exploit kits Experts warn Neutrino and RIG exploit kit activity spike

[steven36]

Cyber criminals always exploit new opportunities and users’ bad habits, now crooks behind the recent campaigns relying on Neutrino and RIG exploit kits are ramping up attacks against users that haven’s patched their Adobe Flash software.

 

 

“It seems that cyber criminals are well rested and have also gotten back to the “office”, because out team has spotted a substantial increase in exploit kit activity for Neutrino, RIG and Angler.” states a blog post published by the Heimdal Security firm.

 

In August, according to Zscaler security firm, cybercriminals compromised more than 2,600 WordPress websites and deployed malicious iframes on 4,200 distinct pages. The criminals exploited vulnerable versions of WordPress 4.2, and prior, to plant the iframes which were used to redirect users to domains hosting the Neutrino exploit kit.

 

The Neutrino landing page was designed to exploit Flash Player vulnerabilities in order to serve the last variant of the popular ransomware CryptoWall 3.0. Also in this case, the variant of the Neutrino exploit kit leveraged in the attack includes the Flash Player exploits leaked in the Hacking Team breach.

 

The attackers are exploiting the remote code execution flaw in Adobe Flash to serve ransomware.

 

According to the researchers at Trustwave, in the same period, the researchers at Trustwave revealed that the developer behind the RIG exploit kit released a 3.0 version of the RIG exploit kit which includes some significant improvements to avoid the analysis of the source code.

 

Now Neutrino is used by crooks in the wild to spread the Cryptolocker 2 ransomware and variants of the Kovter malware family exploiting the Flash (CVE-2015-7645) that remained unpatched after Adobe released a critical patch in October.

 

“This new campaign also comes with added surreptitious tricks: Google Blackhat SEO poisoning and an immediate focus on using Flash Player vulnerabilities as a distribution vector.”  continues the Heimdal Security firm.

 

The researchers discovered that the new variant of the Neutrino exploit kit has the ability to determine if user’s browser and Flash player installation are vulnerable, it is also able to evade security software detection.

 

 

The campaign relying RIG exploit kit spread through drive-by attacks by using Google Blackhat SEO poisoning. The RIG 3.0 is continuously improved by including the code for the exploitation of known vulnerabilities in popular third-party applications like Adobe Flash, Adobe Reader, Adobe Acrobat and Silverlight to infect outdated Windows machines.

 

This RIG-serving campaign spread through drive-by attacks by using Google Blackhat SEO poisoning.

 

“From our data, derived from having access to RIG exploit kit version 3 panels, we have observed that this payload achieves an infection success rate of 56% on Windows 7 PCs with Internet Explorer 9. The security issues lie particularly with Adobe Flash Player and, respectively, with vulnerabilities to RIG exploit kit version 3 panels, we have observed that this payload achieves an infection success rate of 56% on Windows 7 PCs with Internet Explorer 9. The security issues lie particularly with Adobe Flash Player and, respectively, with vulnerabilities CVE-2015-5119(CVSS Score: 10) and CVE-2015-5122 (CVSS Score: 10), which are wreaking havoc among Windows-based PCs.” continues Heimdal Security.

 

When it comes to this kind of criminal campaigns, most popular exploit kits focus their capabilities to compromise outdated Adobe Flash Player installations to compromise the user’s machine.

Experts at Heimdal Security recommend to immediately update Flash Player installations and always keep all software up to date.

 

Quote

“According to Homeland Security’s cyber-emergency unit, US-CERT, as many as 85% of all targeted attacks can be prevented by applying a security patch.”

 

Source

[Holmes]

The angler exploit kit is spiking to seems every time I turn I see a spike in one particular exploit kit.  Neutrino is not new and RIG I dont remember doesnt surprise me at all (there are to many exploit kits to keep track of).  I read the source and it mentioned angler and these two there heading is wrong hahahaha.  I predicted angler before I read it in the article APTs have used angler a news article mentioned a apt malware using angler last week might have been this week I cant remember.  The last variant is cryptowall three point zero I saw somewhere read somewhere about cryptowall four point zero.  It says the neutrino exploit kit landing page was using to exploit flash player vulnerabilities I was not trying to be safe clicking on different sh*t and got a popup saying my flash player was out of date print screened it and right-clicked on the download button got the link location and sent it to virustotal where it was not detected I went to a different site and it detected it as infected with Trojan.Installcore.twofivefive sent the url and the virus name to eset just in case.  I have seen these fake flash player out of date pages before and i used common sense and I didnt get infected.  Im predicting that one of those exploits kits was responsible for that Trojan.Installcore.twofivefive infection.  Now we are seeing cryptolocker two point zero and kovter malware family thats perfect.

 

I got that message because My flash player was out of date by one version number (I restarted my computer and got a adobe flash popup and installed adobe flash to the latest version).  Keep those flash versions updated and javva and all your software and your good to go.

[dMog]

again   best lie of defense in to engage your brain  and your common sense .....not just "yes" to make popups go away... 

[Holmes]

You mean no to make popups go away.  WHen I exited out of the popup I got I didnt have a choice between yes and no I just clicked on the x button at the top lawls.