What are Exploits: Types & Examples in Cybersecurity

Although the nature of exploits is, perhaps, self-explanatory, in this article we will take a deeper dive into their types and various applications. As the term suggests, to “exploit” something is to extract benefit from using said thing. In computer science, an exploit can be a piece of software, a chunk of data, or a sequence of commands, which is used intentionally by hackers to take advantage of bugs or vulnerabilities found in computer software, hardware, or IoT devices. Exploit attacks come in a variety of shapes and sizes, as we will see below.

How does an exploit work?

There exist a few attack vectors that adversaries can choose from. One of these is to lure a victim onto a malicious website that contains an exploit kit. In this scenario, the kit quietly scans the target device for any unpatched vulnerabilities and applies several exploits to break into the machine. The exploit may be targeted at any one specific vulnerability or even several vulnerabilities simultaneously and may come in the form of a piece of code or a set of specially crafted instructions.

Exploit kits are capable of extracting a wide range of information about a device, such as the browser plug-ins used, installed applications, and even the operating system running on the device. These kits are relentless at sifting through all device components in search of a vulnerability to exploit. Even though exploit kits are generally hosted online, once they find a vulnerability to breach, they can easily deploy malware locally to the target device.

Another way to launch an exploit attack is to spread code across a network. The task of the code is the same — to seek out vulnerable points like the EternalBlue and BlueKeep vulnerabilities. The scary thing about these vulnerabilities is that they are exploited completely autonomously, i.e., no user interaction is required at all — the user can be away doing whatever while the exploits are getting down and dirty with their device.

The merit of this attack vector for adversaries is pretty straightforward — it is a very efficient way to grow and expand botnets in preparation for a bigger distributed denial of service attack on a third-party mobile or web application. One such botnet is the notorious Mirai.

Alas, the primary candidates for exploit attacks are popular systems such as Java, Adobe Flash Player, MS Silverlight, and Runtime Environment. Another easy target for exploit kits is any outdated software. Although constant software updates seem like a nuisance, they generally tend to be aimed at “patching” or fixing existing security gaps, so the importance of installing new updates should never be overlooked.

Are exploits a form of malware?

In short — no, but they are a subset of malware. Malware is a term derived from the words malicious and software, so malicious intent is inherent to its design. Malware can be a file, program or string of code used for malicious activity, such as causing damage to devices, demanding ransom, and stealing sensitive data. On the other hand, an exploit can be a piece of code or a program that takes advantage of a weakness (vulnerability) in an application or system. This, in itself, is not malicious, but may be used for evil purposes nonetheless.

Let’s visualize a simple scenario where a house is your digital environment; the walls, doors, and windows are your cybersecurity perimeter; a hooded individual sneaking around near your property is a threat actor; and in his hand he has malware, in this case a stink-bomb, which he has attached to a programmable drone — the exploit. The threat actor programs the drone to fly around the building and seek out open windows or doors to fly into and release the stink-bomb. If all your doors and windows are closed, the drone is going to have a hard time delivering the package.

However, say one night you forget to lock your front door or leave a window open by mistake. This creates an opportunity for the drone to chuck the stinky surprise through the opening. Thus, the drone merely found and exploited a weakness in your perimeter to deliver the nasty stench, but the drone itself is not the source of the terrible smell in your house.

So, as we see from this short example, an exploit is simply a scouting device. Again, nothing inherently evil about it, but it could lead to much bigger problems, ergo it would definitely help to have your perimeter airtight with all vulnerabilities patched up.

What is the difference between an exploit and a vulnerability?

Now, let us see how an exploit differs from a vulnerability. As with exploits vs. malware, exploits and vulnerabilities come off as closely linked, but although they are related in a way, they are not one and the same.

As we saw in the above example, a vulnerability is a weakness or a gap, which could be abused to deliver a malicious payload to a target computer system. Not all vulnerabilities can be exploited, however — even if a vulnerability is not fixed or patched, it may be blocked by other cybersecurity systems.

In computing, an exploit generally refers to an attack that uses a known vulnerability to cause unexpected effects in a target system via the delivery of malware or the escalation of privileges. Note that the presence of a vulnerability does not necessarily mean imminent danger until an exploit is created for it, and there is no doubt that it will happen sooner or later. According to the SAP vendor report, users are attacked, on average, 72 hours after the release of the newest update that mitigates a particular vulnerability.

According to researchers, as soon as updates become available, hackers begin to reverse engineer them in order to obtain data on a closed fresh vulnerability and develop an exploit for it.

What are exploits used for?

Adversaries never take a sick day. Their main goal is personal gain, and they are never short of tools and ideas to capitalize on. Their activities include extortion through ransomware, sale of sensitive data on the darknet, or DDoS attacks carried out as a service in unfair market competition.

Exploits, in this case, are the go-to tool for adversaries to find vulnerabilities and get a foothold in the target computer system, and subsequently deliver ransomware, escalate privileges, and infect appliances that have access to the Internet.

Exploit examples

Zero-day exploits

Log4Shell

Researcher Chen Zhaojun from Alibaba Cloud Security discovered a critical RCE vulnerability (CVE-2021-44228) in the popular Apache Log4j2 logging framework. The vulnerability, dubbed Log4Shell, allows an attacker to execute arbitrary code on a remote server and is contained in Apache Log4j2 versions 2.0-beta9 to 2.14.1.

Spring4Shell

Just as the world was recovering from Apache Log4j2 (CVE-2021-44228), more new 0-day vulnerabilities were reported online. Several zero-day vulnerabilities were found in the Spring Framework for Java, allowing arbitrary code execution (RCE).

The identified gaps so far include:

  • RCE in the Spring Cloud Function library (CVE-2022-22963); the vulnerability is valid for library versions up to 3.2.3.
  • A mid-level vulnerability that can trigger a DoS state (CVE-2022-22950), relevant to Spring Framework versions 5.3.0 through 5.3.16.
  • Spring4Shell in Spring Core, a class implementation vulnerability for RCE exploitation (a CVE ID has not yet been assigned).
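The affected version ranges quoted above for Log4Shell and the Spring vulnerabilities are exactly what a defender's inventory check needs: compare each installed component against the range the advisory names (the defensive counterpart of the software-to-exploit matching an exploit kit performs). The script below is an added example, not code from the original article; the component names and the host inventory are constructed, and the ranges are only those this article lists.

```python
import re

# Affected ranges as stated in this article (constructed table, not an authoritative feed).
# Component names are assumed labels, not real package coordinates.
AFFECTED = {
    "CVE-2021-44228": ("log4j-core", "2.0-beta9", "2.14.1"),      # Log4Shell
    "CVE-2022-22950": ("spring-framework", "5.3.0", "5.3.16"),     # DoS
    "CVE-2022-22963": ("spring-cloud-function", "0", "3.2.3"),     # "up to 3.2.3"
}

def parse_version(v):
    """Sortable key: '2.0-beta9' < '2.0' < '2.14.1'. Pre-release tags rank below the release."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)(\d*))?", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))            # pad so '2.0' == '2.0.0.0'
    if m.group(2):                            # pre-release: (tag, number) sorts before final
        return (nums, 0, m.group(2).lower(), int(m.group(3) or 0))
    return (nums, 1, "", 0)

def affected_cves(component, version):
    """CVE IDs from the table whose inclusive range contains this component version."""
    key = parse_version(version)
    return [cve for cve, (comp, low, high) in AFFECTED.items()
            if comp == component and parse_version(low) <= key <= parse_version(high)]

def scan_inventory(inventory):
    """Return (host, component, version, cve) for every inventory entry inside a listed range."""
    return [(host, comp, ver, cve)
            for host, comp, ver in inventory
            for cve in affected_cves(comp, ver)]

# Constructed sample inventory (host, component, version); not real hosts.
SAMPLE_INVENTORY = [
    ("app-01", "log4j-core", "2.14.1"),
    ("app-02", "log4j-core", "2.17.1"),
    ("app-03", "log4j-core", "2.0-beta9"),
    ("web-01", "spring-framework", "5.3.16"),
    ("web-02", "spring-framework", "5.3.17"),
    ("fn-01", "spring-cloud-function", "3.2.3"),
    ("fn-02", "spring-cloud-function", "3.2.4"),
]

if __name__ == "__main__":
    for host, comp, ver, cve in scan_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {comp} {ver} is in the affected range for {cve}")
```

A version outside every listed range only means the article's table does not flag it; the table must be refreshed from the vendor advisory as follow-up fixes are published.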

ProxyShell

According to Palo Alto analytics, among the most exploited network access vulnerabilities in the first half of 2022, researchers singled out the ProxyShell exploit chain (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207), which accounted for up to 55% of all reported incidents.

Evolution of exploits

The timeline below lays out the evolution of exploits.

Before 2006

  • 2003 — The Blaster worm is used to exploit network vulnerabilities.
  • Bot worms were quickly adapted to newly published exploits.
  • The Windows Metafile (WMF) vulnerability became the exploit of choice for targeting client-side vulnerabilities to deliver malware to vulnerable systems.

2007

  • First exploits designed to target software vulnerabilities in widely used applications, such as multimedia players, office applications, and security programs.

2008

  • Cybercriminals employ automated tools to seek out vulnerabilities that target poorly configured pages and websites.
  • New prevailing trend in application vulnerabilities, i.e., SQL injection, cross-site scripting, etc.

2009

  • Specific platforms targeted through customized attacks. Cybercriminals introduced browser and OS detection into their attacks and allowed exploits to run on targeted platforms.
  • Mobile app vulnerabilities become targets.

2010

  • Emerging new trend: compromised websites and drive-by attacks.
  • Vulnerability exploits used by Stuxnet as part of its routine attacks against SCADA systems.

2011

  • Mass SQL injection attacks target millions of web pages.
  • Some new apps were found exploiting mobile vulnerabilities.

2012

  • Cybercriminals refine the Blackhole Exploit Kit, which was used in phishing attacks.
  • Java became a magnet for exploit attacks, prompting the information security industry to curtail its use.

2013

  • “Retired” software that no longer receives support from its vendor becomes a prime target, hitting Plesk software older than Parallels Plesk Panel 9.5 and Java 6.

2014

  • Several vulnerabilities in open-source software were uncovered, including Shellshock, Heartbleed, and POODLE.

2015

  • The Hacking Team breach helped discover several 0-day vulnerabilities in Adobe, Windows, and Java.
  • The same vulnerable platforms are also targeted using other zero-days in Pawn Storm.

2016

  • Cybercriminals and security researchers discover exploits in smart devices, such as cars, toys, and home security systems.

How do exploits occur?

Exploits are caused by flaws in the software development process that result in vulnerabilities in the software protection system, which are successfully exploited by cybercriminals to gain unlimited access to the program itself, and through it, to the entire computer. Exploits are classified according to the type of vulnerability used by the hacker: zero-day, DoS, spoofing or XSS. But exploits generally occur in three ways:

  • Remote exploits operate across a network to target a certain vulnerability without prior access to the host system.
  • Local exploits require initial access to the vulnerable system and escalate the privileges of the attacker above those allowed by the administrator.
  • Client exploits mostly consist of modified servers that deliver an exploit when accessed with a client application. These may also require additional actions from the user, usually associated with phishing or spear phishing attacks.

What is an exploit kit?

Exploits are typically delivered in so-called packages containing multiple exploits for different vulnerabilities.

This package is used to identify the software installed on the victim computer, to match it against the exploit lists in the package, and to deploy the appropriate computer exploit tool if one of the installed applications is vulnerable.

How to recognize a computer exploit attack?

Since exploits target weaknesses in software security mechanisms, the average user has almost no chance of detecting their presence. The best indicators to look out for would be:

  • Slow performance
  • Frequent crashes and freezes
  • Suspicious changes to the settings
  • Many pop-ups
  • Loss of storage space

This is why it is extremely important to keep installed software up to date, and especially to install security updates released by software developers on time. If a software developer releases a security update to fix a known vulnerability in their software, but the user does not install it, unfortunately the program will not get the latest protection it needs.

How to fix an exploit?

Since exploits are the consequence of vulnerabilities, it is the direct responsibility of the developers to fix them, so it will be up to the vendors to prepare and send out bug fixes. Nevertheless, it is entirely the responsibility of the program's user to keep the installed programs updated and to install service packs on time, so as not to give hackers any chance to take advantage of the vulnerabilities. One possible way not to miss the latest updates is to use an application manager, which will make sure that all installed programs are up to date, or - even better - to use an automatic update finder and installer.

How to keep your computer safe and check for exploits?

  • Make sure you install the latest security updates and patches for all programs.
  • To stay safe online, install all updates as soon as they're released.
  • Install and use a premium antivirus that can automatically update your installed programs.

Conclusion

As mentioned above, exploits are a subset of malware, but they are not detected by all defenses. For successful detection, a protection solution must use behavioral analysis, which is the only reliable method of combating exploits. Malware can be numerous and varied, but most of them share similar behavioral traits.

FAQ

What kinds of exploits do hackers use?

Exploits are classified according to the type of vulnerability used by the hacker: zero-day, DoS, spoofing or XSS. Thus, hackers approach their exploit attacks accordingly.

How are exploits delivered?

Typically, exploit attacks rely on outdated systems, unpatched vulnerabilities, and interaction from the user. The latter includes prompting victims to visit a specially crafted website that already contains an exploit kit. Once an unsuspecting user opens the website, the exploit kit gets to work secretly scanning their device in search of weaknesses, on the basis of which the attack is developed further.

What is an example of an exploit kit?

Among the more popular exploit kits is the infamous Blackhole exploit kit, known for drive-by download attacks dating as far back as 2010. Cybercriminals would booby-trap some insecure website. This exposed legitimate website users to unintentional downloads of malware (usually ransomware).

What do exploit kits do?

Exploit kits are utilities designed to identify vulnerabilities in targeted systems. Generally, an exploit is a piece of code crafted for a specific vulnerability. Similarly, an exploit kit combines several methods and approaches to detecting vulnerabilities into one, which, ultimately, provides a better range and versatility to an attack.

What is an example of a zero-day exploit?

A zero-day exploit is a method used by cybercriminals to attack systems with previously undetected vulnerabilities. One famous example is the zero-day in the popular video conferencing platform Zoom. This zero-day attack allowed attackers to gain remote access to users' computers that ran older versions of Windows. If the attack was aimed at an administrator, hackers could seize complete control of their computer and access any of its files.

How do exploits relate to vulnerabilities?

In effect, exploits are programmed utilities intended to detect specific types of vulnerabilities. The more exploits involved in an attack, the greater the chance for criminals to identify at least one weakness in the target system.