IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Cyber crime: Exploit kits in the enterprise

Cyber crime is big business and exploit kits represent one of the most critical security challenges facing the enterprise today...

The Crimepack exploit kit console (courtesy of a Qualys demo installation) that reveals stats per exploit and stats per OS.

Getting jiggy with IT: Exploit kits in action

Simon Leech, director for HP's enterprise security arm in Europe, the Middle East and Africa (EMEA), has insight into how a successful exploit kit works in the real world, typically combining any number of exploits that focus upon on both known and unknown (zero day) vulnerabilities together with a method of wrapping these all up into a single executable.

The user chooses the platform he is aiming to exploit, such as a PDF reader vulnerability or a web browser client vulnerability. The exploit kit will then handle the attack distribution as well as monitor its success rate. "The more effective exploit kits will be provided with updates from the vendor, much like the way AV vendors update their signature set," Leech says. "The kit writers will monitor the success of various exploits, and once they see the success rates dropping, they will add additional new exploits to the portfolio."

Importantly, exploit kits are also being used as just one of the 'stepping stones' in multi-vector attacks. "Whilst using an exploit kit as part of an email campaign is fairly simple to set up, attackers wishing to use their exploit on a website will first have to compromise the website they wish to infect, and then try and hide the exploit kit in the website code," Leech adds. "A couple of years ago, when version 1.0 of Blackhole was at its prime, we saw a number of high profile sites, including those belonging to USPS and MySQL, being hacked and configured to serve up Blackhole pages in an attempt to infect their visitors with various malware."

The consumerisation of cyber crime

Exploit kits are considered to be very much a consumer product on the dark market, the online underground consisting of forums and sites where hackers and cybercriminals buy and sell stolen data and the tools of their trade.

And, as Sharf explains, the popularity of one kit over another depends on the feature set it supports, the update frequency and ultimately the price.

"A recent example includes the numerous Java vulnerabilities that the Websense Security Labs discovered in January 2013 - notably the new Java zero day vulnerability (CVE-2013-0422) that was added to exploit kits and was actively being exploited in the wild," Sharf says.

"The kits identified as using this particular zero day code were Cool Exploit Kit, Blackhole Exploit Kit, Red Kit, and Nuclear Exploit Pack. In the same month a new version of the infamous Blackhole Exploit Kit, by far the most popular web-based exploit kit in the underground market to date, was released."

The advertisement for the new version of Blackhole was posted on an underground forum, as is often the case when new exploit kit versions are rolled out by their authors. What's more, it was written in Russian ready for cyber criminals to use off the shelf...

Mitigating the risk

This just leaves us with the somewhat obvious, but big, question: how can your enterprise best mitigate the risks posed by exploit kits and protect against their use? Ross Parsell - who has responsibility for the Government and Commercial sector at Thales, the UK's second largest defence electronics supplier - suggests that in this era of connected devices and un-trusted locations the enterprise will get the best results by looking at the bigger picture. As such, Parsell suggests the following four step risk mitigation and protection plan:

1. Assessment

The first step is to mitigate the risk. This should be a two pronged approach starting with assessing what your vulnerabilities are and then by performing penetration tests. These tests seek to display what could be leveraged by an attacker as a result of missing operating system patches, mis-configured web servers or web applications. In identifying what vulnerabilities lie within a particular infrastructure or web application that could easily be exploited by attackers, companies have already erected a first line of defence.

Once the exploitable vulnerability points of entry are identified, an attempt to gain access to the system or web application will be made in order to obtain evidence of compromise, which may be the result of a single vulnerability or by multiple interconnected vulnerabilities."

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Recommended

Hackers could use new Wslink malware in highly targeted cyber attacks
malware

Hackers could use new Wslink malware in highly targeted cyber attacks

1 Nov 2021
FBI raids Chinese POS business following cyber attack claims
malware

FBI raids Chinese POS business following cyber attack claims

27 Oct 2021
Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021

Most Popular

Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
Microsoft successfully tests emission-free hydrogen fuel cell system for data centres
data centres

Microsoft successfully tests emission-free hydrogen fuel cell system for data centres

29 Jul 2022