Top security flaws move to Microsoft from Adobe

News by Rene Millman

Hackers more likely to use cryptocurrency mining malware than an exploit kit, report says. Malware campaigns have shifted focus onto Microsoft and cryptocurrency mining rather than using flaws in Adobe Flash and exploit kits.

Malware campaigns have shifted focus onto Microsoft and cryptocurrency mining rather than using flaws in Adobe Flash and exploit kits, according to a new report.

Recorded Future has published its third annual report on “The Top 10 Vulnerabilities Used by Cyber-criminals”. Its research found a shift in preference from Adobe to Microsoft consumer product exploits. Criminal exploit kits and phishing campaigns favoured Microsoft products in 2017, with seven of the top 10 vulnerabilities exploited by phishing attacks and exploit kits utilising Microsoft products. It added this was in stark contrast to its previous rankings, which saw consistent exploitation of Adobe Flash vulnerabilities.

However, the analysis identified Adobe as a still popular but declining avenue of attack, with the remaining three vulnerabilities tied to the aging Flash Player. It added that some of this change is due to evolving criminal use of exploited vulnerabilities. 

“Overall, exploit kits are declining as criminal efforts have adapted. This comes as cryptocurrency mining malware popularity rose in the past year. Profiting from cryptocurrency mining has its advantages, including less time spent on collecting victim ransomware payments and the avoidance of rising Bitcoin transaction fees,” said the report's authors.

In 2017, exploit kits saw a 62 percent decline in development. Only a few exploit kits, including AKBuilder (Intel Card), Disdain (Intel Card), and Terror (Intel Card) saw significant activity. Multiple factors, including more specific victim targeting, shifts to more secure browsers, and a rise in cryptocurrency mining malware likely led to the decline.

The report said that the adoption of browsers, such as Chrome, whose default is “click to play” settings for Flash, have limited the impact of many Adobe Flash Player vulnerabilities used by criminals.

“In 2014, 80 percent of desktop Chrome users visited a site with Flash each day, per Google reporting. By July 2017 this number was 17 per cent and on the decline. Interestingly, Facebook was the top site with Flash usage by percentage of volume of internet traffic as of late 2017. It was also the top site where users enabled Flash to run,” said the report.

Scott Donnelly, vice president of Technical Solutions at Recorded Future said the observed drop in exploit kit activity overlaps with the rapid decline of Flash Player usage. 

“Users have shifted to more secure browsers, and attackers have shifted as well. Spikes in cryptocurrency mining malware and more targeted victim attacks have filled the void,” he said.

The report added that dark web forums and marketplaces continued to offer high and low-quality exploit kit options, with prices ranging from US$ 80 (£56) per day for services, to US$ 25,000 (£17,735) for full source-code access.

Bill Lummis, technical programme manager at HackerOne, told SC Media UK that one of the big things criminals look for when picking what exploits to use is ubiquity, because you want to have an exploit that works on the highest percentage of your targets possible. 

“For a long time Flash was installed essentially everywhere, which is a big part of why it was such an attractive target. With Adobe killing Flash, that's becoming less true, so with Microsoft's market share they're a logical target to increase,” he said.

Mark St John, VP of Threat Analytics Services at Cyxtera, told SC Media UK that to protect against a wide variety of client-side exploits, exploit kits, cryptominers and other unknown malware, companies should consider implementing as many safeguards as is practical to increase the potential for detection and mitigation.  

“In many cases, these attacks take advantage of vulnerabilities that should be resolved by vendor updates. A diligent patch management programme is a requirement in today's threat landscape. Additionally, companies need to ensure computer and network data is collected, monitored and analysed to identify and respond to threats in their environment,” he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews