With cryptojacking rising, exploit kits rapidly decline

Hackers don’t play favorites.

Criminals rob banks because that’s where the money is and, for a long time, hackers deployed exploit kits because that’s what worked. But exploit kit development cratered by 62 percent in 2017, driven by the rise of cryptojacking, improved browser security and specific victim targeting, according to a new report from Recorded Future.

An exploit kit is software that automates the process of identifying and exploiting vulnerabilities on targets. They’re relatively easy to use and can be powerful when deployed. The exploit kit business has been around for well over a decade, providing a steady income for illicit developers and serious weapons for cybercriminals.

The 2017 decline follows major shifts in the exploit kit landscape dating back to 2016, when a number of the leaders in the exploit kit market ceased operations. That trend is credited in large part to the decline in available zero-day vulnerabilities.

Cryptojacking is the act of hijacking computers to mine cryptocurrency so that some shady person or group can get surreptitiously rich. Over the last year, it’s become one of the most common attack vectors. The Coinhive cryptojacker became the most prevalent malware online in January.

“A lot of the threat actors have wisened up,” Scott Donnelly, Recorded Future’s VP of Technical Solutions, told CyberScoop. “It’s a lot of effort to get small time victims to pay up. There are a lot of complaints on the dark web about getting paid, the lag and the customer service hackers have to provide.”

A handful of exploit kits did see major activity in 2017, including the Terror, AKBuilder and Disdain exploit kits. Disdain is popularly seen as low quality compared to previous products. Its prices are $80 per day, $500 per week, $1,400 per month, or $25,000 for the full source code, according to Recorded Future.

One of the biggest reasons for the decline of exploits is the death of Flash. Adobe Flash vulnerabilities made up the lion’s share of popular exploit kit vulnerabilities, but the technology is being effectively phased out and will be finally killed in 2020. Flash zero-days, particularly those leaked by Hacking Team, once drove the exploit kit market. Now fewer victims ever see Flash, and browsers like Chrome are better at securing Flash when it is being used.

Interestingly, the site where users most frequently still encountered Flash is Facebook, an internet giant currently under fire for unrelated privacy and advertising issues.