Sun to set on BEPS/Sundown exploit kit?
On February 13, 2017, the security researcher David Montenegro (@CryptoInsane) posted a series of tweets claiming that the source code for the BEPS exploit kit had been leaked online. Montenegro’s posts were accompanied by screenshots which showed a log file purportedly taken from the dump, which featured references to the actor "Kriminalac" and the Yugoslavian Business Network (YBN).
BEPS and the Sundown exploit kit are commonly referred to interchangeably and we have previously assessed that these two kits are likely the same. This leak was also acknowledged by the user @666_KingCobra, who has previously claimed to be the creator and operator of the Terror exploit kit, an exploit kit that closely imitated Sundown.
What was leaked?
@666_KingCobra claims the leak includes exploit kit source code, control panel data, and exploit code for a number of vulnerabilities. This user also claimed that the kit was, at the time of posting, hosted on 188[.]209[.]49[.]98. In addition to these claims, on February 11, 2017 a thread was created on the criminal forum Hack Forums claiming that the source code for the BEPS exploit kit had been leaked and warning other users to treat offers of paid access to exploit kits with caution. Again on February 11, 2017, a listing on the dark web criminal marketplace AlphaBay offering the code for sale was also detected (shown in Figure 1). Based on the identification of three independent sources who all made consistent claims, it was assessed to be probable that the genuine BEPS source code has indeed been made publicly available online.
Figure 1 - AlphaBay listing for the BEPS source code and exploits.
Nobody said it was easy
Towards the end of 2016, it was clear that threat actors were drawn to using the Mirai botnet source code - but required technical help to actually make use of it (See Motherboard’s “Wannabe Hackers Are Willing to Pay To Learn How To Use the Mirai Botnet”). Following the release of the BEPS (Sundown) exploit kit source code, a similar phenomenon is occurring. Figures 2 and 3 are posts that have emerged on Hack Forums of people seeking help with the exploit kit source code.
Figure 2 – A user seeking helping in exchange for a list of emails and exploits. Screenshot taken on February 20, 2017
Figure 3 – A user claiming to have the file, but seeking help with installation. Screenshot taken on February 20, 2017
It is probable that the majority of actors who attempt to use this source code will not be successful in their attempts to operationalize the exploit kit. Examinations of other exploit kit operations has indicated that significant logistical support is required for success, as threat actors must obtain a continuous flow of victim traffic to landing pages, as well as a supply of domains to actually host landing pages. Kit operators must also develop or obtain exploit code in order to improve their exploit kit's capability if they wish to remain competitive in the marketplace.
These challenges are likely to represent significant obstacles for threat actors who do not already have access to the resources and access necessary to secure this logistical support.
This development was also considered likely to have a significant impact on the operators of the BEPS/Sundown exploit kit, as it will likely both impact user trust in this criminal service and force the kit’s operators to invest time and resources into development new exploit and updating their source code.
The availability of the BEPS/Sundown source code is likely to have a significant impact on the exploit kits operators. It will likely impact both user trust in this criminal service and force the operators to invest time differentiating their source code and developing new exploits.
This will likely have the effect, at least in the short term, of further contracting the exploit kit landscape, which shrank significantly in 2016 as a result of the disappearance of Angler and Neutrino. Other than Sundown, only the RIG exploit kit and Magnitude have remained significantly active into 2017. At the time of writing the vast majority of exploit kit traffic was linked with various version of RIG, indicating that this kit will likely continue to dominate the exploit kit space in the future, barring a disruption to its operations.
To learn about other exploit kit payloads, features and common vulnerabilities, download our research report: In the Business of Exploitation.