The definition and examples of exploit kits

(MENAFN - ChatterBox PR & Events)
By Aamir Lakhani, Global Security Strategist and Researcher at Fortinet.

In cybersecurity terminology, an exploit is a piece of code or a program that takes advantage of vulnerabilities or flaws in software or hardware. An exploit is not malware, but rather a way to deliver malware such as ransomware or viruses. Exploits are used, for example, to install malware or to infiltrate a system and launch denial of service (DoS) attacks.
The recent exponential growth in computing devices, software advancements, and edge and cloud computing has resulted in a corresponding increase in vulnerabilities. Of course, cybercriminals like having more systems to attack with exploit kits.
What is an exploit kit?
Exploit kits (EK) are automated programs used by cybercriminals to exploit systems or applications. What makes an exploit kit so dangerous is its ability to identify victims while they are browsing the web. After identifying a potential victim's vulnerabilities, attackers can download and execute the malware of their choice.
Review of how exploit kits work
Exploit kits work silently and automatically as they seek to identify vulnerabilities on a user’s machine while browsing the web. Currently, exploit kits are the preferred method for mass distribution of remote access tools (RATs) or malware by cybercriminals, especially those looking to make financial profit from an exploit.
EKs do not require victims to download any file or attachment. The victim simply navigates to a compromised website, and that site then delivers hidden code that attacks vulnerabilities in the user's browser.
Events that must occur for an exploit kit attack to succeed include:
• The victim reaches a compromised website, which stealthily diverts web traffic to another landing page
• Malware is executed on the host, using a vulnerable application as the gateway
• Once the exploit succeeds, a payload is sent to infect the host
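The three stages listed above leave a recognisable trace in web proxy logs: a client arrives at a landing page from a different site, the landing host serves an exploit vehicle (a Flash, Java or Silverlight object), and shortly afterwards the same host serves a binary payload. The following Python script is an added detection example, not code from the article or from Fortinet; it reconstructs per-client request sequences from constructed sample log lines and flags clients whose traffic matches that sequence within a short window. The log format, the hostnames and the content-type lists are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic). Fields, space separated:
# timestamp client_ip url referrer content_type   ("-" = no referrer)
SAMPLE_LOG = """\
2022-01-31T10:00:01 10.0.0.5 http://news.example/article.html - text/html
2022-01-31T10:00:02 10.0.0.5 http://ads.example/banner.js http://news.example/article.html application/javascript
2022-01-31T10:00:03 10.0.0.5 http://ads.example/click?id=7 http://news.example/article.html text/html
2022-01-31T10:00:04 10.0.0.5 http://x7k2.example/landing.php http://ads.example/click?id=7 text/html
2022-01-31T10:00:05 10.0.0.5 http://x7k2.example/fl.swf http://x7k2.example/landing.php application/x-shockwave-flash
2022-01-31T10:00:07 10.0.0.5 http://x7k2.example/pl.exe http://x7k2.example/landing.php application/octet-stream
2022-01-31T10:05:00 10.0.0.9 http://news.example/article.html - text/html
2022-01-31T10:05:01 10.0.0.9 http://cdn.example/style.css http://news.example/article.html text/css
"""

# Content types that historically carried EK exploits (assumed list).
EXPLOIT_VEHICLE_TYPES = {
    "application/x-shockwave-flash",   # Flash
    "application/java-archive",        # Java
    "application/x-silverlight-app",   # Silverlight
}
# Content types typical of a dropped binary payload (assumed list).
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}


def parse_log(text):
    """Turn the sample log into a list of event dicts, one per request."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, referrer, ctype = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "url": url,
            "host": urlparse(url).hostname,
            "referrer": None if referrer == "-" else referrer,
            "ctype": ctype,
        })
    return events


def find_ek_chains(text, window_seconds=120):
    """Return one finding per client whose traffic shows the landing -> exploit
    vehicle -> payload sequence from a single host within the time window."""
    by_client = defaultdict(list)
    for ev in parse_log(text):
        by_client[ev["client"]].append(ev)

    findings = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["time"])
        for i, landing in enumerate(events):
            # Stage 1: an HTML page reached from a different site (the redirect arrival).
            if landing["ctype"] != "text/html" or not landing["referrer"]:
                continue
            if urlparse(landing["referrer"]).hostname == landing["host"]:
                continue  # same-site navigation, not an arrival from elsewhere
            deadline = landing["time"] + timedelta(seconds=window_seconds)
            vehicle = payload = None
            for ev in events[i + 1:]:
                if ev["time"] > deadline:
                    break
                if ev["host"] != landing["host"]:
                    continue
                # Stage 2: the landing host serves an exploit vehicle.
                if vehicle is None and ev["ctype"] in EXPLOIT_VEHICLE_TYPES:
                    vehicle = ev
                # Stage 3: the same host then serves a binary payload.
                elif vehicle is not None and ev["ctype"] in PAYLOAD_TYPES:
                    payload = ev
                    break
            if vehicle and payload:
                findings.append({
                    "client": client,
                    "landing_host": landing["host"],
                    "landing_url": landing["url"],
                    "vehicle_url": vehicle["url"],
                    "payload_url": payload["url"],
                })
    return findings


if __name__ == "__main__":
    for f in find_ek_chains(SAMPLE_LOG):
        print("possible exploit kit chain:", f)
```

Only the client that fetched the Flash object and then a binary from the same unfamiliar host is reported; the client that merely loaded a stylesheet from a CDN is not. In a real deployment the content-type lists would be tuned to the plugins actually present in the environment, and the landing-host check would usually be combined with domain age or reputation data.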
Examples of exploit kits
Below is a list of exploit kits that have been used by cybercriminals in the past:
Angler
In the mid-2010s, Angler was one of the most powerful and frequently used EKs, enabling zero-day attacks on Flash, Java, and Silverlight. According to The Register, “At its… peak, authors [of the Angler] were responsible for a whopping 40% of all exploit kit infections compromising nearly 100,000 websites and tens of millions of users, generating some $34 million a year.”
Blackhole
The origins of the Blackhole exploit kit date back to 2010. It was apparently cybercriminals' favorite tool for executing drive-by downloads for more than three years, until its perpetrator was arrested in 2013. After finding a website that could be exploited, cybercriminals installed the Blackhole exploit kit and exposed visitors to Blackhole-powered attacks. The exploit kit then downloaded malware (often ransomware) onto visitors' PCs, taking advantage of any browser, Java, or Adobe Flash plug-in vulnerabilities it found.
Fiesta
In 2014, the Fiesta exploit kit gained popularity after the Blackhole exploit kit declined due to its source code being leaked and its founder being arrested. Like previous EKs, Fiesta worked by compromising a vulnerable website. Once the website was compromised, visitors were redirected to a Fiesta landing page controlled by cybercriminals. Different exploits were then delivered, chosen according to the characteristics of the visitor's computer.
Flashpack
The Flashpack exploit kit was also popular with cybercriminals in 2014 when campaigns abused ad networks. Flashpack EK has been used to distribute various malware, including Zeus information-stealing malware, Dofoil Trojan, and Cryptowall ransomware.
Researchers found that Flashpack EK uses free advertisements to spread threats. One example: when users landed on a website that delivered malicious advertisements (malvertising), they were taken through multiple redirects to a Flashpack exploit kit page that delivered ransomware.
GrandSoft
GrandSoft exploit kit was another malware-based threat that redirected unsuspecting users and installed password-stealing trojans, ransomware and clipboard hijackers on their machines. In 2019, GrandSoft EK was pushing Ramnit banking trojan that attempted to steal victims’ saved login credentials, online banking credentials, FTP accounts, browser history, site injections, and more.
HanJuan
In 2015, the HanJuan exploit kit was popular and helped cybercriminals carry out malvertising attacks. It used fake advertisements and shortened URLs to trick users into landing on a web page containing HanJuan EK, which targeted vulnerabilities in Adobe Flash Player (CVE-2015-0359) and the Internet Explorer browser (CVE-2014-1776).
Hunter
Another exploit kit that was popular with cybercriminals in 2015 was the Hunter EK, which initially targeted Brazilians via phishing emails. Once the victim's machine was compromised, a variant of a Brazilian banking Trojan generically known as “Bancos” was launched; it used man-in-the-browser (MITB) techniques to steal banking credentials and other financial information.
Magnitude
The Magnitude exploit kit, like other EKs, is a framework hosted by malicious actors to target browser vulnerabilities, especially in Internet Explorer. As IE's popularity has declined, Magnitude exploit kits targeting Microsoft's browser have become much less active. Yet, as recently as 2019, cybercriminals were using Magnitude EK in specific geographic regions where IE still had a significant market share, such as South Korea.
In fall 2021, SecurityWeek reported that Magnitude EK was “active” after “adding exploits for CVE-2021-21224 and CVE-2021-31956 to its arsenal”.
Neutrino
According to the Bank Info Security website, the Neutrino EK was “at one time [2016] ranked as one of the most popular exploit kits in the world. Also known as exploit packs, these tools allow anyone – no coding experience required – to launch large-scale campaigns designed to infect massive amounts of PCs with malware, turning them into ‘zombie’ nodes in a botnet.”
Nuclear
The Nuclear exploit kit was another favorite of cybercriminals in the mid-2010s. According to an April 2016 Ars Technica article, Nuclear EK had “a sophisticated multi-tiered server architecture, with a single master server providing automatic updates to ‘console’ servers – the systems used by paying customers to access and customize their particular paid attack packages. These console servers in turn maintain a rotating stock of landing pages delivered via malicious links, exploited web pages and malicious advertisements.”
RIG
In a November 2016 article on ThreatPost, the author states that at the time, “the most prolific exploit kit was RIG, which filled a void left by the departure of Angler, Neutrino, and Nuclear”. The post goes on to describe the “unique” way in which “the RIG exploit kit combines different web technologies such as DoSWF, JavaScript, Flash, and VBscript to obfuscate attacks.” Threat researchers add that “a RIG attack is a three-pronged attack strategy that leverages JavaScript, Flash, VBscript-based attacks as needed.”
Sundown
In late 2016, SecurityWeek published an article on its website about the Sundown exploit kit, which used “a technique called steganography to hide its exploits in innocuous-looking image files”. The practice of hiding information inside a file was at that time becoming “increasingly used by malicious actors, including malvertisement campaigns”.
Analysis of Sundown EK incursions revealed that attackers were using PNG images to conceal various exploits, including those targeting vulnerabilities in Internet Explorer and Flash Player.
Sweet Orange
The Sweet Orange exploit kit was also popular with criminals in the mid-2010s. It targeted the Windows 8.1 and Windows 7 operating systems as well as the Internet Explorer, Firefox, and Google Chrome web browsers. The authors of Sweet Orange EK tried to keep the security community from accessing the kit's source code: they restricted posts about it on cybercrime-friendly web communities and sold the kit only to those with an established reputation as cybercriminals.
More on the history of exploit kits
Today, older kits have been leaked and are publicly available. Attackers have taken these older kits and modified them to make them more resistant to newer detection strategies. Additionally, many of these kits are advertised for sale online. The attackers offer these kits for rent on these sites and sell support and update contracts so that the kits keep working against future software updates.
What should you do?
• Protect your endpoints: advanced and automated endpoint protection, detection and response.
• Web security: protection against web threats hidden in encrypted or unencrypted traffic.
• Internal segmentation: segment network and infrastructure assets regardless of location, on-premises or across multiple clouds.
• Zero trust access: as users continue to work from anywhere and IoT devices flood networks and operational environments, continuous verification of all users and devices as they access enterprise applications and business data is needed.
