New exploit kit concentrates on Java flaws
Posted on 05 March 2013.
Webroot's Dancho Danchev is known for combing through the wilds of the Internet for places where cyber criminals congregate and reporting back with interesting news about tools and services offered for sale.

Among those is a brand new exploit kit that, for now, concentrates only on exploiting Java flaws. The vulnerabilities in questions are CVE-2012-1723 and CVE-2013-0431, but more exploits are to be added soon, say its creators.

Cyber crooks can rent the kit for 24 hours, a week or a month, paying respectively $40, $150 and $450 for the service. But, is it worth it?

The infection rate for a campaign using this kit is 9.5 percent, which is considerably lower than that promised by sellers of more popular - and versatile - exploit kits.

In terms of innovation, there's not much to note.

"For the time being, customers can choose whether they want to manually rotate the client-side exploits serving domains/IPs, or whether they’d want the cybercriminals selling the kit to do it for them as a managed service. Customers of the exploit kit will also receive notifications one their domains start getting detected by security vendors, through the Domain Check service," says Danchev.

"Naturally, the cybercriminals behind the exploit kit are outsourcing the entire process instead of building the capability in-house. Also, for the time being, the exploit kit can only be rented on bullet proof servers operated by the cybercriminals pitching it, but if customers want to use it on their own servers, they would have to personally request this from the vendor."

He doubts that the kit's developers will have much success, especially because Java vulnerabilities have lately been big news and users - both home and enterprise ones - have been repeatedly advised to disable Java for the time being.


How to talk infosec with kids

Posted on 17 September 2014.  |  It's never too early to talk infosec with kids: you simply need the right story. In fact, as cyber professionals it’s our duty to teach ALL the kids in our life about technology. If we are to make an impact, we must remember that children needed to be taught about technology on their terms.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.


Fri, Sep 19th