One of the things that has been noteworthy in our recent quarterly threat roundup report, “Hazards Ahead: Current Vulnerabilities Prelude Impending Attacks,” is the resurgence of exploit kits in 2015. Exploit kits are tools that are meant to make it easy for attackers to exploit vulnerabilities in software in order to load malware on the target’s computer.
Exploit kits aren’t new: we’ve seen this threat for a few years now. But what is notable is how widespread exploit kits have become and how aggressive their makers are in adding new vulnerabilities to them.
This is especially true for the Angler Exploit Kit, which in the past two quarters has rocketed past other exploit kits in terms of its distribution and sophistication.
Angler isn’t new: as we outline in our March 2015 report “Evolution of Exploit Kits,” Angler first came on the scene in 2013. Through the first quarter of 2015, Angler was a leading exploit kit: it was part of the resurgence in exploit kit attacks that we saw in 2015 (fueled in part by the increased problems with Adobe Flash vulnerabilities). But, Angler wasn’t the top exploit kit then: it was lagging behind the Nuclear Exploit kit which was packing more attacks against vulnerabilities and was more widespread.
Starting in the second quarter of 2015, though, we saw Angler jump ahead to become the leading exploit kit. In that quarter, Angler’s creators were aggressive in adding new Adobe Flash vulnerabilities to the kit (adding 10 of 11 new Flash vulnerabilities in that quarter). In that quarter we also saw Angler’s numbers triple, accounting for 45 percent of the exploit kit-related URLs in that quarter.
The third quarter saw Angler continue to outpace other exploit kits. Angler Exploit Kit-related URLs jumped from 1.8 million in the second quarter to 2.4 million in the third. To set context, the Nuclear Exploit Kit, which was on top in the first quarter, accounted for only 476,000 exploit kit-related URLs. On a side note, Nuclear has actually dropped to No. 3, with the Magnitude Exploit Kit moving to No. 2 at 480,000 URLs.
Angler is also leading the pack in terms of incorporating attacks against vulnerabilities. As of the third quarter, Angler’s creators had incorporated attacks against 13 new vulnerabilities into the kit in 2015. Both Nuclear and Magnitude had incorporated 9 new vulnerabilities in 2015. Like other exploit kits, Angler was fast to jump on the Hacking Team leak bandwagon by incorporating Adobe Flash vulnerabilities found in the leaked data. And while this is outside the scope of our third quarter report, it’s worth noting that Angler (and Nuclear) also incorporated attacks against vulnerabilities our researchers found being used in the ongoing Pawn Storm campaign.
Angler also distinguished itself in the third quarter in terms of attacks. In July 2015, our researchers found that Angler had added point-of-sale (PoS) systems to its target list. At the end of September, 3,000 high-profile sites in Japan were successfully hit with an Angler malvertising attack. This attack exposed about half a million users to Angler-infected ads, at a rate of about 100,000 per day between September 3 and September 23, 2015.
Taking this all together shows that Angler has become a noteworthy and significant threat. It’s the leading exploit kit by any measure right now. And recent activity shows there’s no reason to expect that to change.
The speed with which Angler (and other exploit kits) is adding attacks against vulnerabilities also means that defensive planning needs to incorporate both an aggressive patching strategy and a zero-day attack protection component. For Trend Micro customers, the latter means using tools like Trend Micro™ Deep Security and Trend Micro™ OfficeScan (with Vulnerability Protection), which can protect against attacks on vulnerabilities before a full patch is deployed. Trend Micro™ Security, Trend Micro™ Smart Protection Suites, and Worry-Free Business Security offer Browser Exploit Prevention, which can protect against web-based attacks. And Trend Micro™ Deep Discovery’s existing Sandbox with Script Analyzer engine can help prevent many of these attacks out of the box.
Please add your thoughts in the comments below or follow me on Twitter: @ChristopherBudd.