flash Player before 22.214.171.124 and 14.x and 15.x before 126.96.36.199 on Windows and OS X and before 188.8.131.521 on Linux, Adobe AIR before 184.108.40.2063, Adobe AIR SDK before 220.127.116.112, and Adobe AIR SDK & Compiler before 18.104.22.1682 allows attackers to execute arbitrary code via unspecified vectors.
Exploit Kit Developers Are Evolving Together with the Malware Market
Digital Shadows researchers have concluded that the exploit kit market is quickly changing and adapting itself to the needs of malware operators and to changes in software. As a result, many EKs are dropping support for older exploits and embracing newer flaws, mostly disclosed after 2015.
Furthermore, “while CVE-2013-2551 [the IE bug described above] was the most shared of all the known vulnerabilities exploited, it is not known if this remains viable or present within exploit kits active at the time of writing,” the report concludes.