Eight out of the top ten vulnerabilities exploited by cybercriminals as part of phishing, exploit kits, or remote access trojan (RAT) attacks during 2018 targeted Microsoft’s software products, continuing a trend started in 2017.
As detailed in a report by Recorded Future’s Kathleen Kuczma, Microsoft continues to be the main target of malicious actors following a similarly “busy” 2017 when the top exploited vulnerabilities changed focus from Adobe’s Flash Player.
For the second year in a row, Microsoft was consistently targeted the most, with eight of the top 10 vulnerabilities impacting its products. In 2017, seven of the top 10 vulnerabilities also affected Microsoft. Conversely, the majority of 2016 and 2015’s top vulnerabilities targeted Adobe Flash Player.
While the number of new exploit kits leveraged by bad actors during the last year dropped by 50% according to the report, two of them—Fallout and LCG Kit—abused at least one of the top three most exploited 2018 vulnerabilities.
Also, despite the serious decrease in exploit kit development activity, five new ones surfaced during the last year, with Best Pack Exploit Kit, Creep Exploit Kit, Darknet Angler, Fallout Exploit Kit, and LCG Kit being detected in multiple attacks.
As discovered by Recorded Future, ThreadKit—an exploit kit first detected as part of malicious campaigns in June 2017—remained highly active and was the most discussed exploit kit on the dark web that also incorporated at least one of the top vulnerabilities of 2018.
“ThreadKit incorporated four of the top 10 vulnerabilities (CVE-2018-4878, CVE-2017-11882, CVE-2017-0199, and CVE-2017-8570),” said Kuczma.
Unlike the previous report, Recorded Future’s new analysis of the most exploited vulnerabilities also included RATs. Despite the release of 35 new RATs, Sisfader was the only one associated with a top exploited software flaw, CVE-2017-8750, which impacts Microsoft Office.
As uncovered by Kuczma, these are the most notable and abused software flaws of last year:
• CVE-2018-8174 – the top exploited vulnerability of 2018, a Microsoft Internet Explorer vulnerability nicknamed “Double Kill,” was included in four exploit kits (RIG, Fallout, KaiXin, and Magnitude).
• CVE-2018-4878 – the second most exploited and the only Adobe Flash Player vulnerability on this year’s top 10, was included in multiple exploit kits, most notably the Fallout exploit kit, which was used to distribute GandCrab ransomware.
• CVE-2016-0189 – made the top 10 vulnerability list three years in a row, a Microsoft Internet Explorer flaw with no mitigating factors, incorporated into a variety of exploit kits over the years, as many as five in 2018 (Underminer, Magnitude, Grandsoft, KaiXin, and RIG).
• CVE-2017-11882 and CVE-2017-0199 – associated with 10 and eight pieces of malware, respectively. Both were used in Trillium’s Security Multisploit Tool, which included four of the top 10 vulnerabilities.
Recorded Future analyzed the activity of 167 exploit kits and 429 RATs throughout 2018 to identify the top exploited and referenced vulnerabilities of the previous year.
Despite their increase in usage, ETERNALBLUE and Spectre/Meltdown were not included in the top 10 because they were used mainly by state actors, seldom making an appearance in malicious campaigns coordinated by criminal underground actors.
Also, while the analysis is based on “metadata analysis of available information from open, deep, and dark web sources, Recorded Future did not reverse-engineer any malware mentioned in this piece. Instead, the aim of this report is to showcase the most exploited vulnerabilities.”