Exploit kits
Part of a cybercriminal's toolbelt is a series of "exploit kits" (EKs) that deliver and execute a payload if a suitable vulnerability is found on the visiting device. Here are some of the most notorious exploit kits, what they did, and some of their limitations:
Angler Exploit Kit
Angler was one of the most advanced EKs. It rapidly integrated exploits for newly discovered vulnerabilities, focusing on Flash, Java, and Internet Explorer. It employed domain shadowing (creating throwaway subdomains under legitimate domains whose registrar accounts had been hijacked) to hide its infrastructure, and it delivered a variety of payloads, including ransomware like CryptoWall.
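Domain shadowing leaves a recognisable trace in DNS logs: one legitimate registered domain suddenly sprouts many random-looking subdomains, each resolved only once or twice. The detector below is an added example (not from the original page or from any EK analysis); it runs over constructed DNS log lines and the thresholds, field layout and `.test` hostnames are all assumptions for illustration.

```python
import math
from collections import defaultdict

# Constructed DNS query log (not real data). Each line: "<epoch> <client_ip> <queried_name>"
DNS_LOG = """\
1000 10.0.0.5 www.example-news.test
1001 10.0.0.5 cdn.example-news.test
1010 10.0.0.7 q7x2kd9a.legit-blog.test
1011 10.0.0.7 m3p0zzt4.legit-blog.test
1012 10.0.0.9 v9q1ksl2.legit-blog.test
1013 10.0.0.9 hh2k9d0x.legit-blog.test
1014 10.0.0.4 b7c3n8qd.legit-blog.test
1015 10.0.0.4 z2xq81ma.legit-blog.test
1020 10.0.0.5 mail.example-news.test
"""

def registered_domain(qname: str) -> str:
    # Naive eTLD+1 (last two labels). A real deployment should use the Public Suffix List.
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def shannon_entropy(label: str) -> float:
    # Bits per character; "www" scores 0.0, an 8-char random label scores close to 3.0.
    if not label:
        return 0.0
    probs = [label.count(c) / len(label) for c in set(label)]
    return -sum(p * math.log2(p) for p in probs)

def find_shadowed_domains(log_text, min_subdomains=4, min_entropy=2.5, max_avg_queries=1.5):
    """Return {registered_domain: sorted suspicious subdomains} for domains that show
    many high-entropy subdomains which are each queried only a handful of times."""
    per_domain = defaultdict(lambda: defaultdict(int))   # domain -> subdomain -> query count
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        qname = parts[2].lower().rstrip(".")
        dom = registered_domain(qname)
        sub = qname[: -len(dom)].rstrip(".")
        if sub:                                           # ignore queries for the apex itself
            per_domain[dom][sub] += 1
    flagged = {}
    for dom, subs in per_domain.items():
        random_like = [s for s in subs if shannon_entropy(s.split(".")[0]) >= min_entropy]
        if len(random_like) < min_subdomains:
            continue
        avg_queries = sum(subs[s] for s in random_like) / len(random_like)
        if avg_queries <= max_avg_queries:                # throwaway names are rarely reused
            flagged[dom] = sorted(random_like)
    return flagged
```

Thresholds like these need tuning against a baseline, since CDNs and some mail providers also generate hashed-looking subdomains.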
Blackhole Exploit Kit
An early and popular EK, Blackhole primarily targeted Java, Adobe Reader, and Flash. It offered a user-friendly dashboard for its customers and was frequently updated. Blackhole ended with the arrest of its creator in 2013.
Nuclear Exploit Kit
Nuclear targeted a broad range of vulnerabilities, including those in Internet Explorer, Flash, and Java. It used sophisticated evasion techniques to avoid detection. Its operations declined sharply after a large part of its source code was leaked in 2016.
Neutrino Exploit Kit
Neutrino exploited vulnerabilities in Flash, Java, and Internet Explorer. After the decline of Angler, Neutrino's popularity surged. It had features to avoid analysis and detection.
RIG Exploit Kit
RIG is one of the more persistent EKs and has seen various versions over the years. It has delivered various payloads, from banking trojans to ransomware, and primarily targeted Internet Explorer, Flash, and Java vulnerabilities. RIG has the drawback of a more basic evasion architecture compared to Nuclear.
Sundown Exploit Kit
Unique to Sundown was its extensive use of stolen exploits and copy-pasting from other EKs, leading some to call it a "Frankenstein" EK. Because of its reliance on stolen exploits, it often lagged in terms of novel attack vectors.
Conclusion
These exploit kits, while varied in their approaches and lifespans, share a common limitation: they rely on well-known vulnerabilities and become far less effective when potential victims regularly update and patch their software. With Flash a thing of the past and modern browsers "sandboxing" their content, the golden age of exploit kits has waned.
Preventative Measures
- Awareness Training: Since phishing is a common attack vector, training users to recognize and report phishing attempts can significantly improve security.
- Regular Patching: Ensure all devices and software are regularly updated to patch known vulnerabilities.
- Network Segmentation: Employ a Zero-Trust Networking strategy.
Understanding the logic and progression of potential attacks helps in devising robust defense strategies, running red team exercises, and ensuring that the digital environment remains secure.
Social Engineering Example
- Social Engineering via LinkedIn
  - LinkedIn is a professional network where trust is often given to connections. By creating fake accounts and sending out seemingly benign portfolio links, attackers exploit this trust.
  - Unsuspecting users, out of curiosity or interest, click on these portfolio links, expecting to see a person's professional work.
- Malicious Website and Compromise
  - Instead of a portfolio, the linked site hosts an exploit kit tailored to exploit known vulnerabilities in browsers, plugins, or operating systems.
  - When the victim lands on the site, the exploit kit attempts to compromise the device. After a successful compromise, it may display a 404 error to confuse the victim and deter further investigation.
- Initial Device Compromise
  - Once the device is compromised, the attacker can deploy payloads to establish persistence, exfiltrate data, or prepare for lateral movement within the network.
- WiFi Infection
  - This step is a bit more challenging. Infecting a Wi-Fi network typically means compromising the router or another network device. This could be achieved if the malware can exploit a vulnerability in the router, guess weak or default credentials, or use other techniques to gain control.
- Propagation to Other Devices
  - With control over the network router, the attacker can manipulate traffic, direct devices to malicious sites, or attempt to directly compromise other devices connected to the network.
- Building the Botnet
  - As devices get compromised, they can be added to the botnet. If the malware is designed to target a broad range of "stripped-down Linux kernels" (common in IoT devices), this can lead to rapid propagation, especially given the often-poor security posture of IoT devices.
- Stealth and Propagation
  - The more stealthy and efficient the malware, the longer it can stay undetected and continue to infect other devices. For example, it might avoid high resource usage or suspicious network activity.
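The first two stages of the chain above (a social-network referrer, a landing page that answers with a fake 404, then a payload download) are visible in ordinary web-proxy logs. The script below is an added example, not code from the original page: it scores each client on constructed proxy log lines, and the log format, size threshold, time window and `.test` hostnames are assumptions chosen for illustration.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log (not real traffic). Fields:
# epoch client method url status bytes content_type referrer
PROXY_LOG = """\
1000 10.0.0.5 GET https://www.linkedin.com/feed/ 200 51234 text/html -
1005 10.0.0.5 GET http://my-portfolio-site.test/work/ 404 84211 text/html https://www.linkedin.com/
1009 10.0.0.5 GET http://my-portfolio-site.test/x/load.swf 200 32111 application/x-shockwave-flash http://my-portfolio-site.test/work/
1020 10.0.0.5 GET http://198.51.100.23/u/bot.elf 200 612000 application/octet-stream -
1100 10.0.0.8 GET https://www.linkedin.com/in/someone/ 200 40000 text/html -
1105 10.0.0.8 GET https://www.example.test/missing 404 512 text/html https://www.linkedin.com/
"""

BIG_404_BYTES = 20000   # a genuine error page is small; a landing page hiding behind "404" is not
PLUGIN_TYPES = {"application/x-shockwave-flash", "application/java-archive"}
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-executable"}
WINDOW_SECONDS = 120    # how long after the fake 404 a follow-up download still counts

def parse(line):
    t, client, _method, url, status, size, ctype, ref = line.split(maxsplit=7)
    return {"t": int(t), "client": client, "host": urlparse(url).hostname,
            "status": int(status), "size": int(size), "ctype": ctype, "ref": ref}

def score_clients(log_text, min_score=3):
    """Return {client: (score, reasons)} for clients whose traffic matches the
    fake-404 landing page followed by plugin content and/or a binary download."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse(line)
            by_client[ev["client"]].append(ev)
    results = {}
    for client, events in by_client.items():
        events.sort(key=lambda e: e["t"])
        for i, e in enumerate(events):
            if e["status"] != 404 or e["size"] < BIG_404_BYTES:
                continue                                  # only oversized 404s start a chain
            score, reasons = 1, [f"oversized 404 from {e['host']}"]
            if "linkedin.com" in e["ref"]:
                score += 1; reasons.append("reached via linkedin.com referrer")
            for f in events[i + 1:]:
                if f["t"] - e["t"] > WINDOW_SECONDS:
                    break
                if f["ctype"] in PLUGIN_TYPES and f["host"] == e["host"]:
                    score += 1; reasons.append(f"plugin content from same host: {f['ctype']}")
                if f["ctype"] in BINARY_TYPES:
                    score += 2; reasons.append(f"binary download from {f['host']}")
            if score >= min_score:
                results[client] = (score, reasons)
    return results
```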
Zero-day exploits
Zero-day exploits target vulnerabilities in software that are unknown to the vendor at the time of exploitation. By the nature of the term "zero-day," these vulnerabilities are particularly concerning because they give the software's vendor zero days to fix the issue before it's exploited. Over the years, many such vulnerabilities have been discovered across browsers, plugins, and operating systems.
Notable zero-day exploits:
- Browsers
  - Microsoft Internet Explorer: Multiple zero-days have been found over the years, with one notable example from 2014 where attackers used a flaw to target U.S. defense and financial industries.
  - Google Chrome: In 2019, Google reported a zero-day (CVE-2019-5786) that was under active exploitation.
  - Mozilla Firefox: In 2015, a zero-day allowed attackers to take control of a user's system through an advertisement on a news site.
- Plugins
  - Adobe Flash: Flash had a multitude of vulnerabilities, with many being zero-days. For example, in 2015, three zero-days were found in a row in a short time frame.
  - Oracle Java: Java has also had its share of zero-days. A notorious one in 2013 allowed bypassing the Java sandbox completely.
- Operating Systems
  - Microsoft Windows: Many zero-days have been found over the years across various Windows versions. A famous one is the EternalBlue exploit, which, although it was leaked only after the underlying vulnerability was already known, was still exploited widely in the WannaCry and NotPetya ransomware attacks.
  - Apple macOS and iOS: Both macOS and iOS have had zero-days, though less frequently than some other platforms. For instance, in 2019, Google's Project Zero discovered a series of zero-day vulnerabilities in iOS that allowed websites to install malware on iPhones without user interaction.
  - Linux: While less common, Linux isn't immune to zero-days. In 2016, a zero-day was discovered that allowed local privilege escalation, dubbed "Dirty COW."
- Others
  - Windows SMBv3: In early 2020, a vulnerability was found in the SMBv3 protocol of Windows 10 and Server versions. While it wasn't exploited in the wild immediately after its discovery, the potential for worm-like behavior drew comparisons to the infamous WannaCry attack.
  - BlueKeep (Windows RDP): A 2019 vulnerability in Windows' Remote Desktop Protocol (RDP) which had the potential for worm-like propagation.
Zero-day
Zero-days highlight the importance of proactive security practices, such as regular software patching and updates, as well as the use of intrusion prevention systems and advanced threat detection mechanisms. However, some hacks are unstoppable; read more at Hack on how the NSO Group can zero-day into any iOS device with no user interaction.