Anti-Malware , Cybersecurity , Risk Management

Zero-Day Exploit Alert: Flash, Java

More Hacking Team Flash Exploits, Plus Java APT Attack
Zero-Day Exploit Alert: Flash, Java

(Editor's Note: This story has been updated.)

Zero-day exploits have been discovered in the wild, targeting new flaws in both Flash and Java.

See Also: Secure Access in a Hybrid IT World

Following the hack attack against Italian surveillance software maker Hacking Team, security experts say they have found exploits for two more zero-day bugs in Flash among the information leaked from the spyware manufacturer. Attackers are reportedly already targeting at least one of those vulnerabilities via crimeware toolkits to make their malware drive-by attacks more effective.

On July 14, Adobe released Flash version 18.0.0.209, which includes fixes for those flaws.

Not related to the Hacking Team hack, security researchers have also found that an advanced persistent threat group - that appears to be sponsored by the Russian government - has been targeting a new zero-day vulnerability in the latest version of the Java 8 Web browser plug-in. Oracle released an update to patch that flaw July 14, and security experts recommend updating immediately, since cybercriminals could soon adopt an exploit for the flaw for their own attacks.

More Flash Flaws

Adobe has confirmed the existence of two new "critical" Flash zero-day flaws in Adobe Flash Player 18.0.0.204 - and earlier versions - for Windows, Mac OS X and Linux. "Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system," it says.

All Flash users should immediately upgrade to the latest version, which patches the flaws. That's because by exploiting the flaws, "an attacker can execute arbitrary code in the context of the user running Flash Player," US-CERT warns. "Attacks typically involve enticing a user to visit a website containing specially crafted Flash content, or to open a specially crafted Microsoft Office document."

Security experts say the two new flaws have been found in the cache of stolen information that was dumped earlier this month from Hacking Team (see Spyware Vendor Alert: Suspend Software). The discovery of the new exploits follows the earlier discovery of an exploit for another Flash flaw - CVE-2015-5119 - that was also found in the Hacking Team data dump. That exploit was quickly adopted by at least three exploit kit makers and has been seen in active in-the-wild attacks, although Adobe did recently update Flash to address that flaw (see Hacking Team Zero-Day Attack Hits Flash).

Of the two new zero-day Flash flaws found since then, threat-intelligence firm FireEye discovered the first in the Hacking Team dump, reports FireEye security researcher Dhanesh Kizhakkinan in a blog post.

The bug, CVE-2015-5122, is a "use after free" vulnerability, referring to a type of memory corruption flaw that attackers can abuse to execute arbitrary code on a machine, US-CERT says. And Kafeine, the handle of the French researcher who maintains the "Malware Don't Need Coffee" blog, says in a blog post that the exploit has already been added to the open source Metasploit penetration-testing framework, as well as to four exploit kits, and is being used by cybercriminals for in-the-wild attacks.

The second newly discovered zero-day Flash flaw - CVE-2015-5123 - was also found in the Hacking Team data leak, Trend Micro security researcher Peter Pi says in a blog post, adding that the security firm reported the flaw to Adobe. "This vulnerability is rated as critical and can allow an attacker to take control of the affected system once successfully exploited," he says. "It affects all versions of Adobe Flash in Windows, Mac and Linux."

Multiple security experts have reported that this flaw is quite similar to the other two Flash flaws found via the Hacking Team dump, and involves crashing the Flash Player, after which attackers can execute code and compromise a machine. They also warn that exploit kits will likely soon also begin tapping this latest vulnerability to compromise systems.

Flash a Target

This has been a bad year for users of Adobe Flash, which has been targeted by multiple zero-day attacks targeting newly discovered flaws in the browser plug-in (see Adobe Flash Is Under Attack - Again).

To better safeguard users, some security experts are calling for Adobe to shut down older versions of Flash. Via Twitter, for example, Alex Stamos, Facebook's chief security officer, has urged Adobe to begin using the killbit feature built into Windows - which can be used to prohibit an ActiveX control from ever launching - to force older versions of Flash to expire.

New Java Zero Day

Beyond the newly patched Flash flaws, Trend Micro also reports that it has discovered a new vulnerability - CVE-2015-2590 - in the latest version of Java. "This is the first time in nearly two years that a new Java zero-day vulnerability was reported," the security firm says in a blog post.

"Note that this zero-day exploit is not part of the recent slew of vulnerabilities related to the Hacking Team leak," it adds. "The group behind Operation Pawn Storm is using the Java zero-day exploit as part of their campaign."

Operation Pawn Storm refers to a cyber-espionage campaign that appears to have been launched in 2007 (see Espionage Hacks Tied to Russians). FireEye, which has also been tracking this advanced persistent threat attack group - which it calls APT28 - said in a 2014 report that the group focuses on amassing "intelligence on defense and geopolitical issues," and that it has found "evidence of long-standing, focused operations that indicate a government sponsor - specifically, a government based in Moscow."

If the newly discovered Java flaw gets successfully exploited, Trend Micro says the attack then proceeds by executing a Trojan downloader, which downloads and installs at least two pieces of malware to give attackers full access to the compromised machine.

The Java zero-day exploit has been used in phishing attacks that have targeted a U.S. defense organization, as well as another NATO member country's armed forces, both of which Trend Micro declined to name. The vulnerability affected the previous version of Java 8 - Java version 1.8.0.45 - but no versions of Java 6 or Java 7, Trend Micro says.

Oracle has now patched the Java 8 flaw via its "critical patch update" for July 2015. "Users running Java SE with a browser can download the latest release from http://java.com," Oracle says. "Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release." In total, the critical patch update contained 25 new security fixes for Oracle Java SE, most of which could be remotely exploited without authentication - no username or password required - Oracle warns.

Ongoing Cyber-Espionage Attacks

These are not the only attacks that have been recently tied to the gang behind Operation Pawn Storm. In February, Trend Micro reported that the same attack group had been using a malicious iOS app - that could only infect jailbroken devices - against targets. In April, meanwhile, Trend Micro tied the attack group to an attack infrastructure that was targeting the White House and North Atlantic Treaty Organization members, including the Polish government, in part by using Sednit - a.k.a. Sofacy - malware.

"Pawn Storm also targeted other nation-state organizations using political events and meetings such as the Asia-Pacific Economic Cooperation (APEC) Forum and the Middle East Homeland Security Summit 2014 as part of its social engineering tactics," Trend Micro says. Beyond the military and government targets, the group has also been tied to attacks against media organizations and defense contractors, the company reports.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network