Nebula Exploit Kit

Marina Kidron Mar 14, 2019

After the fall of Angler, Nuclear and Neutrino exploit kits in 2016, dark web sites were hailing the new king, RIG EK, and its newborn variants: RIG-V and RIG-E (aka Empire). But after four months of activity, one of the king’s newborns, the promised Empire, has fallen and a new leading exploit kit has emerged.

The Nebula exploit kit came onto the scene on February 17 of this year, with evidence suggesting it’s likely a variant of Sundown. It’s been demonstrated to be distributing Pitou, Gootkit, Ramnit and DiamondFox malware as a payload.

While the exploit kit is “new” in terms of having new indicators of compromise (IOCs), it exploits some old and well-known vulnerabilities – all of which involve remote code execution, carry a critical score and have a fix available:

Angler, Sundown, RIG, Neutrino and Terror exploit kits also utilized these same vulnerabilities.

So is there a new exploit kit out there? Yes, but that’s not the important question. The kits change their name, IOCs and landing pages, but in many ways, it’s really just dressing up the exploitation of the same old vulnerabilities.

While exploit kits allow crimeware with a distributed business model to wreak havoc on individuals and businesses alike, this habit of reusing old tricks should be seen as a gift to vulnerability management. The IOCs and behavior of the EKs are constantly modified by their authors to avoid detection, but the set of exploits they use remains relatively stable. In many cases it is safer and more efficient to remediate the relevant vulnerabilities in advance rather than sit and wait for the exploit kits to attack.

Vulnerabilities that are known to be exploited in the wild, and specifically those that are bundled in exploit kits, should be prioritized for immediate mitigation. As seen from the list above, patches are often available due to the age and publicity of these vulnerabilities; if patching isn’t an option, compensating controls like IPS signatures or firewall rules can limit the vulnerabilities’ exposure.
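The prioritization rule above (exploited in the wild first, exploit-kit bundling first among those, then patch or compensate) can be turned into a small triage model. The following is an added example, not Skybox code or tooling; the vulnerability identifiers, scores and kit names in the sample are constructed for illustration, and the weights in `priority_score` are an assumption chosen to make exploitation evidence dominate the raw CVSS score.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Added example (not Skybox code). Ranks findings the way the post argues:
# vulnerabilities exploited in the wild, especially those bundled in exploit
# kits, come first; patch availability then decides the recommended action.


@dataclass
class Vuln:
    vuln_id: str                         # placeholder id (constructed, not a real CVE)
    cvss: float                          # CVSS base score, 0.0-10.0
    remote_code_exec: bool
    exploited_in_wild: bool
    exploit_kits: Tuple[str, ...] = ()   # kits known to bundle this exploit
    patch_available: bool = False
    ips_signature: bool = False          # compensating control available?


def priority_score(v: Vuln) -> float:
    """Higher is more urgent. Weights are an assumption: exploitation evidence
    and exploit-kit inclusion outweigh the CVSS score, which acts as tiebreaker."""
    score = v.cvss
    if v.remote_code_exec:
        score += 5
    if v.exploited_in_wild:
        score += 10
    # each additional kit reusing the exploit widens the audience for it
    score += 3 * len(v.exploit_kits)
    return score


def recommended_action(v: Vuln) -> str:
    """Patch when a fix exists; otherwise fall back to compensating controls."""
    if v.patch_available:
        return "patch"
    if v.ips_signature:
        return "compensate: IPS signature / firewall rule"
    return "isolate / monitor until a fix exists"


def triage(vulns: List[Vuln]) -> List[Tuple[str, float, str]]:
    """Return (id, score, action) tuples, most urgent first."""
    ranked = sorted(vulns, key=priority_score, reverse=True)
    return [(v.vuln_id, priority_score(v), recommended_action(v)) for v in ranked]


# Constructed sample findings (not real CVE data)
SAMPLE = [
    Vuln("VULN-A", cvss=9.8, remote_code_exec=True, exploited_in_wild=True,
         exploit_kits=("Nebula", "RIG", "Sundown"), patch_available=True),
    Vuln("VULN-B", cvss=10.0, remote_code_exec=True, exploited_in_wild=False,
         patch_available=True),
    Vuln("VULN-C", cvss=7.5, remote_code_exec=True, exploited_in_wild=True,
         exploit_kits=("Nebula",), patch_available=False, ips_signature=True),
    Vuln("VULN-D", cvss=5.3, remote_code_exec=False, exploited_in_wild=False,
         patch_available=True),
]

if __name__ == "__main__":
    for vid, score, action in triage(SAMPLE):
        print(f"{vid:8} score={score:5.1f} action={action}")
```

Note that VULN-B, despite the highest CVSS score, ranks below VULN-C: a medium-scored flaw with a known exploit in a kit in active circulation is the more urgent of the two, and because VULN-C has no patch the model points at an IPS signature or firewall rule rather than leaving it unaddressed.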

By mitigating these vulnerabilities, you take a fundamental step in neutralizing attacker tools not just in the Nebula exploit kit, but in the others that rely on these exploits.

Marina Kidron is Skybox Security's director of threat intelligence and leader of the Skybox Research Lab, a dedicated team of analysts who daily scour dozens of security feeds and sources and investigate sites on the dark web. Kidron has more than 10 years of experience in business and statistical data analysis, data modeling and algorithm development for information technology, mobile and internet companies and financial services companies. She earned a Master's degree in Political Marketing and a Bachelor's degree in Computer Science and Mathematics.
