Cisco Reports Fall in Exploit Kit Activity but Increase in Malware Delivery Via Email

Exploit kit activity has fallen, but there has been a notable rise in the use of email as a vector for delivering malware, according to Cisco’s mid-year cybersecurity report.  The report also notes that IoT botnet activity has risen, as have Destruction of Services (DeoS) and Ransom Denial of Service (RDoS) attacks.

Exploit kits were a major attack vector and have been extensively used to deliver malware. Exploit kits are installed on websites and probe for vulnerabilities in browsers and plugins. They contain multiple exploits that enable attackers to silently deliver malware to vulnerable devices.

In 2016, three major exploit kits – Angler, Neutrino, and Nuclear – virtually disappeared. EK activity is now at a tiny fraction of the level of 2016. The reason for the decline is believed to be the arrest of the author of the Angler EK, although improvements to browser security, faster patching of vulnerabilities, and the decline of Flash have all made exploit kits less attractive as a method of malware delivery.

Cisco notes that research by Qualys showed that in November 2016, the average time to patch Flash vulnerabilities was 39 months, whereas by January 2017, Flash vulnerabilities were being patched in two months, giving attackers far less time to develop and deploy exploits. While EK activity has fallen, EKs are not dead and buried and could become popular once again if new vulnerabilities are discovered and patching is lax.

Cybercriminals have now turned to email as the primary method of malware delivery. Email spam volume is up, as is the number of email-based malware attacks. According to the report, 65% of total email volume is spam and 8% of all spam emails are malicious. The most common file attachments used for malware delivery are .zip files, which account for 47% of malicious attachments; .doc files account for 18%, .jar files for 14%, and .gz files for 6%.

Ransomware attacks have increased considerably in 2017, although the biggest email-based threat is business email compromise (BEC) attacks. These email spoofing attacks attempt to get employees to part with sensitive data, such as employees’ W-2 Forms, or to make fraudulent wire transfers. This is achieved by impersonating the CEO or CFO or spoofing their email address.

Cisco says there has been a notable increase in DeoS attacks. DeoS attacks are not concerned with obtaining money; instead, the aim is to destroy infrastructure and data, as the NotPetya attacks clearly demonstrated.

IoT botnets of hundreds of thousands of infected devices are being constructed for large-scale DDoS attacks and are now capable of delivering attacks on the order of 1 terabit per second. This has been made possible by the lack of proper automatic update mechanisms on most IoT devices.

Some cybercriminal groups are using the threat of DDoS attacks to obtain ransom payments in a mafia-style protection racket, often with a demonstration of the attacker’s capability to show potential victims that it is not an empty threat. Pay a ransom and the company will not be attacked. Fail to pay and a devastating DDoS attack will be launched.

To counter the threat of cyberattacks, Cisco offers the following advice:

  • Keep all software up to date and apply patches promptly to ensure publicly known flaws cannot be exploited
  • Monitor network traffic closely, including how IoT devices touch the network
  • Ensure IoT devices are protected with IPS defenses
  • Engage the board and ensure the risks are fully understood and communicate the potential rewards from greater investment in security
  • Ensure employees receive security awareness training appropriate to their role
  • Implement layered security defenses and defend in depth

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news