Neptune EK Still Alive and Well and Driving Malvertising

Exploit kit (EK) activity has been on the decline ever since Angler Exploit Kit was shut down in 2016—but at least one, the Neptune EK, is alive and well—and driving major malvertising campaigns. Unfortunately, this indicates a poor patch management posture across the board.

According to FireEye, Neptune (aka Terror EK) initially started as a Sundown EK copycat operation and has relied heavily on malvertisements from the beginning, often dropping cryptocurrency miners. In its latest campaign, it abuses a legitimate popup ad service (within Alexa’s top 100) with redirects to ads about hiking clubs. The fake domains involved in these redirects imitate real domains, and are hard for the victims to identify as fraudulent.

Domains associated with these ads eventually use HTTP 302 redirects to send victims to exploit kit landing pages; the landing page checks which Flash versions are installed on the victim’s machine and then redirects to further HTML and Adobe Flash exploit links. The EK attempts multiple vulnerabilities in one run, namely three Internet Explorer exploits and two Flash exploits.
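The redirect chain just described, reconstructed from proxy logs as an added defensive example (not FireEye’s or the article’s code): it follows 302 Location hops made by the same client and flags chains that start at an ad domain and end on a landing host from which that client then fetches a .swf. The simplified log format, the placeholder domains and the AD_DOMAINS list are constructed assumptions, not indicators from the campaign.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log: client, HTTP status, requested URL,
# Location header (or "-"). Domains are placeholders, not real indicators.
SAMPLE_LOG = """\
10.0.0.5 200 http://popup-ads.example/serve?zone=1 -
10.0.0.5 302 http://popup-ads.example/click?id=77 http://hiking-club.example/offer
10.0.0.5 302 http://hiking-club.example/offer http://lander.example/index.html
10.0.0.5 200 http://lander.example/index.html -
10.0.0.5 200 http://lander.example/flash_check.js -
10.0.0.5 200 http://lander.example/payload.swf -
10.0.0.9 302 http://shop.example/old http://shop.example/new
10.0.0.9 200 http://shop.example/new -
"""

# Ad/popup domains the analyst treats as chain starts (assumption).
AD_DOMAINS = {"popup-ads.example"}

def parse_log(text):
    events = []
    for line in text.splitlines():
        client, status, url, location = line.split()
        events.append({"client": client, "status": int(status), "url": url,
                       "location": None if location == "-" else location})
    return events

def redirect_chains(events):
    """Return (client, [ad_url, hop, ..., landing]) for every 302 chain that
    begins at an ad domain, following Location hops made by the same client."""
    by_client_url = {}
    for ev in events:
        by_client_url.setdefault((ev["client"], ev["url"]), ev)
    chains = []
    for ev in events:
        if ev["status"] != 302 or urlparse(ev["url"]).hostname not in AD_DOMAINS:
            continue
        chain, nxt = [ev["url"]], ev["location"]
        while nxt and nxt not in chain:          # guard against redirect loops
            chain.append(nxt)
            hop = by_client_url.get((ev["client"], nxt))
            nxt = hop["location"] if hop and hop["status"] == 302 else None
        chains.append((ev["client"], chain))
    return chains

def flag_flash_landings(events):
    """Keep chains whose landing host later serves a .swf to the same client."""
    swf_hosts = defaultdict(set)
    for ev in events:
        parsed = urlparse(ev["url"])
        if parsed.path.lower().endswith(".swf"):
            swf_hosts[ev["client"]].add(parsed.hostname)
    return [(client, chain) for client, chain in redirect_chains(events)
            if urlparse(chain[-1]).hostname in swf_hosts[client]]
```

On the constructed log the chain from the ad click through the hiking-club hop to the landing page is flagged, while the ordinary 302 on shop.example is not.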

Most of the ads linked to this campaign have been observed on high-traffic torrent and multimedia hosting sites, FireEye noted.

“Despite an observable decline in exploit kit activity, users are still at risk, especially if they have outdated or unpatched software,” FireEye researchers noted in a blog post. “This threat is especially dangerous considering that drive-by exploit kits (such as Neptune EK) can use malvertisements to seamlessly download payloads without ever alerting the user.”

Fewer people using Internet Explorer and a drop in browser support for Adobe Flash—two primary targets of many exploit kits—have contributed to the decline in EK use. However, Neptune’s continued success rests largely with the fact that patch management and getting end users and organizations to promptly apply patches for their critical applications remains a challenge.

One indicator of this is EK vulnerability integration: the addition to an exploit kit of exploit code targeting known vulnerabilities, which are usually tracked by CVE identifiers.

“Activity is not the only exploit kit characteristic that has been decreasing lately,” said Lane Thames, senior security researcher at Tripwire, via email. “Vulnerability integration, aka CVE integration, within the few exploit kits that are still active, has also decreased significantly within the last one to one-and-a-half years.”

“Lately, security researchers have provided numerous theories describing reasons for decreased exploit kit activity,” he added. “It’s an interesting thought experiment. Regardless of the real reasons, what we do know is that some exploit kits are still active, yet they continue to capitalize on older vulnerabilities for which patches have been available for months, if not years. This implies that there is no need to improve exploit kit success rates via the integration of exploit code for newly released vulnerabilities because older exploit code still works effectively. Hence, the reason we don’t see very much new integration.”

Besides ensuring appropriate patching of software, users can protect themselves from exploit kit-based attacks by using caution when clicking on hyperlinks, especially those that come in via email. Social engineering and phishing attacks are the most successful drivers of exploit kit-based attacks, Thames said.
