Posted May 19, 2016
By: Michael Perry
The demand for threat intelligence has given rise to many companies publishing their findings on new or zero-day vulnerabilities to the public. While collaboration and information sharing are highly discussed topics right now, could disclosing the specifics of these exploits do more harm than good? Disclosing findings outside of secure communications with vendors opens that information up to threat actors who can review that data against their own methodology. This is a double edge sword of helping end users to secure against a vulnerability while also aiding threat actors in refining their practice.
Typically, disclosures describe the tactics, techniques, and procedures (TTPs) of actors deploying the malware, and also reveal how the malware itself works. While discussing TTPs in a public setting can display thought leadership, more often than not it works to alert an adversary. This can give malware developers advanced notice that their software is compromised, which leads to the modification and re-invigoration of the malicious software.
Other issues can include copycat actors incorporating disclosed TTPs into less sophisticated but emerging malware, as well as the enablement of false flag operations. This is when a group claims to be the threat actor behind a certain capability, which was common in a recent surge in DDoS extortion threats in 2015 and 2016. TTP awareness, false flag operations, and copycat actors explain why we frequently see new versions or families of malware within days of public disclosures.
In 2014, 7,946 common vulnerabilities and exposures (CVEs) were publicly disclosed. Ten of these CVEs were identified as integrated into active exploit kits (EKs or eKits). Current active exploit kits include: Angler, Archie, Astrum, Bleeding Life, CkVip, Dotkachef, Fiesta, Flash, GongDa, Hanjuan, Hunter, Infinty, LightsOut, Magnitude, Neutrino, Niteris, Nuclean, Nuclear 3.x, NullHole, Rig, Sednit, Spartan, Styx, and SweetOrange. More have likely been integrated, though security researchers continue to chase newly identified CVEs.
In 2015, 6,419 CVEs were publicly disclosed. However, security researchers definitively identified 16 CVEs as integrated into active eKits. For example, Neutrino EK (NEK) version 3.0 incorporated techniques that were first observed in Angler and the two frequently added exploits within days of each other. This suggests the author or authors of NEK could have copied Angler.
The 2014-2015 year-over-year trend of CVEs integrated into eKits indicates vulnerabilities associated with Adobe Flash comprise the bulk of exploits in the wild. The LookingGlass Special Investigations Unit (SIU) notes that exploits associated with Internet Explorer and Microsoft Silverlight were also integrated, but to a much lesser degree. We believe the accelerated trend from Flash exploits is due to evolving threat actor TTPs, ubiquitous usage of the software, and beleaguering security update pace for end users (individual and institutional).
The selected CVEs tend to focus on taking advantage of patching insufficiencies. By focusing on a variety of threat vectors within Flash, adversaries seek exposure to the widest base of attackable end users as possible at any given time. The choice is based on the simple premise of widest distribution and exposure to maximize potential reach. Hypothetically, if 100 people use Flash and an adversary has 15 different Flash exploits, probability then favors the adversary rather than the end user. Only the end user with the most sophisticated patching regimen stands a chance to withstand attack.
The above chart shows the growth of publicly disclosed CVEs integrated into active eKits over a one-year period. While 16 integrated CVEs may not seem large given the total of 6,419 publicly disclosed CVEs in 2015, this number has bigger implications.
From 2014 to 2015, there was a 60 percent increase in the total number of discovered integrated vulnerabilities. This rise in exploits and accelerated pace of integration despite a reduced vulnerability landscape points to threat actors getting better at refining and upgrading exploit kits. At the same time, malware for hire coders continue to update their products with found exploits.
Over the last year, the LookingGlass SIU leveraged a blend of open-source and proprietary toolsets and uncovered instances of publicly disclosed security vulnerabilities reported to software vendors that may have been appropriated by malicious actors for eKit integration. While this phenomenon is not new, it is greatly underreported. SIU discovered this for CVE-2015-0318. Security researchers published details on the exploit in November 2014. By February 2015, the CVE was documented as patchable, but later in the month reports circulated that it was being exploited in the wild.
While not directly related to an eKit, this is indicative of a trend that has become more prominent; malicious actors seeking publicly disclosed exploitable source code to facilitate the innovation of their products. An even more recent example was reported on January 27, 2016. In that case, a malicious actor attempted to extort a security researcher who posted code on Github.com for ‘educational’ reasons.
Malware developers increasingly run operations from a corporate model rather than that of a sole proprietorship. With more money bringing more expertise to the business, refining the product has become a daily goal rather than the machinations of a single hooded user behind a Guy Fawkes mask, as the media would portray. Given the evolving trend, SIU wonders if software vendors should consider a policy of disclosing vulnerabilities sometime after end users have had an opportunity to patch; more of a whistleblower approach rather than airing one’s dirty coding for all to see.
LookingGlass anticipates a busy year for CVEs and exploit kit innovation. Given the trend of accelerated eKit integration and poached research code, eKit growth could continue on an accelerated trajectory, or at least stay within the 2014-2015 numbers.
We recommend patching on a regular basis and investing the time in researching best practices to avoid becoming victim to eKits and malicious actors. Some best practices include:
- Cybersecurity awareness training
- Avoid clicking on unsolicited links or pop-ups, or opening unsolicited emails (even emails from “family” and “friends” may contain malicious links)
- Keep software, antivirus definitions, and operating systems up-to-date
- Perform routine, non-local, non-network backups
- Enable ad-blocking extensions in browsers to help prevent infections from malvertising