Cyber crime: Exploit kits in the enterprise

The Crimepack exploit kit console (courtesy of a Qualys demo installation) that reveals stats per exploit and stats per OS.

Getting jiggy with IT: Exploit kits in action

Simon Leech, director for HP's enterprise security arm in Europe, the Middle East and Africa (EMEA), has insight into how a successful exploit kit works in the real world: it typically combines any number of exploits, targeting both known and unknown (zero-day) vulnerabilities, with a method of wrapping them all up into a single executable.

The user chooses the platform he is aiming to exploit, such as a PDF reader vulnerability or a web browser client vulnerability. The exploit kit will then handle the attack distribution as well as monitor its success rate. "The more effective exploit kits will be provided with updates from the vendor, much like the way AV vendors update their signature set," Leech says. "The kit writers will monitor the success of various exploits, and once they see the success rates dropping, they will add additional new exploits to the portfolio."

Importantly, exploit kits are also being used as just one of the 'stepping stones' in multi-vector attacks. "Whilst using an exploit kit as part of an email campaign is fairly simple to set up, attackers wishing to use their exploit on a website will first have to compromise the website they wish to infect, and then try and hide the exploit kit in the website code," Leech adds. "A couple of years ago, when version 1.0 of Blackhole was at its prime, we saw a number of high profile sites, including those belonging to USPS and MySQL, being hacked and configured to serve up Blackhole pages in an attempt to infect their visitors with various malware."

The consumerisation of cyber crime

Exploit kits are considered to be very much a consumer product on the dark market, the online underground consisting of forums and sites where hackers and cybercriminals buy and sell stolen data and the tools of their trade.

And, as Sharf explains, the popularity of one kit over another depends on the feature set it supports, the update frequency and ultimately the price.

"A recent example includes the numerous Java vulnerabilities that the Websense Security Labs discovered in January 2013 - notably the new Java zero day vulnerability (CVE-2013-0422) that was added to exploit kits and was actively being exploited in the wild," Sharf says.

"The kits identified as using this particular zero day code were Cool Exploit Kit, Blackhole Exploit Kit, Red Kit, and Nuclear Exploit Pack. In the same month a new version of the infamous Blackhole Exploit Kit, by far the most popular web-based exploit kit in the underground market to date, was released."

The advertisement for the new version of Blackhole was posted on an underground forum, as is often the case when new exploit kit versions are rolled out by their authors. What's more, it was written in Russian ready for cyber criminals to use off the shelf...

Mitigating the risk

This just leaves us with the somewhat obvious, but big, question: how can your enterprise best mitigate the risks posed by exploit kits and protect against their use? Ross Parsell - who has responsibility for the Government and Commercial sector at Thales, the UK's second largest defence electronics supplier - suggests that in this era of connected devices and untrusted locations the enterprise will get the best results by looking at the bigger picture. As such, Parsell suggests the following four-step risk mitigation and protection plan:

1. Assessment

The first step is to mitigate the risk. This should be a two-pronged approach, starting with assessing what your vulnerabilities are and then performing penetration tests. These tests seek to show what could be leveraged by an attacker as a result of missing operating system patches, misconfigured web servers or web applications. In identifying what vulnerabilities lie within a particular infrastructure or web application that could easily be exploited by attackers, companies have already erected a first line of defence.

Once the exploitable vulnerability points of entry are identified, an attempt to gain access to the system or web application will be made in order to obtain evidence of compromise, which may be the result of a single vulnerability or of multiple interconnected vulnerabilities.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.