Security Experts:

Flash Player Remains Main Target of Exploit Kits: Report

The most common vulnerabilities used by exploit kits in the past year affect Flash Player, Windows, Internet Explorer and Silverlight, according to a report published on Tuesday by threat intelligence firm Recorded Future.

In its 2015 report, Recorded Future said Flash Player weaknesses represented eight of the top ten flaws leveraged by exploit kits. This year, Flash accounted for six of the top ten vulnerabilities.

The security firm’s analysis of 141 exploit kits showed that an Internet Explorer flaw tracked as CVE-2016-0189 was the most referenced on security blogs, deep web forum postings and dark web sites. The vulnerability was exploited in targeted attacks before Microsoft released a patch, but shortly after the fix became available, it was integrated into several major exploit kits, including Sundown, Neutrino, RIG and Magnitude.

The flaw that was adopted by the highest number of exploit kits is Flash Player’s CVE-2015-7645. The exploit has been integrated into Neutrino, Angler, Magnitude, RIG, Nuclear, Spartan and Hunter.

Researchers believe this exploit is popular because it affects all major operating systems, and it was the first weakness discovered after Adobe introduced a series of new mitigations.

The list of vulnerabilities adopted by multiple EKs also includes the Flash bugs tracked as CVE-2016-1019, CVE-2016-4117 and CVE-2015-8651, and a Silverlight flaw discovered by Kaspersky in November 2015. All of these security holes had been exploited in the wild when they were discovered.

While some of the most commonly used vulnerabilities identified in the latest report have been issued CVE identifiers in 2014 and 2015, Recorded Future noted that none of the issues mentioned in last year’s report carried over to the 2016 top 10.

After the Angler and Nuclear exploit kits disappeared from the scene, they were replaced by Neutrino and RIG. In October, researchers noticed that Neutrino was also either shut down or its authors stopped offering it publicly, allowing RIG to take the lead.

Recorded Future pointed out that while RIG is the leader, Sundown is also increasingly popular. First spotted in April 2015, Sundown has stolen exploits from several other EKs, but it was the first to integrate an exploit for the Internet Explorer vulnerability tracked as CVE-2015-2444. While some exploit kits deliver all sorts of malware, Sundown has focused on banking Trojans.

Related: Exploit Kit Activity Down 96% Since April

Related: Exploit Kits Take Cyberattacks to the Masses. But They're Preventable

Related: What Makes a Good Exploit Kit

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.