Most Exploited Vulnerabilities: by Whom, When, and How

December 30, 2016 by Pierluigi Paganini

Top Ten Vulnerabilities included in Exploit Kits

Which are the most exploited vulnerabilities by hackers in 2016? Who used them and how?

Let's start from a study conducted by the threat intelligence firm Recorded Future, which analyzed the most common vulnerabilities used in exploit kits, and cross-reference this information with the archive of Security Affairs to discover the threat actors that used them in 2016.


The researchers discovered that the Adobe Flash Player and Microsoft products (Internet Explorer, Silverlight, and Windows) continue to be privileged targets of threat actors.

The experts observed a huge number of hacking campaigns conducted by both nation-state actors and criminal organizations leveraging such flaws. Hackers used the exploit kits to deliver several families of malware, including ransomware, banking Trojans, and implants.

Threat actors in the wild used new exploit kits targeting new vulnerabilities in popular software.

The Adobe Flash Player comprised six of the top 10 vulnerabilities triggered by the exploit kits in a period from November 16, 2015, to November 15, 2016.

Figure 1 - Top vulnerabilities exploited by threat actors (Source Recorded Future)

Experts from Recorded Future analyzed 141 exploit kits and discovered that the Internet Explorer vulnerability tracked as CVE-2016-0189 was the most referenced on security blogs, deep web forum postings, and dark websites.

Multiple hacker crews in the wild exploited the flaw; the most recent attacks leveraging it were conducted by the threat actors behind the CNACOM campaign.

The vulnerability was exploited in targeted attacks against Windows users in South Korea before Microsoft fixed it.

Security researchers from the startup Theori reverse-engineered the MS16-053 update that fixed the CVE-2016-0189 flaw and published a PoC exploit working on Internet Explorer 11 running on Windows 10.

The PoC exploit code was used by threat actors in the wild, who included the malicious code in the most popular exploit kits, including Neutrino EK, Magnitude EK, Angler EK, RIG EK, Nuclear EK, Spartan, and Hunter.

| Vulnerability | Product | Last observed attacks |
|---|---|---|
| CVE-2016-0189 | Microsoft IE | CNACOM campaign |
| CVE-2016-1019 | Adobe Flash Player | Cybercrime – Malware distribution |
| CVE-2016-4117 | Adobe Flash Player | Cybercrime – Phishing campaigns |
| CVE-2015-8651 | Adobe Flash Player | Cybercrime – DarkHotel APT |
| CVE-2016-0034 | Silverlight | Cybercrime – Angler EK |
| CVE-2016-1010 | Adobe Flash Player | Cybercrime – Targeted attacks |
| CVE-2014-4113 | Microsoft Windows | Cybercrime – APT3 - FURTIM |
| CVE-2015-8446 | Adobe Flash Player | Cybercrime – Angler EK for ransomware distribution |
| CVE-2016-3298 | Internet Explorer | Cybercrime |
| CVE-2015-7645 | Adobe Flash Player | Cybercrime |

The second flaw in the list, CVE-2016-1019, is an Adobe Flash Player flaw that can be exploited to cause a denial of service or to execute arbitrary code via unspecified vectors.

The flaw was mostly exploited by criminal organizations in the wild; in the vast majority of cases, crooks included it in popular exploit kits (e.g. Neutrino EK, Magnitude EK) to spread malware such as the Cerber ransomware.

The third flaw, tracked as CVE-2016-4117, affects older versions of Adobe Flash Player. After the disclosure of the flaw, Adobe confirmed that the vulnerability was being exploited in cyber attacks in the wild. CVE-2016-4117 was rated as critical and affects Windows, Mac OS X, Linux and Chrome OS.

"A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system." reads the advisory published by Adobe.

"Adobe is aware of a report that an exploit for CVE-2016-4117 exists in the wild.  Adobe will address this vulnerability in our monthly security update, which will be available as early as May 12. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog."

Only after Adobe fixed the flaw did the security researcher Genwei Jiang reveal the details of the previously undisclosed phishing attacks he had reported to Adobe.

The fourth vulnerability, tracked as CVE-2015-8651, was exploited by criminal organizations in the wild. The code to exploit the vulnerability in the Adobe Flash Player was included in the major Exploit Kits.

According to threat intelligence start-up ThreatBook, the flaw was also exploited by hackers belonging to the DarkHotel APT group in attacks targeting executives at telecommunications companies in China and North Korea.

The Darkhotel espionage campaign was first uncovered by security experts at Kaspersky Lab in November 2014. The attackers appeared to be highly skilled professionals who exfiltrate data of interest with surgical precision and delete any trace of their activity. The researchers noticed that the gang never goes after the same target twice. The list of targets includes CEOs, senior vice presidents, top R&D engineers, and sales and marketing directors from the USA and Asia traveling for business in the APAC region.

Experts at ThreatBook discovered a new DarkHotel campaign in March and dubbed it Operation 8651. The hackers used spear-phishing messages with malicious documents attached, typically a crafted SWF file embedded as a downloadable link in a Word document.

The fifth flaw is a Silverlight issue, tracked as CVE-2016-0034 that was exploited by threat actors behind the notorious Angler EK.

The flaw was fixed by Microsoft in January with the MS16-006 critical bulletin; an attacker can exploit it for remote code execution. The Silverlight flaw was first discovered by the experts in Kaspersky Lab as a result of an investigation on the Hacking Team arsenal disclosed in July 2015.

According to Microsoft, the remote code execution vulnerability can be exploited by an attacker who sets up a website to host a specially crafted Silverlight application.

When Microsoft users visit the bogus website, the exploit allows an attacker to obtain the same permissions as the victim.

Continuing the analysis of the Top flaws, we find another Adobe Flash Player vulnerability, tracked as CVE-2016-1010 that could be potentially exploited by attackers to take control of the affected system. Kaspersky Lab researchers observed the usage of this vulnerability in a very limited number of targeted attacks.

The oldest flaw in the top 10 vulnerabilities is a Windows privilege escalation vulnerability, tracked as CVE-2014-4113, that was used by both cyber criminal organizations and nation-state actors.

FireEye reported the flaw was exploited by the APT3 group in cyber espionage campaigns conducted to gather information about government and political activities in Southeast

Researchers at the SentinelOne Labs team discovered the flaw was also exploited by hackers behind a sophisticated malware dubbed Furtim specifically targeting at least one European energy company.

Another flaw in the list is a heap buffer overflow affecting Adobe Flash Player, tracked as CVE-2015-8446. The flaw was used mostly by cyber criminals to spread malware. Researchers found the malicious code for the exploitation of the flaw in the Angler EK.

According to researchers at Malwarebytes, the CVE-2015-8446 exploit included in the Angler Exploit Kit had been used by cyber criminals to serve the infamous TeslaCrypt ransomware.

CVE-2016-3298 and CVE-2015-7645 close the Top 10 vulnerabilities. The first one is a browser information disclosure vulnerability in Internet Explorer that could be exploited by hackers to "test for the presence of files on disk."

"An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory. An attacker who successfully exploited this vulnerability could test for the presence of files on disk. For an attack to be successful an attacker must persuade a user to open a malicious website." reported Microsoft.

The researchers observed the code for the exploitation of the flaw was included in the Neutrino EK.

Microsoft confirmed that the flaw was exploited by attackers in the wild.

CVE-2015-7645 is a critical Flash flaw that was exploited by cyber criminals to distribute malware. The exploit code for the vulnerability was included in the Neutrino EK to spread the Cryptolocker 2 ransomware and variants of the Kovter malware family.

According to Recorded Future, after the Angler and Nuclear EKs disappeared from the threat landscape, RIG became the most used EK, while the popularity of the Sundown EK rapidly increased.

Below are the key takeaways published by Recorded Future in its report.

  • Adobe Flash Player provided six of the top 10 vulnerabilities used by exploit kits in 2016. Since our 2015 ranking, Flash Player's popularity with cyber criminals remains after increased Adobe security issue mitigation efforts.
  • Vulnerabilities in Microsoft's Internet Explorer, Windows, and Silverlight rounded out the top 10 vulnerabilities used by exploit kits. None of the vulnerabilities identified in last year's report carried over to this year's top 10.
  • A 2016 Internet Explorer vulnerability (CVE-2016-0189) saw the most linkage to exploit kits, notably Sundown EK which quickly adopted an exploit in July 2016.
  • Sundown, RIG, and Neutrino exploit kits filled the void created by Angler Exploit Kit's June 2016 demise. This crimeware can be used for anywhere from $200 a week (RIG) to $1,500 a week (Neutrino).
  • Adobe Flash Player's CVE-2015-7645 has been incorporated into seven exploit kits, the highest penetration level of our analyzed vulnerabilities likely because it was the first zero-day discovered after significant Adobe security changes.
  • Identifying frequently exploited vulnerabilities can drive action by vulnerability assessment teams.


The analysis conducted by Recorded Future is very valuable for security experts and the IT staff of any organization.

Exploit kits represent the privileged vector for hacking campaigns, and they are used by both cyber criminals and nation-state hackers.

The vast majority of the vulnerabilities affect Adobe Flash Player; it is normal to find the code to exploit them in almost any crimeware kit available in the cybercriminal underground.

In many cases, hackers exploit a zero-day flaw in attacks in the wild; such attacks are usually attributed to state-sponsored hackers or APT groups. Once the flaw is publicly disclosed, the code for its exploitation is included in any exploit kit by its authors.
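As an illustration of how a vulnerability assessment team can act on this ranking, the following added example (not part of the Recorded Future report or the original article) matches a scanner export against the top 10 list from the table above and ranks hosts by how many exploit-kit CVEs they carry. The host names, the `host,cve` column layout and the `CVE-0000-0001` identifier are constructed placeholders.

```python
import csv
import io
from collections import defaultdict

# Top 10 list taken from the table in this article: CVE -> affected product.
EK_TOP10 = {
    "CVE-2016-0189": "Microsoft IE",
    "CVE-2016-1019": "Adobe Flash Player",
    "CVE-2016-4117": "Adobe Flash Player",
    "CVE-2015-8651": "Adobe Flash Player",
    "CVE-2016-0034": "Silverlight",
    "CVE-2016-1010": "Adobe Flash Player",
    "CVE-2014-4113": "Microsoft Windows",
    "CVE-2015-8446": "Adobe Flash Player",
    "CVE-2016-3298": "Internet Explorer",
    "CVE-2015-7645": "Adobe Flash Player",
}

# Constructed scanner export; CVE-0000-0001 stands for any finding outside the list.
SAMPLE_FINDINGS = """host,cve
ws-014,CVE-2016-0189
ws-014,cve-2016-4117
ws-014,CVE-0000-0001
srv-db2,CVE-2014-4113
ws-022,CVE-2015-7645
ws-022,CVE-2016-4117
ws-022,CVE-2016-4117
kiosk-3,CVE-0000-0001
"""

def prioritize(findings_csv):
    """Return [(host, {product: [cves]})], hosts with most exploit-kit CVEs first."""
    per_host = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(findings_csv)):
        cve = row["cve"].strip().upper()   # scanners differ in case and padding
        product = EK_TOP10.get(cve)
        if product:                        # keep only CVEs seen in exploit kits
            per_host[row["host"].strip()][product].add(cve)  # set removes duplicates
    ranked = [(host, {p: sorted(c) for p, c in products.items()})
              for host, products in per_host.items()]
    # Sort by descending CVE count; host name breaks ties for stable output.
    ranked.sort(key=lambda item: (-sum(len(c) for c in item[1].values()), item[0]))
    return ranked

if __name__ == "__main__":
    for host, products in prioritize(SAMPLE_FINDINGS):
        for product, cves in sorted(products.items()):
            print(f"{host}: patch {product} ({', '.join(cves)})")
```

Hosts that only carry findings outside the list are omitted from the result, so the output is a patch queue for the exploit-kit CVEs rather than a full findings report.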



Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field; he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs", recently named a Top National Security Resource for US.

Pierluigi is a member of "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.