Flash Targeted by Zero-Day ExploitCrimeware Kit Targets Bug; Adobe Confirms Vulnerability
In-the-wild attacks are reportedly targeting a zero-day vulnerability in the Adobe Flash browser plug-in, which is used for online vector graphics, animation, games and delivering rich Internet applications. While numerous versions of Internet Explorer are reportedly under attack, Google Chrome is apparently unaffected by the flaw.
The previously unknown Flash flaw that's being exploited by attackers was first spotted by "Kafeine," the security researcher behind the "Malware Don't Need Coffee" blog. He reports that the bug, which appears to be present in Flash Player 22.214.171.1247 and earlier versions, is being targeted by some versions of the Angler exploit kit.
Kafeine reports that the Angler kit's exploit appears to work against all versions of Internet Explorer that run in Windows XP, as well as against Windows 7 and Internet Explorer 8, and Windows 8 - including the Windows RT mobile edition. The Flash plug-in running in Mozilla's Firefox browser is also at risk, SANS Institute warns. But the Flash flaw doesn't appear to pose a risk to users of either Windows 8.1 or the Google Chrome browser.
Responding to that report, Adobe confirms that the flaw - CVE-2015-0311 - exists in the Windows, Mac and Linux versions of Flash Player, and says it plans to release a related fix during the week of Jan. 26. Adobe has labeled the flaw as "critical," meaning it could be exploited by an attacker to run malware on a targeted machine. That warning comes less than 24 hours after Adobe released an emergency fix for Flash to address a different, "memory randomization" zero-day vulnerability - CVE-2015-0310 - that the company says "is being used in attacks against older versions of Flash Player."
Pending a patch, security experts say the flaw can be mitigated by uninstalling - perhaps temporarily - the Adobe Flash plug-in.
Angler Exploit Kit
Attackers often use crimeware such as Angler to seize control of a system and then grab sensitive data - including financial account details - as well as press the system into service as a botnet node, or "zombie." These zombies can then be used to relay spam, distribute malware or launch distributed denial-of-service attacks.
"The 'Angler' exploit kit is a tool frequently used in drive-by download attacks to probe the browser for different vulnerabilities, and then exploit them to install malware," Johannes B. Ullrich, dean of research for the SANS Technology Institute, says in a blog post. "The exploit kit is very flexible and new exploits are added to it constantly."
But it's unusual to find a valuable zero-day vulnerability built into an exploit kit. "Typically we see these exploits more in targeted attacks, not in widely used exploit kits," Ullrich says. "This flaw could affect a large number of users very quickly."
Symantec reports that the Angler exploit kit attacks that it's seen exploiting the zero-day Flash flaw appear to be using a malicious Adobe flash file - ending with the SWF extension - that is a version of the "Swifi" Trojan horse, which dates back to 2009. "Symantec regards this vulnerability as critical because Adobe Flash Player is widely used and the flaw allows an attacker to effectively compromise a host, which then allows for the unauthorized installation of malware," the company says. Swifi can serve as a "dropper," which can then download and run additional malicious components of an attacker's choosing.
JÃ©rÃ´me Segura, senior security researcher at anti-malware software vendor Malwarebytes, notes in a blog post that Angler appears to be exploiting the Flash flaw to install the Bedep "distribution botnet" malware, as part of a click-advertising fraud campaign. That refers to malware on infected systems being used to make "bogus requests" for online advertising, without the malware revealing its presence to the user of the infected system.
"Unfortunately it is very hard to tell apart real users from fake ones, and advertisers essentially end up paying for 'impressions' or 'clicks' where a human being was never involved," Segura says.
While the majority of attacks targeting Web browser plug-ins have typically targeted known Java flaws, Segura says that in recent months, a spate of critical vulnerabilities in Flash have drawn attackers' attention, making it now "the most exploited plug-in."
Angler Grows More Popular
Angler's popularity has also been growing in recent months, owing to a decision by its author - or authors - "to eliminate the requirement of downloading a Windows executable to deliver malware," security researchers at Cisco write in a new report.
Instead, the crimeware can exploit systems via vulnerabilities in such browser plug-ins as Flash, Java and Silverlight, as well as the IE browser itself. "Once the exploit is triggered, the malware payload is written directly into memory ... instead of being written to a disk," Cisco says. "The payload delivered by Angler looks like a blob of encrypted data, which makes it harder to identify and block."