Exploit Kits, Once a Favorite of Cybercriminals, Move To Private Marketplaces

Hacking tools often follow a trend: They’re developed by an individual or group, others adopt it if it works well, and—once organizations become aware of it and start defending themselves—their use declines until they eventually disappear.

On the surface, cybersecurity professionals might think that exploit kits are at the tail end of this trend. Exploit kits, which are essentially programs that automate the process of finding and exploiting vulnerabilities, have been around for more than a decade and likely reached their peak in the early 2010s, according to Roman Saanikov, director of cybercrime and underground intelligence at Recorded Future. They were widely adopted by cybercriminals because they’re relatively easy to use and can be powerful weapons for breaking into a victim’s systems or applications.

Over the last five or so years, however, the use of exploit kits has dropped significantly, according to a report released today by Recorded Future. In 2018, the number of new exploit kits sank by about 50%, and since then cybersecurity researchers have tracked only a handful of public exploit kits, Saanikov said. “Nobody is really talking about exploit kits anymore,” he added.

The move away from exploit kits can even be seen in real-time: Last month, security researchers observed that a malware campaign dubbed Malsmoke recently changed tactics, switching from exploit kits to social engineering to target visitors of a porn website.

Part of the reason why exploit kits have declined is that organizations have gotten better at patching—exploit kits are only successful if companies leave their vulnerabilities wide open to be exploited. Many businesses have also launched bug bounty programs in recent years, which pay security researchers to find the vulnerabilities that are often targeted by exploit kits.

But while it seems like exploit kits are a thing of the past, the Recorded Future report found that cybercriminals still use them—they’ve just moved from openly selling them on the dark web to trafficking them in private channels.

“If you’re selling exploit kits openly on the dark web, they’re more likely to be identified by researchers and patched,” Saanikov said. “But if they’re privately held, it’s more likely they’ll be able to be held longer and you and your clients will be able to exploit it longer.”

Saanikov said that his team has been approached by cybercriminals interested in privately offering their exploit kits. Typically, hackers find these sellers through a trusted community or word of mouth, and pay a flat fee or a commission based on what they end up distributing via the exploit kit, such as ransomware.

As long as an exploit kit can target vulnerabilities that companies aren’t aware of, criminals and even nation-state hackers will use them, Saanikov said. The recent breach reported by FireEye, in which an attacker suspected of being associated with the Russian government stole the cybersecurity giant’s arsenal of hacking tools, could essentially be seen as an exploit kit, he said. The same thing goes for the 2017 heist of NSA tools by the mysterious group known as the Shadow Brokers.

“I’m not saying exploit kits are what they used to be eight or ten years ago, but it’s something people still need to be aware of, and is being used as  a Swiss Army knife,” Saanikov said.