Governance & Risk Management , Incident & Breach Response , Managed Detection & Response (MDR)

Adobe Flash Is Under Attack - Again

Crimeware Targets New Zero-Day Bug in Browser Plug-In
Adobe Flash Is Under Attack - Again

In-the-wild attacks are exploiting yet another newly discovered zero-day vulnerability in the latest version of Adobe's Flash plug-in for Web browsers, reports anti-virus vendor Trend Micro. It's the third time in recent weeks that researchers have discovered a new flaw in Flash after tracing back in-the-wild attacks that exploit it.

See Also: Every Second Counts: 6-Step Ransomware Remediation Guide

The latest zero-day flaw has been used in a hacking campaign that involves so-called malvertising attacks, which inject malicious code into otherwise legitimate advertising networks, Trend Micro reports.

"Our initial analysis suggests that this [campaign] might have been executed through the use of the Angler Exploit Kit," Peter Pi, a threat analyst at Trend Micro, says in a blog post. Angler is a crimeware toolkit that is designed to target known vulnerabilities in browsers to take control of a system. Such toolkits may also include exploits for vulnerabilities that have not been publicly disclosed - and for which no anti-virus signatures are yet available - which increases the likelihood of the attack succeeding.

Criminals often use crimeware to raid systems for sensitive financial information, as well as to press them into service as a bot or "zombie" in a network of infected PCs. Such botnets are often used to distribute malware, relay spam or launch distributed denial-of-service attacks.

Adobe, in a Feb. 2 advisory, confirms that the bug exists, and says it plans to issue a related patch before Feb. 6. "A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player and earlier versions for Windows and Macintosh," Adobe's security advisory warns. "Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below."

Adobe credits Trend Micro's Pi, as well as two researchers from Microsoft, with discovering the flaw.

Advertising Platform Hacked

Trend Micro says it first began to see signs of this attack campaign on Jan. 14, and then "saw a spike in the hits to the IP related to the malicious URL around Jan. 27," Pi says. Most of the infected PCs - Trend Micro has counted more than 3,000 to date - appear to be based in the United States. But the vulnerability may be getting exploited in hack-attack or malvertising campaigns that have yet to be spotted. "With an attack already seen in the wild, it's likely there are other attacks leveraging this zero-day, posing a great risk of system compromise to unprotected systems," Pi says.

Trend Micro says the malvertising attack snared users of the popular video-sharing website, who were then redirected to a site where the actual exploit was served via a drive-by attack. But Trend Micro notes that the exploit has likely been served at other sites beyond Dailymotion, which is one of the world's largest video-sharing websites. As of Feb. 2, the site was hosting multiple videos from the 2015 Super Bowl, which aired the previous day, including the halftime show featuring singer Katy Perry.

Pi emphasizes that attackers appear to have injected malicious code into a third-party advertising network, or else listed an advertisement that includes the redirect to the malicious website. "It is important to note that infection happens automatically, since advertisements are designed to load once a user visits a site," Pi says. "It is likely that this was not limited to the Dailymotion website alone, since the infection was triggered from the advertising platform and not the website content itself."

Trend Micro says that the advertisements being served as part of this malvertising campaign now appear to be down. But pending a patch, Pi says users should consider disabling Flash Player.

Zero-Day Attacks

This marks the third zero-day Flash flaw to have been discovered in recent weeks (see Flash Targeted by Zero-Day Exploit). The bug reports have led some information security experts to question whether using the browser plug-in is worth the risk.

The three previous flaws have been patched via Flash updates. Users get those updates automatically if they have enabled "auto-update" in their Flash Player. Anyone using Google Chrome, Internet Explorer 10 or IE11 will also see a related update get automatically distributed, although only for that particular browser, meaning any desktop installations of Flash Player must also be updated.

Attackers, wise to the fact that zero-day vulnerability warnings often cause users to begin seeking out updates, regularly attempt to trick people into installing bogus Flash security updates. "Because malware authors will often employ misleading tactics to make malware look like something you should trust, it's important to get your Flash Player updates directly from Adobe," reads a Flash Q&A on Adobe's website.

Adobe estimates that by the end of 2015, more than 1 billion Internet-connected devices will run Flash, which is a multimedia and software platform that gets used to create vector graphics, animation, games and other so-called types of rich Internet applications. But Europol cybersecurity adviser Alan Woodward questions whether it's wise to use Flash, given the spate of critical flaws that have been putting end users and enterprises at risk.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.