The company said that in the two previous years — 2015 and 2016 — Flash had been the main avenue for exploits in the samples it studied. But Microsoft's products surged back to the top last year.
"In 2017, seven of the top 10 vulnerabilities exploited targeted Microsoft products, with the remaining three targeting Flash. This is a steep decline from previous years – Flash accounted for six of the top 10 in 2016, and eight in 2015," it said.
The main findings in the vulnerability study for 2017 were:
- Microsoft products provided seven of the top 10 vulnerability exploits adopted by exploit kits and phishing campaigns.
- For the first time, three vulnerabilities remained on the list from one year to the next. For example, the top exploited vulnerability from 2016, CVE-2016-0189 in Microsoft’s Internet Explorer, remained a popular inroad for criminals. Dark Web conversations highlighted a lack of new and effective browser exploits.
- In 2017, exploit kits saw a 62% decline in development. Only a few exploit kits, including AKBuilder, Disdain, and Terror, saw significant activity. Multiple factors, including more specific victim targeting, shifts to more secure browsers, and a rise in cryptocurrency mining malware, are likely to have caused the decline.
- Dark Web forums and marketplaces continued to offer high- and low-quality exploit kit options, with prices ranging from US$80 per day for services to US$25,000 for full source-code access. Exploit builders for top-ranked Microsoft Office vulnerability CVE-2017-0199 ranged from US$400 to US$800 in 2017.
"This comes as cryptocurrency mining malware popularity rose in the past year. Profiting from cryptocurrency mining has its advantages, including less time spent on collecting victim ransomware payments and the avoidance of rising bitcoin transaction fees."
The most commonly observed vulnerability that came under attack was CVE-2017-0199, which affects many Microsoft Office products and allows attackers to download and execute a Visual Basic script containing PowerShell commands from a malicious document.
Numerous pieces of malware took advantage of this vulnerability: Latentbot, Microsoft Word Intruder, Hancitor, Dridex, FinFisher, Silent Doc Exploit, REMCOS, PoohMilk, Freenki, FreeMilk and Cerber.
The study can be downloaded here after registration.
Update: The original headline on this article said "Windows top target for cyber criminals in 2017: study". It has been changed to reflect the fact that Microsoft products were the top target, not only Windows.