Adobe last week issued an emergency security patch to fix a vulnerability in Flash that could leave users vulnerable to a ransomware attack.
The vulnerability exists in Adobe Flash Player 126.96.36.199 and earlier versions for Windows, Macintosh, Linux and Chrome operating systems. It can cause a crash and leave the computer vulnerable to attackers, the company said.
It’s aware of reports that CVE 2016-1019 has been exploited on systems running Windows 10 and earlier with Flash version 188.8.131.526 and earlier, Adobe said. A patch introduced in Flash Player 184.108.40.206, however, prevents exploitation.
Targets Older Versions
Researchers atProofpoint discovered the vulnerability earlier this month, when they realized the Magnitude exploit kit was successfully exploiting Adobe Flash version 220.127.116.116.
“The attack was found in what is called an exploit kit, which is a cybercrime tool typically sold on underground forums. Exploit kits are malicious software packages that hide on websites and take advantage of vulnerabilities in Web browsers and plug-ins in order to deliver malware, in this case ransomware,” said Ryan Kalember, senior VP of cybersecurity strategy at ProofPoint.
Since the Magnitude EK was not affecting Flash 18.104.22.168, the researchers initially thought the target was CVE-2016-1001 as in Angler, the combination exploit CVE-2016-0998/CVE-2016-0984 or CVE-2016-1010.
“If a victim lands on a webpage and has Flash, the malware would be quietly installed, even without the user clicking on anything,” Kalember told the E-Commerce Times.
Researchers shared their findings with other companies, and a colleague atFireEye figured out that it was a previously unknown vulnerability, according to Proofpoint. The companies contacted Adobe, which, working with the researchers, determined that the mitigation that was integrated into 22.214.171.124 caused the exploit to fail.
The problem was a previously unreported vulnerability and assigned the number CVE-2016-1019. Adobe released the emergency patch last week.
“Adobe is a big target simply because Flash is so widely used — Adobe has said it is on over a billion devices,” Kalember noted.
A Proofpoint researcher named Kafeine shared the vulnerability with FireEye, which did analysis and testing to determine the status of the previously unknown vulnerability, a FireEye spokesperson confirmed. The companies worked together to help Adobe send out a quick release of a fix.
“Given the rise in ransomware attacks in recent months, it is most important to note that unlike most exploit kits using known vulnerabilities, this zero-day vulnerability was being used to distribute ransomware at the time of analysis,” FireEye said in a statement provided to the E-Commerce Times by company rep Kyrk Storer.
Magnitude seemed to be used by only one actor in recent months, spreading Cryptowall crypt 1001 until the middle of March, Proofpoint researchers noted. However, the actor then switched to Teslacrypt ID=39 and later to Cerber.
“The Cerber ransomware encrypts documents, photos, databases and other common file types,” Proofpoint’s Kalember said. “Victims see a ransom demand directly on their PCs.”
Symantec last year published a broad overview of ransomware, a relatively new form of malware that is akin to cyberextortion, in which attackers take control of the victim’s computer and often demand payment or some other form of compensation in order to release the exploited system.
The U.S. led the countries victimized by ransomware attacks in 2015, followed by Japan, the U.K., Italy, Germany and Russia, according to Symantec. The average payment demanded was US$300.
“Organizations of all sizes are being targeted, with broad-based email campaigns — sometimes over 10 million messages in a day — malicious Web advertisements, and even malicious mobile apps,” Kalember said.
“In general, ransomware targets Windows more often than other operating systems, but recent examples of ransomware have been found up for Mac OS X, which was taken down immediately, and Android,” he said.
Defense in Depth
Researchers atTrend Micro saw a zero-day attack being included in the code of Magnitude Exploit Kit through its protection network feedback, they said. That type of activity leads to Locky ransomware, a form of crypto ransomware that abuses macros in document files to hide the malicious code.
“What we’ve seen in this particular attack is that Adobe has made changes to ensure this did not impact those who are using the most up-to-date version of their product,” said Christopher Budd, global threat communications manager at Trend Micro.
“This underscores how defense-in-depth security measures are a good thing and can be very helpful in mitigating the impact of such attacks,” he told TechNewsWorld.
“Ransomware is on a major upswing over the past four to six months,” Proofpoint’s Kalember said, “so we’re likely right in the middle of the cybercrime cycle.”