Nebula Exploit Kit

Marina Kidron Mar 14, 2019

After the fall of Angler, Nuclear and Neutrino exploit kits in 2016, dark web sites were hailing the new king, RIG EK, and its newborn variants: RIG-V and RIG-E (aka Empire). But after four months of activity, one of the king’s newborns, the promised Empire, has fallen and a new leading exploit kit has emerged.

The Nebula exploit kit came onto the scene on February 17 of this year, with evidence suggesting it's likely a variant of Sundown. It has been observed distributing Pitou, Gootkit, Ramnit and DiamondFox malware as payloads.

While the exploit kit is “new” in terms of having new indicators of compromise (IOCs), it exploits some old and well-known vulnerabilities – all of which involve remote code execution, carry a critical score and have a fix available:

Angler, Sundown, RIG, Neutrino and Terror exploit kits also utilized these same vulnerabilities.

So is there a new exploit kit out there? Yes, but that’s not the important question. The kits change their name, IOCs and landing pages, but in many ways, it’s really just dressing up the exploitation of the same old vulnerabilities.

While exploit kits allow crimeware with a distributed business model to wreak havoc on individuals and businesses alike, this habit of re-using old tricks should be seen as a gift to vulnerability management. The IOCs and behavior of the EKs are constantly modified by their authors to avoid detection, but the set of exploits they carry remains relatively stable. In many cases it is safer and more efficient to handle the underlying vulnerabilities in advance than to sit and wait for the exploit kits to attack.

Vulnerabilities that are known to be exploited in the wild, and specifically those that are bundled in exploit kits, should be prioritized for immediate mitigation. As seen from the list above, patches are usually available because of the age and publicity of these vulnerabilities; where patching isn't an option, compensating controls such as IPS signatures or firewall rules can limit the vulnerabilities' exposure until it is.

By mitigating these vulnerabilities, you take a fundamental step in neutralizing attacker tools not just in the Nebula exploit kit, but in the others that rely on these exploits.
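The prioritization rule laid out above (exploit-kit vulnerabilities first, then other vulnerabilities exploited in the wild, then everything else by score and exposure; patch when a fix exists, otherwise apply a compensating control; and prefer fixes that take exploits away from the most kits) can be expressed as a short ranking routine. The block below is an added example written for this page, not Skybox code. Every identifier in it is constructed: the `V-00x` IDs are placeholders rather than real CVEs, and the exploit-kit-to-vulnerability mapping is illustrative only, not the actual exploit list of Nebula or any other kit.

```python
"""Rank a vulnerability inventory by exploit-kit usage.

Added example for this article, not Skybox code. All data below is
constructed: the V-00x IDs are placeholders (not real CVEs) and the
exploit-kit mapping is illustrative only.
"""
from dataclasses import dataclass


@dataclass
class Vuln:
    vid: str              # placeholder identifier (constructed)
    cvss: float           # base score
    fix_available: bool   # vendor patch exists
    exploited_in_wild: bool
    hosts_affected: int   # exposure in our environment


# Constructed mapping: which kits bundle an exploit for which vulnerability.
EK_EXPLOITS = {
    "Nebula": {"V-001", "V-002", "V-003"},
    "RIG": {"V-001", "V-002"},
    "Terror": {"V-002", "V-004"},
}


def kits_using(vid, ek_map=EK_EXPLOITS):
    """Return the set of exploit kits that carry an exploit for vid."""
    return {kit for kit, ids in ek_map.items() if vid in ids}


def priority_key(v, ek_map=EK_EXPLOITS):
    """Sort key; smaller tuples sort first.

    Tier 0: bundled in an exploit kit, most kits first.
    Tier 1: exploited in the wild but not known to be in a kit.
    Tier 2: everything else, by CVSS and then by exposure.
    """
    kits = kits_using(v.vid, ek_map)
    if kits:
        tier = 0
    elif v.exploited_in_wild:
        tier = 1
    else:
        tier = 2
    return (tier, -len(kits), -v.cvss, -v.hosts_affected)


def recommended_action(v, ek_map=EK_EXPLOITS):
    """Patch when possible; fall back to a compensating control otherwise."""
    if not kits_using(v.vid, ek_map) and not v.exploited_in_wild:
        return "schedule in the normal patch cycle"
    if v.fix_available:
        return "patch now"
    return "compensating control (IPS signature / firewall rule) until a fix ships"


def prioritise(vulns, ek_map=EK_EXPLOITS):
    """Return [(vid, action)] in the order the team should work them."""
    ordered = sorted(vulns, key=lambda v: priority_key(v, ek_map))
    return [(v.vid, recommended_action(v, ek_map)) for v in ordered]


def kits_neutralised(mitigated_vids, ek_map=EK_EXPLOITS):
    """Kits whose every bundled exploit is covered by the mitigated set."""
    mitigated = set(mitigated_vids)
    return sorted(kit for kit, ids in ek_map.items() if ids <= mitigated)


# Constructed inventory for the demonstration.
INVENTORY = [
    Vuln("V-005", 9.8, True, False, 400),   # critical score, no known exploitation
    Vuln("V-002", 7.5, True, True, 120),    # carried by three kits
    Vuln("V-001", 8.8, False, True, 50),    # carried by two kits, no patch yet
    Vuln("V-004", 6.5, True, True, 10),     # carried by one kit
    Vuln("V-006", 5.3, True, True, 300),    # exploited in the wild, not in a kit
]

if __name__ == "__main__":
    for vid, action in prioritise(INVENTORY):
        print(f"{vid}: {action}")
    print("kits fully neutralised by fixing V-001 and V-002:",
          kits_neutralised(["V-001", "V-002"]))
```

Note that `V-005`, the highest-scoring item, lands last: a critical CVSS score alone does not move a vulnerability ahead of one that is actively being thrown at your perimeter. `kits_neutralised` makes the point of the paragraph above concrete: fixing the two most widely shared vulnerabilities strips RIG of every exploit in this constructed mapping, while Nebula and Terror each keep one, so those remaining exploits are the next targets.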

Marina Kidron is Skybox Security's director of threat intelligence and leader of the Skybox Research Lab, a dedicated team of analysts who daily scour dozens of security feeds and sources and investigate sites on the dark web. Kidron has more than 10 years of experience in business and statistical data analysis, data modeling and algorithm development for information technology, mobile and internet companies and financial services companies. She earned a master's degree in Political Marketing and a bachelor's degree in Computer Science and Mathematics.
