How Attackers Use a Flash Exploit to Distribute Crimeware and Other Malware

May 27, 2016 | Patrick Bedwell

Background

Adobe Flash is multimedia software that runs on more than 1 billion systems worldwide. Its long list of security vulnerabilities and huge market presence make it a ‘target-rich environment’ for attackers to exploit. According to Recorded Future, from January 1, 2015 to September 30, 2015, Adobe Flash Player comprised eight of the top 10 vulnerabilities leveraged by exploit kits.

Here is an illustration of just how quickly bad actors can deploy an exploit:

  • May 8, 2016: FireEye discovers a new exploit targeting an unknown vulnerability in Flash and reports it to Adobe.
  • May 10, 2016: Adobe announces a new critical vulnerability (CVE-2016-4117) that affects Windows, Macintosh, Linux, and Chrome OS.
  • May 12, 2016: Adobe issues a patch for the new vulnerability (APSB16-15).
  • May 25, 2016: Malwarebytes Labs documents a 'malvertising' gang using this exploit to compromise systems by distributing malware through well-known websites while avoiding detection.

The Malwarebytes blog is a good read, as it provides several examples of how sophisticated malware distribution schemes have become. For example, it breaks down the malicious elements of a rogue advertising banner that the Flash exploit allows attackers to use to push out malware. Among other things, it runs a series of checks to see if the targeted system is running packet analyzers and security technology, to ensure that it only directs legitimate vulnerable systems to the Angler Exploit Kit.

[Image: “The ‘dirty’ version of an ad banner showing its real intent.” Source: Malwarebytes]

Impact on you

With over 1 billion systems running Adobe Flash, it is likely that one or more systems under your control are vulnerable to this exploit. Fortunately, there is a fix to patch the vulnerability. Unfortunately, according to Adobe, it takes 6 weeks for more than 400 million systems to update to a new version of Flash Player. Six weeks (or however long it takes you to patch Flash) is a long time to be at risk of being compromised by ransomware via the Angler EK.

How AlienVault Helps

The AlienVault Labs team performs the threat research on the latest threats, and on how to detect and respond to them, that most IT teams simply don’t have the expertise, time, budget, or tools to do themselves. The Labs team regularly updates the rulesets that drive the threat detection, prioritization, and response capabilities of the AlienVault Unified Security Management (USM) platform, to keep you up to date with new and evolving threats.

The AlienVault Labs team recently updated the USM platform’s ability to detect this new Adobe Flash vulnerability by adding IDS signatures to detect the malicious traffic and a correlation directive to link events from across a network that indicate a compromised system.

  • Emerging Threat - Adobe Flash Uncompressed Possible (CVE-2016-4117)

A critical vulnerability, CVE-2016-4117, exists in Adobe Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. If an attacker successfully exploits this vulnerability, they could crash the system, or potentially take control. Adobe has released an update to patch this vulnerability.

  • We've added IDS signatures and created the following correlation rule to detect CVE-2016-4117:

Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Flash Uncompressed Possible (CVE-2016-4117)
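As an added illustration of the idea behind a signature named “Adobe Flash Uncompressed Possible” (this is example code written for this page, not AlienVault's IDS signature or correlation directive), the following Python snippet inspects HTTP response bodies for the SWF header magic, flags uncompressed Flash files, and notes when a Flash file is served under a non-Flash content type, as a malvertising banner might be. The URLs, content types and SWF-like payloads are constructed for the example; the SWF header layout (three-byte magic, version byte, little-endian length) is the documented file format.

```python
"""Toy detector for uncompressed Flash (SWF) files in HTTP response bodies.

Added example, not AlienVault's rule: it mirrors the intent of a
"Flash uncompressed" IDS signature by checking SWF header magic in
captured responses. All sample responses below are constructed.
"""
import struct
import zlib

# SWF header: bytes 0-2 are the magic ("FWS" = uncompressed, "CWS" =
# zlib-compressed, "ZWS" = LZMA-compressed), byte 3 is the SWF version,
# bytes 4-7 are the little-endian uncompressed total file length.
SWF_MAGIC = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}
FLASH_CTYPE = "application/x-shockwave-flash"


def parse_swf_header(body):
    """Return (compression, version, declared_length), or None if not SWF."""
    if len(body) < 8:
        return None
    kind = SWF_MAGIC.get(bytes(body[:3]))
    if kind is None:
        return None
    version = body[3]
    declared_len = struct.unpack("<I", body[4:8])[0]
    return kind, version, declared_len


def scan_response(resp):
    """Inspect one response dict {'url', 'content_type', 'body'}.

    Returns a list of finding strings; an empty list means nothing flagged.
    """
    findings = []
    hdr = parse_swf_header(resp["body"])
    if hdr is None:
        return findings
    kind, version, declared_len = hdr
    ctype = resp.get("content_type", "")
    if kind == "uncompressed":
        findings.append("uncompressed SWF (FWS) v%d from %s" % (version, resp["url"]))
    if ctype != FLASH_CTYPE:
        # A Flash file delivered as an image or script is worth a closer look.
        findings.append("SWF served as %r from %s" % (ctype, resp["url"]))
    if kind == "uncompressed" and declared_len != len(resp["body"]):
        findings.append("declared length %d != body length %d"
                        % (declared_len, len(resp["body"])))
    return findings


def _fake_swf(magic, version, payload):
    """Build a constructed SWF-like blob (hypothetical content, not a real movie)."""
    total = 8 + len(payload)  # uncompressed length includes the 8-byte header
    if magic == b"CWS":
        payload = zlib.compress(payload)
    return magic + bytes([version]) + struct.pack("<I", total) + payload


# Constructed sample traffic: a normal compressed banner, an uncompressed SWF
# disguised as a GIF, and an unrelated HTML page.
SAMPLE_RESPONSES = [
    {"url": "http://ads.example.test/banner.swf",
     "content_type": FLASH_CTYPE,
     "body": _fake_swf(b"CWS", 13, b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00")},
    {"url": "http://ads.example.test/img/ad.gif",
     "content_type": "image/gif",
     "body": _fake_swf(b"FWS", 13, b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00")},
    {"url": "http://www.example.test/index.html",
     "content_type": "text/html",
     "body": b"<html><body>hello</body></html>"},
]


def scan_all(responses=SAMPLE_RESPONSES):
    """Map each response URL to its list of findings."""
    return {r["url"]: scan_response(r) for r in responses}


if __name__ == "__main__":
    for url, findings in scan_all().items():
        print(url, "->", findings or "clean")
```

The content-type mismatch check is the piece a correlation directive would build on: a single "uncompressed Flash seen" event is low-confidence on its own, and becomes interesting when the same host also shows the file arriving under an image content type or from an advertising domain.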

For more information on a wide range of Flash vulnerabilities, exploit kits, and other malware, visit the AlienVault Open Threat Exchange (OTX) to see the research the OTX community has contributed.

Also, the integration between our Open Threat Exchange (OTX) and your USM deployment means that you get alerted whenever indicators of compromise (IOCs) being discussed in OTX are present in your network. The result is that USM customers are up to date on the latest threat vectors, attacker techniques and defenses.

These updates are also included in the latest AlienVault Threat Intelligence update available now for USM users. Lastly, visit the AlienVault Forums to keep up to date on the latest threat intelligence updates, product news, and engage with your fellow Aliens!


About the Author: Patrick Bedwell

Patrick has been working in information security for over 17 years, creating and executing marketing strategies for both startups and public companies.


TAGS: malware, usm, flash
