Cyber crime: Exploit kits in the enterprise

The Crimepack exploit kit console (courtesy of a Qualys demo installation) that reveals stats per exploit and stats per OS.

Getting jiggy with IT: Exploit kits in action

Simon Leech, director for HP's enterprise security arm in Europe, the Middle East and Africa (EMEA), has insight into how a successful exploit kit works in the real world, typically combining any number of exploits that focus upon on both known and unknown (zero day) vulnerabilities together with a method of wrapping these all up into a single executable.

The user chooses the platform he is aiming to exploit, such as a PDF reader vulnerability or a web browser client vulnerability. The exploit kit will then handle the attack distribution as well as monitor its success rate. "The more effective exploit kits will be provided with updates from the vendor, much like the way AV vendors update their signature set," Leech says. "The kit writers will monitor the success of various exploits, and once they see the success rates dropping, they will add additional new exploits to the portfolio."

Importantly, exploit kits are also being used as just one of the 'stepping stones' in multi-vector attacks. "Whilst using an exploit kit as part of an email campaign is fairly simple to set up, attackers wishing to use their exploit on a website will first have to compromise the website they wish to infect, and then try and hide the exploit kit in the website code," Leech adds. "A couple of years ago, when version 1.0 of Blackhole was at its prime, we saw a number of high profile sites, including those belonging to USPS and MySQL, being hacked and configured to serve up Blackhole pages in an attempt to infect their visitors with various malware."

The consumerisation of cyber crime

Exploit kits are considered to be very much a consumer product on the dark market, the online underground consisting of forums and sites where hackers and cybercriminals buy and sell stolen data and the tools of their trade.

And, as Sharf explains, the popularity of one kit over another depends on the feature set it supports, the update frequency and ultimately the price.

"A recent example includes the numerous Java vulnerabilities that the Websense Security Labs discovered in January 2013 - notably the new Java zero day vulnerability (CVE-2013-0422) that was added to exploit kits and was actively being exploited in the wild," Sharf says.

"The kits identified as using this particular zero day code were Cool Exploit Kit, Blackhole Exploit Kit, Red Kit, and Nuclear Exploit Pack. In the same month a new version of the infamous Blackhole Exploit Kit, by far the most popular web-based exploit kit in the underground market to date, was released."

The advertisement for the new version of Blackhole was posted on an underground forum, as is often the case when new exploit kit versions are rolled out by their authors. What's more, it was written in Russian ready for cyber criminals to use off the shelf...

Mitigating the risk

This just leaves us with the somewhat obvious, but big, question: how can your enterprise best mitigate the risks posed by exploit kits and protect against their use? Ross Parsell - who has responsibility for the Government and Commercial sector at Thales, the UK's second largest defence electronics supplier - suggests that in this era of connected devices and un-trusted locations the enterprise will get the best results by looking at the bigger picture. As such, Parsell suggests the following four step risk mitigation and protection plan:

1. Assessment

The first step is to mitigate the risk. This should be a two pronged approach starting with assessing what your vulnerabilities are and then by performing penetration tests. These tests seek to display what could be leveraged by an attacker as a result of missing operating system patches, mis-configured web servers or web applications. In identifying what vulnerabilities lie within a particular infrastructure or web application that could easily be exploited by attackers, companies have already erected a first line of defence.

Once the exploitable vulnerability points of entry are identified, an attempt to gain access to the system or web application will be made in order to obtain evidence of compromise, which may be the result of a single vulnerability or by multiple interconnected vulnerabilities."

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at