Hackers don’t play favorites.
Criminals rob banks because that’s where the money is and, for a long time, hackers deployed exploit kits because that’s what paid off. But exploit kit deployment cratered by 62 percent in 2017 — a trend driven by the rise of cryptojacking, improved browser security and an increase in specific victim targeting, according to a new report from Recorded Future.
An exploit kit is software that automates the process of identifying and exploiting vulnerabilities on targets. Such kits are relatively easy to use and can be powerful when deployed. The exploit kit business has been around for well over a decade, providing a steady income for illicit developers and serious weapons for cybercriminals.
The 2017 decline follows major shifts in the exploit kit landscape dating back to 2016, when a number of the leaders in that market ceased operations. The trend is credited in large part to the decline in available zero-day vulnerabilities.
Cryptojacking is the act of hijacking computers to mine cryptocurrency. It’s typically done by a shady person or group aiming to get surreptitiously rich. Over the last year, it’s become one of the most common attack vectors. The Coinhive cryptojacker became the most prevalent malware online in January.
“A lot of the threat actors have wisened up,” Scott Donnelly, Recorded Future’s VP of Technical Solutions, told CyberScoop. “It’s a lot of effort to get small time victims to pay up. There are a lot of complaints on the dark web about getting paid, the lag and the customer service hackers have to provide.”
A handful of exploit kits were widely used in 2017, including the Terror, AKBuilder and Disdain kits. The price for Disdain — popularly seen as low quality compared to previous products — is $80 per day, $500 per week, $1,400 per month, or $25,000 for the full source code, according to Recorded Future.
The slow death of Adobe Flash has had an effect. The software provided the lion’s share of popular exploit kit vulnerabilities, but the technology is being effectively phased out and will finally be killed in 2020. Flash zero-days, particularly those leaked by Hacking Team, once drove the exploit kit market. Now fewer victims ever see Flash, and browsers like Chrome are better at securing its instances when it is in use.
Interestingly, the site where users most frequently still encountered Flash is Facebook, which is currently under fire for unrelated privacy and advertising issues.