Cyber crime: Exploit kits in the enterprise

Cyber crime is big business and exploit kits represent one of the most critical security challenges facing the enterprise today...

Security exploits

The Crimepack exploit kit console (courtesy of a Qualys demo installation) that reveals stats per exploit and stats per OS.

Getting jiggy with IT: Exploit kits in action

Simon Leech, director for HP's enterprise security arm in Europe, the Middle East and Africa (EMEA), has insight into how a successful exploit kit works in the real world. Typically it combines any number of exploits, targeting both known and unknown (zero-day) vulnerabilities, with a method of wrapping them all up into a single executable.


The user chooses the target he is aiming at, such as a PDF reader vulnerability or a web browser vulnerability. The exploit kit will then handle the attack distribution as well as monitor its success rate. "The more effective exploit kits will be provided with updates from the vendor, much like the way AV vendors update their signature set," Leech says. "The kit writers will monitor the success of various exploits, and once they see the success rates dropping, they will add additional new exploits to the portfolio."

Importantly, exploit kits are also being used as just one of the 'stepping stones' in multi-vector attacks. "Whilst using an exploit kit as part of an email campaign is fairly simple to set up, attackers wishing to use their exploit on a website will first have to compromise the website they wish to infect, and then try and hide the exploit kit in the website code," Leech adds. "A couple of years ago, when version 1.0 of Blackhole was at its prime, we saw a number of high profile sites, including those belonging to USPS and MySQL, being hacked and configured to serve up Blackhole pages in an attempt to infect their visitors with various malware."
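One practical check for the website-injection case Leech describes, as an added example that is not from the article or from any of the vendors quoted: a small Python scanner that flags the tell-tale signs of an injected loader, namely a hidden iframe (zero-size or hidden with CSS) pointing off-site or at a raw IP address, and inline JavaScript built from eval/unescape calls or long runs of %XX escapes. The three sample pages, the site hostname www.example.com and the detection markers are all assumptions constructed for this example; the article does not state which specific markers any particular kit used.

```python
"""Scan HTML pages for the kind of injected loader an exploit kit leaves behind:
hidden iframes pointing off-site and obfuscated inline JavaScript."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample pages for this example (not captured from any real site).
# compromised.html: zero-size off-site iframe plus eval(unescape(...)) loader.
# clean.html:       ordinary same-site video embed and an external script file.
# css-hidden.html:  iframe hidden with CSS instead of size attributes, raw IP src.
SAMPLE_PAGES = {
    "compromised.html": """<html><body>
<h1>Welcome</h1>
<iframe src="http://example-redirector.invalid/in.php" width="0" height="0" frameborder="0"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65'));</script>
</body></html>""",
    "clean.html": """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/video" width="640" height="360"></iframe>
<script src="/static/app.js"></script>
</body></html>""",
    "css-hidden.html": """<html><body>
<div style="visibility:hidden;position:absolute;top:-1000px">
<iframe src="http://203.0.113.5/landing.php" style="display:none"></iframe>
</div>
</body></html>""",
}


@dataclass
class Finding:
    page: str
    kind: str     # "hidden-iframe" or "obfuscated-script"
    detail: str   # why it was flagged


IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*["']([^"']*)["']""")
RAW_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/|$)", re.IGNORECASE)
# Obfuscation markers (assumed): eval/unescape/fromCharCode, or 8+ consecutive %XX escapes.
OBFUSCATION_RE = re.compile(r"eval\s*\(|unescape\s*\(|fromCharCode|(?:%[0-9a-fA-F]{2}){8,}")
HIDDEN_CSS = ("display:none", "visibility:hidden")


def parse_attrs(attr_text: str) -> dict:
    return {name.lower(): value for name, value in ATTR_RE.findall(attr_text)}


def is_tiny(value: str) -> bool:
    """True for width/height values of 0 or 1, with or without a 'px' suffix."""
    try:
        return int(value.lower().rstrip("px")) <= 1
    except ValueError:
        return False


def scan_page(name: str, html: str, site_host: str) -> list:
    findings = []
    for match in IFRAME_RE.finditer(html):
        attrs = parse_attrs(match.group(1))
        style = attrs.get("style", "").replace(" ", "").lower()
        reasons = []
        if is_tiny(attrs.get("width", "")) and is_tiny(attrs.get("height", "")):
            reasons.append("zero-size")
        if any(rule in style for rule in HIDDEN_CSS):
            reasons.append("css-hidden")
        if not reasons:
            continue  # a visible iframe is ordinary embedding, not a loader
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        if host and host != site_host:
            reasons.append("off-site src %s" % host)
        if RAW_IP_URL.match(src):
            reasons.append("raw IP src")
        findings.append(Finding(name, "hidden-iframe", "; ".join(reasons)))
    for match in SCRIPT_RE.finditer(html):
        attrs = parse_attrs(match.group(1))
        if attrs.get("src"):
            continue  # external script: fetch and scan its body separately
        hit = OBFUSCATION_RE.search(match.group(2))
        if hit:
            findings.append(Finding(name, "obfuscated-script", "matched %r" % hit.group(0)))
    return findings


def scan_all(pages: dict, site_host: str) -> dict:
    """Map page name -> list of Findings; an empty list means nothing suspicious."""
    return {name: scan_page(name, html, site_host) for name, html in pages.items()}


if __name__ == "__main__":
    for page, found in scan_all(SAMPLE_PAGES, "www.example.com").items():
        print(page, "->", "clean" if not found else "%d finding(s)" % len(found))
        for f in found:
            print("  %s: %s" % (f.kind, f.detail))
```

Run against a crawl of your own site's rendered pages (what a visitor's browser receives, not the files in the repository) and diff the findings between crawls; a hidden iframe that appears between two scans is the signal to investigate before visitors are served the landing page.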


The consumerisation of cyber crime

Exploit kits are considered to be very much a consumer product on the dark market, the online underground consisting of forums and sites where hackers and cybercriminals buy and sell stolen data and the tools of their trade.

And, as Sharf explains, the popularity of one kit over another depends on the feature set it supports, the update frequency and ultimately the price.

"A recent example includes the numerous Java vulnerabilities that the Websense Security Labs discovered in January 2013 - notably the new Java zero day vulnerability (CVE-2013-0422) that was added to exploit kits and was actively being exploited in the wild," Sharf says.

"The kits identified as using this particular zero day code were Cool Exploit Kit, Blackhole Exploit Kit, Red Kit, and Nuclear Exploit Pack. In the same month a new version of the infamous Blackhole Exploit Kit, by far the most popular web-based exploit kit in the underground market to date, was released."


The advertisement for the new version of Blackhole was posted on an underground forum, as is often the case when new exploit kit versions are rolled out by their authors. What's more, it was written in Russian ready for cyber criminals to use off the shelf...

Mitigating the risk

This just leaves us with the somewhat obvious, but big, question: how can your enterprise best mitigate the risks posed by exploit kits and protect against their use? Ross Parsell - who has responsibility for the Government and Commercial sector at Thales, the UK's second largest defence electronics supplier - suggests that in this era of connected devices and untrusted locations the enterprise will get the best results by looking at the bigger picture. As such, Parsell suggests the following four-step risk mitigation and protection plan:

1. Assessment

The first step is to mitigate the risk. This should be a two-pronged approach, starting with assessing what your vulnerabilities are and then performing penetration tests. These tests seek to display what could be leveraged by an attacker as a result of missing operating system patches, misconfigured web servers or web applications. In identifying what vulnerabilities lie within a particular infrastructure or web application that could easily be exploited by attackers, companies have already erected a first line of defence.

Once the exploitable vulnerability points of entry are identified, an attempt to gain access to the system or web application will be made in order to obtain evidence of compromise, which may be the result of a single vulnerability or of multiple interconnected vulnerabilities.
