Tuesday 30 June 2015

Cybercriminals exploit Flash zero-day flaw

Last Tuesday Adobe Systems released a patch for the Flash Player vulnerability CVE-2015-3113. However, just four days later a malware researcher who goes by Kafeine spotted the Magnitude exploit kit exploiting the vulnerability in a drive-by download attack.

The flaw is tracked in the Common Vulnerabilities and Exposures database as CVE-2015-3113. It turns out that CVE-2015-3113 had zero-day status and had been targeted for several weeks by a China-based cyberespionage group before the patch was released. These attacks were aimed at organisations in a broad range of industries, from aerospace, defence and technology to construction, transportation, engineering and telecommunications.

The goal of these attackers is to compromise sophisticated defence systems and to remain undetected for as long as possible. For this reason it is not uncommon for Flash Player and other popular applications to be targeted with zero-day exploits.

Despite this, indiscriminate, widespread attacks using zero-day exploits are uncommon, predominantly because of the value of zero-day vulnerabilities to the attackers. Financially it makes little sense to use such brash campaigns, as they draw attention to the vulnerability and make it more likely to be discovered and patched quickly.

Instead, exploit kit operators usually prefer to integrate exploits for already patched vulnerabilities, working on the principle that many users will not install patches quickly enough. The creators of these exploit kits, however, are dramatically reducing the time they need to incorporate a new exploit. As a result, users are left with a much shorter window in which to deploy the patch before the exploit is integrated. In the case of CVE-2015-3113 this was only 4 days. This causes problems for organisations that typically install updates on schedules separated by more than a week.

Another Flash Player exploit was integrated into the Nuclear EK exploit kit earlier this year, a mere week after the patch was released. A trend towards shorter patch windows is emerging.

Currently, when the Magnitude attacks on CVE-2015-3113 succeed, they install the Cryptowall ransomware. The attackers could change this payload at any time.
