{"uuid": "93b65820-a9fb-49c8-b7e2-6089b3c021bb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2017-0199", "type": "exploited", "source": "https://t.me/information_security_channel/15309", "content": "The Top Vulnerabilities Exploited by Cybercriminals\nhttp://feedproxy.google.com/~r/Securityweek/~3/LZdKf59wwhs/top-vulnerabilities-exploited-cybercriminals\n\nCybercriminals are shifting their focus from Adobe to Microsoft consumer products, and are now concentrating more on targeted attacks than on web-based exploit kits.\nEach year, Recorded Future provides an analysis of criminal chatter on the dark web in its Top Ten Vulnerabilities Report (https://go.recordedfuture.com/hubfs/reports/cta-2018-0327.pdf?utm_source=SecurityWeek). It does this because it perceives a weakness in traditional vulnerability databases and scanning tools -- they do not indicate which vulnerabilities are currently being exploited, nor to what extent. Reliance on vulnerability lists alone cannot say where patching and remediation efforts should be prioritized.\u00a0\n\"We do this analysis because the sale and use of exploits is a for-profit industry,\" Recorded Future's VP of technical solutions, Scott Donnelly told SecurityWeek. This means that exploit developers have to sell their products, while other criminals have to buy them -- and this leads to the chatter that Recorded Future analyzes.\u00a0\n\"If you're a cybercriminal trying to make money, you have to discuss it. 
If you hold back too much you're not going to make any money; so, there's a necessity for the criminals to stick their heads up a little bit -- and we can take advantage of that and call out some of the big conversations.\" It assumes a correlation between chatter about a vulnerability and active exploitation of that vulnerability -- an assumption that common sense rather than science suggests is reasonable.\nDonnelly is confident that his firm's knowledge of and access to the dark web is statistically valid. Nation-state activity is specifically excluded from this analysis, because, he says, \"If you're a nation-state with an exploit, or if you're a third-party supplier of exploits to a nation state, you're less likely to talk about it in a general criminal forum.\"\nAt the macro level, this year's analysis highlights a move away from Adobe vulnerabilities towards Microsoft consumer product vulnerabilities. While Flash exploits have dominated earlier annual reports, seven of the top ten (including the top five) most discussed vulnerabilities are now Microsoft vulnerabilities. 
\"As Adobe Flash Player has begun to see its usage significantly drop, this year we find that it's a lot of Microsoft consumer products that are seeing heavy exploitation,\" says Donnelly.\nThe three most used vulnerabilities are CVE-2017-0199 (https://www.securityweek.com/attackers-combine-office-exploits-avoid-detection) (which allows attackers to download and execute a Visual Basic script containing PowerShell commands from a malicious document), CVE-2016-0189 (https://www.securityweek.com/ie-exploit-added-neutrino-after-experts-publish-poc) (which is an old Internet Explorer vulnerability that allows attackers to use an exploit kit to drop malware, such as ransomware), and CVE-2017-0022 (https://www.securityweek.com/stegano-exploit-kit-adopts-diffie-hellman-algorithm) (which enables data theft).\nA second major takeaway from the analysis is that 2017 has seen a significant drop in the development of new exploit kits. \"This has been noticed before,\" Donnelly told SecurityWeek, \"but mainly because researchers simply haven't seen them in action. This is now evidence that the criminals themselves aren't talking about or trying to sell that many new kits.\"\nIn raw numbers, Recorded Future's analysis noted 26 new kits in 2016, but only 10 new kits in 2017 (from a total list of 158 EKs). \"The observed drop in exploit kit activity,\" suggests Donnelly, \"overlaps with the rapid decline of Flash Player usage. Users have shifted to more secure browsers, and attackers have shifted as well. Spikes in cryptocurrency mining malware and more targeted victim attacks have filled the void.\"", "creation_timestamp": "2018-03-27T17:55:16.000000Z"}