Black Hole, Phoenix Attack Kits Target Older Flaws


Automated attack toolkits, designed to help cybercriminals carry out widespread attacks, are most successful at targeting outdated, well-known vulnerabilities. And, according to a recent analysis, many companies are failing to deploy the patches that repair them.

That was the finding of the latest quarterly threat report issued by Solutionary, an Omaha, Neb.-based managed security services provider, which provided analysis of the threats its team was seeing in the fourth quarter of 2012. The company said 58 percent of the vulnerabilities targeted by well-known exploit kits are more than two years old.

Solutionary conducted a review of 26 common exploit kits and found the presence of exploit code dating as far back as 2004. Many of the exploits target vulnerabilities in software that was patched in 2010 and 2011, the company said.

"This corroborates the fact that the number of newly discovered and disclosed vulnerabilities each year has dropped over the last two years since the surge of vulnerability disclosures in 2010," Solutionary noted in its report.

Zero-day vulnerabilities, coding errors that are not yet patched by a software maker, are frequently highlighted as a major problem. Oracle rushed out an emergency update last week to repair a Java vulnerability incorporated into the Black Hole exploit kit. But organizations are failing to deploy patches to repair known flaws, Solutionary said, including coding errors in browser components such as Adobe Flash Player and Java.

Black Hole was the most widely used exploit toolkit followed by Phoenix and Eleonore, according to the analysis. Authentication attacks made up 42 percent of endpoint security issues seen by the security company, followed by denial of service (32 percent) and Web application security (17 percent).

Nearly 70 percent of the exploit kits reviewed by Solutionary were released or developed in Russia. Black Hole, which was created in Russia, is known for infecting systems through Web-based attacks. The kit is often rented out to cybercriminals who then infect legitimate websites with malicious code, setting up drive-by attacks for unsuspecting visitors. Solutionary said 30 percent of the samples it analyzed were traced back to JavaScript malware variants, all of them used with the Black Hole exploit kit.

"BlackHole 2.0, despite being the most often used exploit kit based on volume, targets fewer vulnerabilities than other exploit kits," Solutionary said. "The most versatile of these, Phoenix, supports roughly 16 percent of all vulnerabilities being exploited."

Meanwhile, Phoenix dates back to 2007 and, according to an analysis of the attack toolkit conducted by Websense, the kit serves a visiting computer one of several landing pages, each designed to exploit a different vulnerability. Both kits exploit a number of already patched Java vulnerabilities, Internet Explorer flaws and coding errors in Adobe Reader and Acrobat.

PUBLISHED JAN. 23, 2013