Unpatched Microsoft bugs come out on top
Old security vulnerabilities continue to be leveraged in exploit kits being sold by criminals on the dark web, as organizations struggle to prioritize their mitigation response and keep up with a never-ending list of patch updates.
In its third annual vulnerability report, released today, Recorded Future said that the number of new exploit kits was decreasing, with criminals increasingly relying on dated vulnerabilities, predominantly found in Microsoft products.
The majority of vulnerabilities exploited in 2018 targeted Microsoft products, a change from the earlier pattern in which malicious programs, phishing attacks, and remote access trojans typically leveraged Adobe product flaws.
“Eight out of 10 vulnerabilities are Microsoft products, because they’re ubiquitously deployed,” Allan Liska, senior solutions architect at Recorded Future, told The Daily Swig.
“If you’re trying to target an organization, rather than a home user, you’re more likely to find a Microsoft product since we primarily see these in corporate environments.”
Liska added that the shift towards utilizing Microsoft vulnerabilities in exploit kits reflected an “ongoing professionalisation” of underground markets, both through the adoption of the CVE nomenclature and the minimal use of exploits in soon-to-be-retired software such as Adobe Flash.
“The most common vulnerabilities are from 2017 and 2016 because those still work,” said Liska. “So, if your attacks against Internet Explorer stop working, you’ll add another one. You don’t add one unless you absolutely have to.”
Dynamic risk assessment
The top exploited vulnerability was CVE-2018-8174, which featured in 567 exploit kits and was allocated a severity rating of 89 according to Recorded Future’s risk score.
“The problem with the standard CVE score is that it’s static,” Liska said. “A [Recorded Future] risk score is much more dynamic; a number of factors go into that, and it rises and falls depending on how much we see the exploit being used.”
CVE-2018-8174, a remote code execution (RCE) bug that impacted Internet Explorer, was given a score of 89 due to its prevalence in a variety of exploit kits and trojans.
“It’s also relatively easy to exploit,” Liska said. “But as more people start patching their Internet Explorer, it [CVE-2018-8174] becomes less effective in an exploit kit because criminals aren’t going to start putting in exploits that don’t work. So our risk score will drop off.”
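To make the static-versus-dynamic distinction concrete, here is an added illustration (not Recorded Future's algorithm, and not code from the report) of a toy risk score in which each observed exploit-kit sighting contributes a weight that halves every 90 days, so the score falls once kits stop carrying the exploit. The sighting dates and the CVSS-like static severities are constructed for the example; the half-life and the 10x scaling are arbitrary choices.

```python
"""Toy dynamic risk score vs. a static severity rating (illustration only)."""
from datetime import date, timedelta

# Constructed sightings: CVE -> dates it was seen carried by an exploit kit or trojan.
SIGHTINGS = {
    "CVE-2018-8174": [date(2018, 5, 1) + timedelta(days=7 * i) for i in range(20)],
    "CVE-2018-4878": [date(2018, 2, 1) + timedelta(days=7 * i) for i in range(10)],
    "CVE-2012-0158": [date(2018, 3, 1), date(2018, 6, 1)],
}
# Constructed static severities on a CVSS-like 0-10 scale; these never change.
STATIC_SEVERITY = {"CVE-2018-8174": 7.5, "CVE-2018-4878": 9.8, "CVE-2012-0158": 8.8}


def dynamic_score(cve, as_of, half_life_days=90):
    """Return a 0-99 score driven by how recently and how often exploitation was seen.

    Each sighting contributes 2 ** (-age / half_life), so recent, frequent sightings
    push the score up and it decays on its own once sightings stop.  `as_of` is an
    ISO date string such as "2018-10-01".
    """
    as_of_date = date.fromisoformat(as_of)
    weight = 0.0
    for seen in SIGHTINGS.get(cve, []):
        age = (as_of_date - seen).days
        if age >= 0:  # ignore sightings that postdate the assessment date
            weight += 2 ** (-age / half_life_days)
    return min(99, round(10 * weight))


def prioritize(unpatched, as_of):
    """Order an environment's unpatched CVEs for patching.

    Dynamic score comes first, static severity breaks ties.  Returns a list of
    (cve, dynamic_score, static_severity) tuples, highest priority first.
    """
    rows = [(c, dynamic_score(c, as_of), STATIC_SEVERITY.get(c, 0.0)) for c in unpatched]
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)


if __name__ == "__main__":
    for row in prioritize(list(SIGHTINGS), "2018-10-01"):
        print(row)
    # A year with no new sightings: the dynamic score has decayed, the static one has not.
    print(dynamic_score("CVE-2018-8174", "2019-10-01"), STATIC_SEVERITY["CVE-2018-8174"])
```

Note that CVE-2018-4878 carries the highest static severity in the constructed data yet ranks below CVE-2018-8174 at the October 2018 assessment date, because the latter was being seen far more often in kits.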
The second most detected vulnerability was CVE-2018-4878, the only one on the list affecting Adobe products – in this case, Flash Player.
The use-after-free bug was included, most notably, in the Fallout Exploit Kit, used to deliver GandCrab ransomware throughout 2018, Recorded Future said.
This was followed by CVE-2017-11882, a memory corruption vulnerability affecting Microsoft Office, seen in 223 exploit kits.
The rest of the list, Liska explained, was dedicated to other Microsoft vulnerabilities, with the exception of CVE-2015-1805 – a critical vulnerability allowing root access to Android phones.
Mac-specific malware, having increased by 270% between 2016 and 2017, according to Malwarebytes, is expected to become more prominent in tools used by criminals in the years to come.
“We’re seeing the higher end groups starting to figure out how to monetize Mac exploits,” said Liska. “They’re not necessarily easy to deploy because of the underlying operating system, so even if you can exploit Safari, you can’t easily replicate it in an exploit kit.”
Liska added: “I think in three to five years we’ll see more commoditized Mac malware.”
Recorded Future’s list of the top 10 most exploited vulnerabilities is intended to help individuals and organizations prioritize how they patch their systems. See the full list below:
CVE-2018-8174 – RCE vulnerability affecting Microsoft VBScript Engine, impacting Windows and Windows Server, found in 567 exploit kits
CVE-2018-4878 – Use-after-free bug affecting Adobe Flash Player, found in 387 exploit kits
CVE-2017-11882 – Memory corruption vulnerability affecting Microsoft Office that can lead to RCE, found in 223 exploit kits
CVE-2017-8750 – Memory corruption vulnerability affecting Microsoft browsers that can lead to RCE, found in 192 exploit kits
CVE-2017-0199 – Microsoft Office/WordPad RCE vulnerability, found in 91 exploit kits
CVE-2016-0189 – Microsoft scripting engine memory corruption vulnerability impacting Internet Explorer, found in 78 exploit kits
CVE-2017-8570 – Microsoft Office RCE, found in 68 exploit kits
CVE-2018-8373 – Scripting engine memory corruption vulnerability in Microsoft, found in 66 exploit kits
CVE-2012-0158 – Buffer overflow vulnerability in Microsoft, found in 55 exploit kits
CVE-2015-1805 – Privilege escalation flaw affecting Android OS, found in 49 exploit kits