Attacks/Breaches
2/2/2015
04:20 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

New Adobe Flash 0-Day Used In Malvertising Campaign

The latest in a series of recent Flash vulnerabilities and malvertising exploits that are hard for users to avoid.

Yet another critical zero-day vulnerability has been found in Adobe Flash -- the latest in a series of holes found over the past month. This one, CVE-2015-0313, is being exploited in malvertising attacks, according to researchers from Trend Micro.

The vulnerability affects the most recent version of Flash on Windows systems running Internet Explorer or Firefox. Adobe has indicated that a patch will be available this week.

The exploit -- named SWF_EXPLOIT.MJST by Trend Micro -- was found redirecting visitors from dailymotion.com to a malicious site, hxxp://www.retilio.com/skillt.swf. The compromised site has been visited at least 3,294 times, mostly by users based in the United States. The exploit was triggered via an advertising platform, so researchers expect that it was running on other sites, not just Daily Motion. It might be "executed via the Angler Exploit Kit, due to similarities in obfuscation techniques and infection chains."

The latest spate of Flash vulnerabilities is troubling because Flash is so hard to avoid.

"Adobe’s software is everywhere, second to only Microsoft," says Andy Manoske, senior product manager at AlienVault. "Flash is also extremely proliferate, with something like 20 percent penetration of all active websites on the Web, so there's an incredible amount of scrutiny because it's so popular. As such, we're likely to continue to find vulnerabilities as the security community (both in terms of security companies and adversaries) pick through Flash with a fine tooth comb.

Manoske says the other issue is that Flash is "architecturally complicated."

"It's not really a single platform so much as it's a zoo of different operating system clients that agree on a series of protocols and features. Complexity like this has a tendency to create issues due to things like implementation errors and race conditions, thereby creating the opportunity for exploitable vulnerabilities to be accidentally created and missed in [quality assurance]," he says.

Malvertising on the rise

Malvertising is also hard to avoid. Exploits are delivered via drive-by-download, not requiring user interaction. Ads are found on millions of websites, and are served by third-party ad platforms, not the site administrators. And the process of serving ads is largely open and automated; legitimate businesses and criminal enterprises alike sign up to ad bidding services anonymously.

"Malvertising provides an elegant means of accomplishing for attackers what online advertising accomplishes for brands and agencies: exposing your content to a large and increasingly targeted breadth of users," Manoske says. "As real-time bidding and other automated and readily anonymized means of purchasing ad inventory continue to trend throughout the ad industry, it's likely we're going to continue to see malvertising-enhanced drive by download attacks that exploit vulnerabilities in the typical technology stack for ads, including and especially within Flash."

Lately, malvertising attacks are everywhere, targeting everything from consumers to US defense contractors, committing everything from click fraud to information gathering. In October, Invincea reported its discovery of a malvertising campaign "micro-targeting" the defense industry. Invincea dubbed it "Operation DeathClick" and described as an APT.

And from October to December, Facebook extended a special offer to members of its bug bounty program, paying double for reports of ad-related threats.

"The proliferation of exploit kits like Angler only exacerbates this issue," says Manoske, "and I think similar discoveries such as Trend's findings in DailyMotion will force ad networks to ask their industry serious questions about content review processes given how common these attacks are becoming."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
2/4/2015 | 8:21:54 AM
Re: Security Measures
Thanks, that was very helpful. I am a huge Chrome afficionado and the Ad Blocker is definitely a major benefit. Not only from its security aspect but also its seamless integration into the browser. Another security benefit is it helps to mitigate noise. Through this means you will be more attune to handling an event when notified instead of dismissing it.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Ninja
2/3/2015 | 4:43:23 PM
Re: Security Measures
Some people have argued that going with ad blocking software is like going without a firewall.
jps-forums
100%
0%
jps-forums,
User Rank: Apprentice
2/3/2015 | 4:30:06 PM
Re: Security Measures
There's actually 4 simple (and free) steps home users can take to drastically reduce their risk.  I had to put spaces in the URLS to get this to post, so take that into account when reading the links I include

 

1. Take advantage of OpenDNS (opendns .com/home-internet-security/). This requires you to set your primary DNS on your home router/wireless to use their DNS IP's. They filter many malicious sites for you and you get a free ability to implement content filtering for your family as well.  This is probably slightly complicated for your basic home user (you have to get them into their home router config under the IP and/or DHCP options to set the DNS) but their instructions make it much easier. 

2. Install anti-exploit software. Malware-bytes Anti-exploit Free edition protects all the major browsers and doesn't rely on def updates. Stops APT's in their tracks. Su[per tiny light-weight. You'll never know it's even running (https://www. malwarebytes. org/antiexploit/). The paid version protects more but stopping the exploits via browser for free is dang good.

3. Install some type of automated patching software that covers OS and 3rd party without any or much interaction at all. Secunia PSI is free and does an amazing job with little or no user interaction. (secunia. com/vulnerability_scanning/personal/) 

4. Use Chrome as much as possible and install the free ADBLOCK extension that stops all (99.9%) of adds (really useful on this particular exploit...plus it makes browsing much faster without all that garbage and annoying ads in vidoes/sidebars etc  (getadblock. com/)

Having a standard antivirus product is a given, although it probably protects you 20% if you are lucky. If you have AV, try to pick one that has host-based IPS built in as well (Intrusion Prevention System). The 4 above probably cover you 75%. Leaving a tiny window of risk left.  Every friend and family I help (there's many) has yet to been compromised or get infected using the tips above.  Best of all it will cost you 0 dollars to do the 4 things above.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
2/3/2015 | 10:07:16 AM
Security Measures
Since, as the article denotes, it is very difficult to deny a malicious body the right to acquire digital ad space; are there any best practices in general for the user population to avoid this type of attack? For example, Ad-blockers, etc.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/3/2015 | 3:17:58 AM
Guess I need to install Google Ultron
O, to go two weeks without having to update Adobe Flash!  #firstworldproblems
Ransomware Grabs Headlines but BEC May Be a Bigger Threat
Marc Wilczek, Digital Strategist & CIO Advisor,  10/12/2017
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Be a unicorn, not a donkey...
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.