Cybercriminals are shifting their focus from Adobe to Microsoft consumer products, and are now concentrating more on targeted attacks than on web-based exploit kits.
Each year, Recorded Future provides an analysis of criminal chatter on the dark web in its Top Ten Vulnerabilities Report. It does this because it perceives a weakness in traditional vulnerability databases and scanning tools — they do not indicate which vulnerabilities are currently being exploited, nor to what extent. Reliance on vulnerability lists alone cannot say where patching and remediation efforts should be prioritized.
“We do this analysis because the sale and use of exploits is a for-profit industry,” Recorded Future’s VP of technical solutions, Scott Donnelly told SecurityWeek. This means that exploit developers have to sell their products, while other criminals have to buy them — and this leads to the chatter that Recorded Future analyzes.
“If you’re a cybercriminal trying to make money, you have to discuss it. If you hold back too much you’re not going to make any money; so, there’s a necessity for the criminals to stick their heads up a little bit — and we can take advantage of that and call out some of the big conversations.” It assumes a correlation between chatter about a vulnerability with active exploitation of that vulnerability — an assumption that common sense rather than science suggests is reasonable.
Donnelly is confident that his firm’s knowledge of and access to the dark web is statistically valid. Nation-state activity is specifically excluded from this analysis, because, he says, “If you’re a nation-state with an exploit, or if you’re a third-party supplier of exploits to a nation state, you’re less likely to talk about it in a general criminal forum.”
At the macro level, this year’s analysis highlights a move away from Adobe vulnerabilities towards Microsoft consumer product vulnerabilities. While Flash exploits have dominated earlier annual reports, seven of the top ten (including the top five) most discussed vulnerabilities are now Microsoft vulnerabilities. “As Adobe Flash Player has begun to see its usage significantly drop, this year we find that it’s a lot of Microsoft consumer products that are seeing heavy exploitation,” says Donnelly.
The three most used vulnerabilities are CVE-2017-0199 (which allows attackers to download and execute a Visual Basic script containing PowerShell commands from a malicious document), CVE-2016-0189 (which is an old Internet Explorer vulnerability that allows attackers to use an exploit kit to drop malware, such as ransomware), and CVE-2017-0022 (which enables data theft).
A second major takeaway from the analysis is that 2017 has seen a significant drop in the development of new exploit kits. “This has been noticed before,” Donnelly told SecurityWeek, “but mainly because researchers simply haven’t seen them in action. This is now evidence that the criminals themselves aren’t talking about or trying to sell that many new kits.”
In raw numbers, Recorded Future’s analysis noted 26 new kits in 2016, but only 10 new kits in 2017 (from a total list of 158 EKs). “The observed drop in exploit kit activity,” suggests Donnelly, “overlaps with the rapid decline of Flash Player usage. Users have shifted to more secure browsers, and attackers have shifted as well. Spikes in cryptocurrency mining malware and more targeted victim attacks have filled the void.”
At the micro level, the big takeaway from this report is the anomalous position of CVE-2017-0022. It is the third most discussed vulnerability on the dark web forums, yet in relation to just two pieces of malware: exploit kits Astrum (aka Stegano) and Neutrino. This is the lowest number of associated malware in the top ten vulnerabilities — both of the two more popular vulnerabilities are associated with ten different peices of malware. CVE-2017-0199 is associated with malware including Hancitor, Dridex and FinFisher, while CVE-2016-0189 is associated with nine different exploit kits and the Magniber ransomware.
But it’s not just in malware associations that CVE-2017-0022 is anomalous. It has a Common Vulnerability Scoring System (CVSS) rating of just 4.3. The next lowest rating in the top ten vulnerabilities is 7.6, while the top two are rated at 9.3 and 7.6. CVSS defines a 4.3 score as medium risk; and yet Recorded Future’s research shows it to be the third most exploited vulnerability, commenting, “‘In the wild’ severity does not always correlate with the Common Vulnerability Scoring System (CVSS) score.”
This is a prime example of the reason for the analysis. Security teams could check the CVSS score and conclude on this evidence alone that the vulnerability does not require expedited remediation or patching. As the third most exploited vulnerability, Recorded Future’s latest threat analysis suggests otherwise.
Boston, Mass.-based Recorded Future raised $25 million in a Series E funding round led by Insight Venture Partners in October 2017 — bringing the total funding raised to $57.9 million.