Cisco: Blackhole arrest cuts exploit-kit traffic, but don't let your guard down

Many packages are vying to take the popular kit's place, and security threats still abound, report says

Exploit kits of cybercrime tools fell into a big slump in the first half of this year after Russian authorities nabbed the alleged creator of the popular Blackhole kit, but users aren't necessarily safer.

Blackhole so dominated the shadowy market for exploit kits, or bundles of code for taking advantage of known software vulnerabilities, that the number of URL requests associated with exploit kits fell by 87 percent in the first half, according to the Cisco 2014 Midyear Security Report. The report was released on Tuesday during the Black Hat security conference in Las Vegas.

The report, which combines findings from Jan. 1 through June 30 by various security divisions of Cisco Systems, painted a fairly grim picture overall: One statistic, based on observations of 16 enterprise networks, showed that nearly 94 percent of them had Web traffic go to malware sites, the company said. The company's annual security report last December found that 100 percent of observed enterprises -- 30 enterprises, in that case -- had malware traffic. The report also found a marked increase in attacks against media companies.

Blackhole was linked to numerous cyber attacks until its alleged author, who used the nickname Paunch, was arrested last October. There were many exploit kits based on Blackhole, but activity around those has died down since Paunch's arrest. In the meantime, many different kits have been vying for hackers' attention, said Levi Gunder, a technical team leader at Cisco. Exploit-kit creators compete much like makers of any product do, on features (such as how many exploits are included) and customer service, he said.

"There will be a new market leader in the underground," Gunder said. "I think it's just a matter of time before another Blackhole ... emerges and claims dominance."

For the midyear report, Cisco's SourceFire Vulnerability Research Team (VRT) analyzed URL requests on the Internet to determine if the code that generated them came from a known exploit kit. The sharp decline in exploit kit identifications may not mean less malware is out there, Gunder warned. For one thing, some kits are harder to recognize than others. For example, the Sweet Orange kit uses a new pattern every day to create URLs for the rogue pages where it sends victims. "It's very difficult to track from the typical indicators we've used in the past," he said.

Web users frequently get redirected to malware sites by code built into online display ads, which can hijack a browser even if the user never clicks on the malicious ad, Gunder said. Often, the bad site appears briefly as a blank white page. But in the meantime, it will load malware on the user's system that can do just about anything if the computer doesn't have up-to-date protections installed, he said.

Between 5 percent and 10 percent of all enterprise Web traffic involves so-called malvertising, judging by results from Cisco's CWS (Cloud Web Security) service. CWS analyzes all Web requests from customers around the world who want their traffic monitored for security reasons. CWS looked at 2 billion to 3 billion Web requests, Gunder said.

"This stuff is just rampant," he said. Purveyors of malicious ads buy their way onto legitimate sites through the same exchanges that distribute ordinary ads, paying to have their spots appear every few times the page is shown to a user, Gunder said. The exchanges try to prevent this, but it's hard because there's nothing malicious about the ads themselves, just the URLs that they send visitors to.

"What the evidence shows to date is, they have not been very successful in doing that," he said.

When hackers look for ways to attack, they usually go after Java, especially older versions of the architecture. Of all the indicators that computers had been compromised in the first half of the year, 93 percent pointed to a Java vulnerability, Cisco found. That was up from 91 percent in the previous six months.

Java is the target of choice because so many consumers and businesses use it, especially in browsers, and most don't update it when they need to, Gunder said. Those who do will get redirected to malicious sites just like anyone else, but their systems won't be compromised.

While updating Java is easy for consumers as long as they notice alerts of new versions, it can be more complicated for enterprises, Gunder said. They may have built complex and critical applications based on Java and can't quickly modify that code to run on the new version. It may take six months just to draft a migration plan, while more Java updates in response to new threats are likely to come in the meantime, he said. To help mitigate the dangers, Gunder advised enterprises to closely watch the Web traffic exiting their networks for evidence of exploitation.

Stephen Lawson covers mobile, storage and networking technologies for The IDG News Service. Follow Stephen on Twitter at @sdlawsonmedia. Stephen's e-mail address is

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityblack hatCisco Systems

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Stephen Lawson

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?