Nebula Exploit Kit

Marina Kidron Mar 14, 2019

After the fall of Angler, Nuclear and Neutrino exploit kits in 2016, dark web sites were hailing the new king, RIG EK, and its newborn variants: RIG-V and RIG-E (aka Empire). But after four months of activity, one of the king’s newborns, the promised Empire, has fallen and a new leading exploit kit has emerged.

The Nebula exploit kit came onto the scene on February 17 of this year, with evidence suggesting it’s likely a variant of Sundown. It’s been demonstrated to be distributing Pitou, Gootkit, Ramnit and DiamondFox malware as a payload.

While the exploit kit is “new” in terms of having new indicators of compromise (IOCs), it exploits some old and well-known vulnerabilities – all of which involve remote code execution, carry a critical score and have a fix available:

Angler, Sundown, RIG, Neutrino and Terror exploit kits also utilized these same vulnerabilities.

So is there a new exploit kit out there? Yes, but that’s not the important question. The kits change their name, IOCs and landing pages, but in many ways, it’s really just dressing up the exploitation of the same old vulnerabilities.

While exploit kits allow crimeware with a distributed business model to wreak havoc on individuals and businesses alike, this habit of re-using old tricks should be seen as a gift to vulnerability management. While the IOCs and behavior of the EKs are constantly modified by their authors in order to avoid detection, the set of exploits used by these EKs remains relatively stable. In many cases it is safer and more efficient to handle the relevant vulnerabilities in advance rather than sitting and waiting for the exploit kits to attack.

Vulnerabilities that are known to be exploited in the wild, and specifically those that are bundled in exploit kits, should be prioritized for immediate mitigation. As seen from the list above, patches are often available due to the age and publicity of these vulnerabilities; if patching isn’t an option, compensating controls like IPS signatures or firewall rules can limit the vulnerabilities’ exposure.
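The prioritization rule described above, as an added example that is not part of the original post or of any Skybox product: in-the-wild exploitation and exploit-kit bundling outrank raw severity, and the recommended action depends on whether a patch exists. The inventory, the CVE identifiers and the score weights are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Vuln:
    cve: str
    cvss: float            # base severity score, used only as a tie-breaker
    exploited_in_wild: bool
    in_exploit_kit: bool
    patch_available: bool

# Constructed weights (assumption): each threat signal is worth more than the
# whole CVSS range, so any exploited or EK-bundled finding sorts above an
# unexploited one regardless of severity.
WILD_WEIGHT = 10.0
EXPLOIT_KIT_WEIGHT = 10.0

def priority_score(v: Vuln) -> float:
    score = v.cvss
    if v.exploited_in_wild:
        score += WILD_WEIGHT
    if v.in_exploit_kit:
        score += EXPLOIT_KIT_WEIGHT
    return score

def recommended_action(v: Vuln) -> str:
    # Findings without any exploitation signal go into the normal patch cycle.
    if not (v.exploited_in_wild or v.in_exploit_kit):
        return "schedule"
    # Exploited or EK-bundled: patch if possible, otherwise reduce exposure
    # with a compensating control until a patch can be applied.
    return "patch now" if v.patch_available else "compensating control"

def triage(vulns: list[Vuln]) -> list[tuple[str, str]]:
    """Return (cve, action) pairs, highest priority first."""
    ranked = sorted(vulns, key=priority_score, reverse=True)
    return [(v.cve, recommended_action(v)) for v in ranked]

# Constructed sample inventory; CVE-YYYY-000N are placeholders, not real IDs.
CONSTRUCTED_INVENTORY = [
    Vuln("CVE-YYYY-0003", 9.8, exploited_in_wild=False, in_exploit_kit=False, patch_available=True),
    Vuln("CVE-YYYY-0002", 6.8, exploited_in_wild=True,  in_exploit_kit=True,  patch_available=False),
    Vuln("CVE-YYYY-0004", 8.1, exploited_in_wild=True,  in_exploit_kit=False, patch_available=True),
    Vuln("CVE-YYYY-0001", 7.5, exploited_in_wild=True,  in_exploit_kit=True,  patch_available=True),
]

if __name__ == "__main__":
    for cve, action in triage(CONSTRUCTED_INVENTORY):
        print(f"{cve}: {action}")
```

Note that the CVSS 9.8 finding with no exploitation signal lands last, below a CVSS 6.8 finding that is bundled in an exploit kit.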

By mitigating these vulnerabilities, you take a fundamental step in neutralizing attacker tools not just in the Nebula exploit kit, but in the others that rely on these exploits.

Marina Kidron is Skybox Security's director of threat intelligence and leader of the Skybox Research Lab, a dedicated team of analysts who daily scour dozens of security feeds and sources and investigate sites in the dark web. Kidron has more than 10 years of experience in business and statistical data analysis, data modeling and algorithms development for information technology, mobile and internet companies and financial services companies. She earned a Master's degree in Political Marketing, and a Bachelor degree in Computer Science and Mathematics.
