Flash Player Remains Main Target of Exploit Kits: Report

The most common vulnerabilities used by exploit kits in the past year affect Flash Player, Windows, Internet Explorer and Silverlight, according to a report published on Tuesday by threat intelligence firm Recorded Future.

In its 2015 report, Recorded Future said Flash Player weaknesses represented eight of the top ten flaws leveraged by exploit kits. This year, Flash accounted for six of the top ten vulnerabilities.

The security firm’s analysis of 141 exploit kits showed that an Internet Explorer flaw tracked as CVE-2016-0189 was the most referenced on security blogs, deep web forum postings and dark web sites. The vulnerability was exploited in targeted attacks before Microsoft released a patch, but shortly after the fix became available, it was integrated into several major exploit kits, including Sundown, Neutrino, RIG and Magnitude.

The flaw that was adopted by the highest number of exploit kits is Flash Player’s CVE-2015-7645. The exploit has been integrated into Neutrino, Angler, Magnitude, RIG, Nuclear, Spartan and Hunter.

Researchers believe this exploit is popular because it affects all major operating systems, and it was the first weakness discovered after Adobe introduced a series of new mitigations.

The list of vulnerabilities adopted by multiple EKs also includes the Flash bugs tracked as CVE-2016-1019, CVE-2016-4117 and CVE-2015-8651, and a Silverlight flaw discovered by Kaspersky in November 2015. All of these security holes had been exploited in the wild when they were discovered.

While some of the most commonly used vulnerabilities identified in the latest report were issued CVE identifiers in 2014 and 2015, Recorded Future noted that none of the issues mentioned in last year’s report carried over to the 2016 top 10.

After the Angler and Nuclear exploit kits disappeared from the scene, they were replaced by Neutrino and RIG. In October, researchers noticed that Neutrino had also either been shut down or was no longer being offered publicly by its authors, allowing RIG to take the lead.

Recorded Future pointed out that while RIG is the leader, Sundown is also increasingly popular. First spotted in April 2015, Sundown has stolen exploits from several other EKs, but it was the first to integrate an exploit for the Internet Explorer vulnerability tracked as CVE-2015-2444. While some exploit kits deliver all sorts of malware, Sundown has focused on banking Trojans.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
