analysis of the top 10 vulnerabilities of exploit kits in 2016

Posted by santillano at 2020-03-29

This article will briefly introduce the top 10 vulnerability list in the 2016 exploit kits.

previously on

From November 16, 2015 to November 15, 2016, Adobe Flash player occupied 6 seats in the 2016 vulnerability toolkit top 10 vulnerability. After Adobe official paid more attention to security issues, hackers still pay more attention to Adobe Flash player.

Microsoft's ie, windows and Silverlight are also in the top 10 this year, and some of last year's vulnerabilities unfortunately fell out this year.

Cve-2016-0189, an IE vulnerability released in 2016, is very popular with hackers, especially sundown vulnerability toolkit, whose exp was included in the company in July 2016.

Sundown, rig and neutrino filled the blank market when the angler toolkit was destroyed in June 2016. The price of these vulnerability kits ranged from $200 / week (rig) to $1500 / week (neutrino).

Cve-2015-7645 of Adobe Flash player has been included in seven vulnerability toolkits. It is the most pervasive vulnerability we have analyzed, probably because it is the first 0day generated after Adobe security innovation.

The vulnerability assessment team can do some other work by identifying vulnerabilities that are frequently used.

According to the analysis of recorded future (that is, the author's website), Adobe Flash player and Microsoft's family barrel have been exporting mainstream vulnerabilities for hackers this year, and international network games have also occupied a lot of information security headlines in 2016. As for criminals, they have been using continuously updated vulnerability kits to distribute ransomware and bank Trojans.

For the vulnerability set listed last year, recorded future updated its analysis of 141 vulnerability kits and known vulnerabilities.


The vulnerability toolkit provides CAAS (Criminal software as a service), and its creation team can earn money by improving the installation. Since this kind of vulnerability toolkit appeared in 2006, network criminals need less and less programming experience. They only need to provide corresponding payload (such as crypmic ransomware or trickbot bank Trojan horse). These payloads will be spread through the vulnerability toolkit through the hacked website or third-party malicious advertising. The support team of vulnerability toolkit will continue to add new vulnerability exp to it, improve the efficiency of users' distribution of payload, and finally bring more revenue to their own team.

The victim of the vulnerability toolkit may be visiting the hacked webpage, malicious advertisement, or being induced into the landing page of the vulnerability toolkit. Those pages that use HTML and JavaScript will identify the browsers and plug-ins of the victims, so as to prepare for the subsequent attacks of the vulnerability toolkit.

In some cases, these vulnerability kits can be rented weekly or monthly. Say $800 a week or $2000 a month. Cheap rig vulnerability kits can cost as little as $50 a day, $200 a week or $700 a month or less. As for the available vulnerability kits, neutrino is probably the most expensive, about $1500 a week or $4000 a month.

Understanding which vulnerabilities will be exploited by the vulnerability toolkit will allow better internal risk assessment.


Recorded future analyzes a large number of reference sources, including information security blogs, deep web forum posts, and dark web onion sites. The focus of this analysis is the vulnerability toolkit and vulnerability from November 6, 2015 to November 15, 2016, which is about a year since we issued our report in 2015.

As part of the study, recorded future took advantage of a list of 141 vulnerability kits (108 last year) and ranked the most commonly used vulnerabilities.

Recorded future does not reverse the malware mentioned above, but combines the data on the Internet for analysis, and then gives you a detailed description.

Vulnerabilities used in vulnerability Toolkit

Based on the feedback of vulnerability ranking in 2015, recorded future will further evaluate the vulnerabilities used in vulnerability toolkit in the future.

Cve-2015-7645 of Adobe Flash player is one of the most cited vulnerabilities. Last year, vulnerability kits such as neutrino, angle, magic, rig, nuclear pack, Spartan and Hunter all adopted Adobe's vulnerability exp.

Because cve-2015-7645 affects several systems and controls the system at the same time, it becomes a general vulnerability. In addition, it is the first 0day since Adobe introduced new security measures. Many old machines can't be taken down by old vulnerabilities. With a new version of flash, you can take it down. In addition, the vulnerability is also used by pawn storm (apt28, fortune bear), a Russian government spy organization.

Although Adobe quickly fixed the vulnerability, it still maintained a certain degree of activity due to its easy use and wide range of influence.

Unfortunately, due to the slow repair of the enterprise and the lack of awareness of the vulnerability of the home users, they have helped the continuous spread of the vulnerability.

Sundown vulnerability Toolkit

Sundown vulnerability toolkit is a rising star in the criminal world. After the collapse of some market leaders last year, sundown was widely adopted by criminals. Due to the fast update of vulnerability exp in sundown, it has formed a differentiation advantage for vulnerability toolkits such as rig.

Last year, recorded future wrote an analysis of the angler vulnerability toolkit. However, since last year's arrest of participants in malicious activities in Russia, the use of it has almost disappeared.

Researchers have exposed a large number of nuclear infrastructure, and after its withdrawal from the open market, rig and sundown have filled in the corresponding gaps. While rig is still the biggest player in the market, sundown's popularity is growing.

According to our analysis, sundown's first concern was in April 2015, when it was pointed out that it copied other tools and adopted their vulnerabilities and exploitation methods. It is known for its first integration of IE vulnerabilities (cve-2015-2444) in 2015, targeting Bank of Japan customers. Another interesting point of this malware is that it is dedicated to spreading Trojans of banks, and unlike other vulnerability kits, many rights raising tools are released from ransomware. At the same time, sundown has more black sites to spread than its competitors.


Last year's vulnerability toolkit heavily adopted Adobe's vulnerabilities, especially flash products. What's more embarrassing is that adobe security hasn't improved significantly this year. If you can, I suggest you uninstall flash.

Of course, if you need to, you can consider using Google Chrome team with the latest Flash browser. And Google Chrome uses HTML5 rendering by default, not flash.

At the same time, most browsers now block flash elements by default, unless the user actively clicks to allow.


Fix all of the vulnerabilities mentioned in this article. If it does not affect the business, please delete the software affected by the vulnerability.

Activate Adobe Flash player's click to enable features. Consider using chrome because Google Project Zero is very concerned about flash player vulnerabilities. Using browser to block ad plug-ins and hacker's vulnerability attack. Remember to back up your system often, especially those targets that are easily targeted by ransomware.

*Reference source: RF, FB Editor Editor Editor Editor, reprint from