7 Most Used Exploits In The Wild, According to Bitdefender

HTML5 Browser Exploit Floods Hard Drives with Data

Heartbleed, Shellshock and Poodle gave the world a sudden shock in 2014 – their severity and widespread effect left hundreds of millions of users uncertain of their safety.  But do cyberattacks really strike out of the blue?

The past few years have been marked by the emergence of exploit kits. These tools are usually hosted on compromised servers and served like regular web pages. Once the user lands on one of these pages, their browser is inspected and a specific type of content is served to make it crash. After crashing, a payload is executed without user interaction and the computer silently becomes infected.

From there on, the compromised PC can be joined to a generic botnet where it is being rented per hour to take part in financial fraud, DDoS attacks, malware hosting, spam sending and anonymized access. Or it can be infected with a specific malware (crypto-ransomware or bitcoin miners).

Bitdefender has looked into the most frequently used exploits that have impacted the largest number of PCs in the past six months. And the results show just how versatile and dangerous vulnerabilities really are.

Since most users neglect to update their software, attackers target flaws or weaknesses in old, outdated applications, as well as in operating systems. Exploits predictably arrive disguised as email attachments, compromised websites and other social engineering schemes. Once executed by the user, they allow cybercriminals to completely take over the system, steal data or prevent the software from working at all.

Still, hard facts show that no piece of software is really impenetrable. Recently, at the 2015 Pwn2Own hacking competition, 21 critical bugs were found in all four major browsers, as well as Windows, Adobe Flash and Adobe Reader.

According to our internal telemetry, these are the seven most exploited vulnerabilities of the last six months:

  1. CVE-2013-2551

Use-after-free vulnerability in Microsoft Internet Explorer, versions 6 through 10. This flaw allows remote attackers to execute arbitrary code via a crafted website that triggers access to a deleted object, as demonstrated by competition in 2013. The company’s IE10 hack bypassed all protections built into Windows 8 and IE and allowed code to be executed without crashing the browser.

What this means: when the user visits a compromised web page with a vulnerable version of Internet Explorer, the browser will attempt to render its contents. Because it is malformed, the contents will crash a sub-component of the browser and pass control to the payload (the malware that needs to be installed on the vulnerable PC).

Kits currently included in: Neutrino Exploit Kit, Fiesta Exploit Kit, Hitman Exploit Kit, Styx, Magnitude EK, Nuclear Pack, Sweet Orange EK, FlashPack and Angler.

  1. CVE-2014-6352

First exploited in the wild in October 2014, this vulnerability affects a wide range of software, including Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1. This flaw allows remote attackers to execute arbitrary code via a crafted OLE (Object Linking and Embedding) object. OLE is a proprietary technology developed by Microsoft that allows embedding and linking to documents and other objects.

In order for an attack to succeed, the victim needs to open a specially crafted PowerPoint document that includes a malicious payload. Once opened, the .ppt document runs code that will execute with user privileges. From there on, the attacker can daisy-chain another exploit to escalate its privileges to local administrator.

No consumer-grade exploit pack currently includes this. This threat is mostly spread via email spam.

  1. CVE-2011-3544.R

An unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier. Allows remote untrusted Java Web Start applications and untrusted Java applets to compromise a system.

Java Web Start allows users to download and run Java applications from the web and is included in the Java Runtime Environment (JRE) since the release of Java 5.0.

How this works: A compromised website would try to load a malformed Java applet. The code inside can gain elevated privileges and run outside of its sandbox.

Currently included in exploit kits: Bleeding life, CK VIP, CritXpack.

  1. CVE-2014-0515.C

Causes buffer overflow in certain versions of Adobe Flash Player, on Windows, Linux and OS X. Allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.

How this works: When the browser lands on a compromised web page, the Adobe Player browser plugin attempts to play the file. However, the ActionScript code inside modifies the natural flow of the program, pointing it to a malicious payload.

Currently included in Angler Exploit Kit, Archie, Astrum Exploit Kit, Blackhole, Flash exploit kit, Hanjuan, Neutrino, Niteris, Nuclear Exploit Kit, Null Hole, Rig and Sweet Orange.

  1. CVE-2014-1776.A

Use-after-free vulnerability in Microsoft Internet Explorer 6 through 11, this allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via vectors related to the CMarkup::IsConnectedToPrimaryMarkup function.

Once the user navigates to a malicious web page, the browser attempts to load a Flash SWF file. Because of the way it is crafted, the SWF file modifies the program’s memory by overwriting particular areas on it.  Instead of rendering the SWF file, Flash Player ends up executing malicious code that compromises the system.

Currently included in Infinity / Redkit / Goon, Sednit and Angler.

  1. CVE-2010-0840.AU

Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business. Allows remote attackers to affect confidentiality, integrity and availability via unknown vectors.

Currently included in Nuclear Pack v 2.6, Dragon Pack, Hierarchy Exploit Kit and Blackhole.

  1. CVE-2012-0158.A

Affects Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime. Allows remote attackers to execute arbitrary code via a crafted website, an Office document, or .rtf file that triggers “system state” corruption, as exploited in the wild in April 2012, as “MSCOMCTL.OCX RCE Vulnerability.”

How this works: This is a multi-stage attack that starts with the victim opening a malicious RTF file that arrives attached to spam messages. When the document is opened, specially crafted code bypasses the Data Execution Protection subsystem, then decrypts the obfuscated payload and loads it in the memory. Complex code then jumps execution to the memory location the payload resides.

This exploit has been mostly used in the wild to plant ransomware.

Currently not included in any commercially-available exploit kits.

About the author

Alexandra GHEORGHE

Alexandra started writing about IT at the dawn of the decade - when an iPad was an eye-injury patch, we were minus Google+ and we all had Jobs. She has since wielded her background in PR and marketing communications to translate binary code to colorful stories that have been known to wear out readers' mouse scrolls. Alexandra is also a social media enthusiast who 'likes' only what she likes and LOLs only when she laughs out loud.

Add Comment

Click here to post a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.