After the fall of Angler, Nuclear and Neutrino exploit kits in 2016, dark web sites were hailing the new king, RIG EK, and its newborn variants: RIG-V and RIG-E (aka Empire). But after four months of activity, one of the king’s newborns, the promised Empire, has fallen and a new leading exploit kit has emerged.
The Nebula exploit kit came onto the scene on February 17 of this year, with evidence suggesting it’s likely a variant of Sundown. It’s been demonstrated to be distributing Pitou, Gootkit, Ramnit and DiamondFox malware as a payload.
While the exploit kit is “new” in terms of having new indicators of compromise (IOCs), it exploits some old and well-known vulnerabilities – all of which involve remote code execution, carry a critical score and have a fix available:
- CVE-2014-6332 – Windows
- CVE-2015-0016 – Windows
- CVE-2013-2551 – Internet Explorer
- CVE-2016-0189 – Internet Explorer
- CVE-2015-8651 – Flash Player
- CVE-2015-7645 – Flash Player
- CVE-2016-4117 – Flash Player
Angler, Sundown, RIG, Neutrino and Terror exploit kits also utilized these same vulnerabilities.
So is there a new exploit kit out there? Yes, but that’s not the important question. The kits change their name, IOCs and landing pages, but in many ways, it’s really just dressing up the exploitation of the same old vulnerabilities.
While exploit kits allow crimeware with a distributed business model to wreak havoc on individuals and businesses alike, this habit of re-using old tricks should be seen as a gift to vulnerability management. While the IOCs and behavior of the EKs are constantly modified by their authors in order to avoid detection, the set of exploits used by these EKs remains relatively stable. In many cases it is safer and more efficient to handle the relevant vulnerabilities in advance instead of sitting and waiting for the exploit kits to attack.
Vulnerabilities known to be exploited in the wild, and specifically those bundled in exploit kits, should be prioritized for immediate mitigation. As seen from the list above, patches are often available due to the age and publicity of these vulnerabilities; if patching isn’t an option, compensating controls like IPS signatures or firewall rules can limit the vulnerabilities’ exposure.
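As an added illustration of that prioritization (example code, not from the original post or any vendor tool), the function below orders constructed scanner findings so that the exploit-kit-bundled CVEs listed above come first and assigns each one the action the post recommends: patch where a fix exists, otherwise a compensating control. Hosts, severities, patch states and the placeholder CVE-EXAMPLE-0001 are hypothetical; only the seven CVE identifiers come from the post.

```python
from dataclasses import dataclass

# The seven CVEs the post lists as used by Nebula (and by Angler, Sundown, RIG,
# Neutrino and Terror), with the affected product as named in the post.
EK_BUNDLED = {
    "CVE-2014-6332": "Windows",
    "CVE-2015-0016": "Windows",
    "CVE-2013-2551": "Internet Explorer",
    "CVE-2016-0189": "Internet Explorer",
    "CVE-2015-8651": "Flash Player",
    "CVE-2015-7645": "Flash Player",
    "CVE-2016-4117": "Flash Player",
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass
class Finding:
    host: str
    cve: str
    severity: str
    patch_available: bool  # can the vendor fix be applied on this host?

def action_for(f: Finding) -> str:
    """Patch when a fix can be applied; otherwise fall back to a compensating control."""
    if f.patch_available:
        return "patch"
    return "compensating control (IPS signature / firewall rule)"

def triage(findings):
    """Order findings for remediation: exploit-kit-bundled CVEs first, then by
    severity, then by host, each tagged with the recommended action."""
    ordered = sorted(findings, key=lambda f: (
        f.cve not in EK_BUNDLED, SEVERITY_RANK.get(f.severity, 9), f.host))
    return [{"host": f.host, "cve": f.cve, "in_exploit_kit": f.cve in EK_BUNDLED,
             "product": EK_BUNDLED.get(f.cve, "n/a"), "action": action_for(f)}
            for f in ordered]

# Constructed sample scanner output: hosts, severities and patch states are
# hypothetical; CVE-EXAMPLE-0001 is a placeholder for a non-exploit-kit finding.
SAMPLE_FINDINGS = [
    Finding("ws-01", "CVE-2016-4117", "critical", True),
    Finding("ws-02", "CVE-EXAMPLE-0001", "high", True),
    Finding("kiosk-07", "CVE-2016-0189", "critical", False),  # patching not an option here
    Finding("ws-03", "CVE-2014-6332", "critical", True),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(row)
```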
By mitigating these vulnerabilities, you take a fundamental step in neutralizing attacker tools not just in the Nebula exploit kit, but in the others that rely on these exploits.