Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/2/2015
04:20 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

New Adobe Flash 0-Day Used In Malvertising Campaign

The latest in a series of recent Flash vulnerabilities and malvertising exploits that are hard for users to avoid.

Yet another critical zero-day vulnerability has been found in Adobe Flash -- the latest in a series of holes found over the past month. This one, CVE-2015-0313, is being exploited in malvertising attacks, according to researchers from Trend Micro.

The vulnerability affects the most recent version of Flash on Windows systems running Internet Explorer or Firefox. Adobe has indicated that a patch will be available this week.

The exploit -- named SWF_EXPLOIT.MJST by Trend Micro -- was found redirecting visitors from dailymotion.com to a malicious site, hxxp://www.retilio.com/skillt.swf. The compromised site has been visited at least 3,294 times, mostly by users based in the United States. The exploit was triggered via an advertising platform, so researchers expect that it was running on other sites, not just Daily Motion. It might be "executed via the Angler Exploit Kit, due to similarities in obfuscation techniques and infection chains."

The latest spate of Flash vulnerabilities is troubling because Flash is so hard to avoid.

"Adobe’s software is everywhere, second to only Microsoft," says Andy Manoske, senior product manager at AlienVault. "Flash is also extremely proliferate, with something like 20 percent penetration of all active websites on the Web, so there's an incredible amount of scrutiny because it's so popular. As such, we're likely to continue to find vulnerabilities as the security community (both in terms of security companies and adversaries) pick through Flash with a fine tooth comb.

Manoske says the other issue is that Flash is "architecturally complicated."

"It's not really a single platform so much as it's a zoo of different operating system clients that agree on a series of protocols and features. Complexity like this has a tendency to create issues due to things like implementation errors and race conditions, thereby creating the opportunity for exploitable vulnerabilities to be accidentally created and missed in [quality assurance]," he says.

Malvertising on the rise

Malvertising is also hard to avoid. Exploits are delivered via drive-by-download, not requiring user interaction. Ads are found on millions of websites, and are served by third-party ad platforms, not the site administrators. And the process of serving ads is largely open and automated; legitimate businesses and criminal enterprises alike sign up to ad bidding services anonymously.

"Malvertising provides an elegant means of accomplishing for attackers what online advertising accomplishes for brands and agencies: exposing your content to a large and increasingly targeted breadth of users," Manoske says. "As real-time bidding and other automated and readily anonymized means of purchasing ad inventory continue to trend throughout the ad industry, it's likely we're going to continue to see malvertising-enhanced drive by download attacks that exploit vulnerabilities in the typical technology stack for ads, including and especially within Flash."

Lately, malvertising attacks are everywhere, targeting everything from consumers to US defense contractors, committing everything from click fraud to information gathering. In October, Invincea reported its discovery of a malvertising campaign "micro-targeting" the defense industry. Invincea dubbed it "Operation DeathClick" and described as an APT.

And from October to December, Facebook extended a special offer to members of its bug bounty program, paying double for reports of ad-related threats.

"The proliferation of exploit kits like Angler only exacerbates this issue," says Manoske, "and I think similar discoveries such as Trend's findings in DailyMotion will force ad networks to ask their industry serious questions about content review processes given how common these attacks are becoming."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/3/2015 | 3:17:58 AM
Guess I need to install Google Ultron
O, to go two weeks without having to update Adobe Flash!  #firstworldproblems
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
2/3/2015 | 10:07:16 AM
Security Measures
Since, as the article denotes, it is very difficult to deny a malicious body the right to acquire digital ad space; are there any best practices in general for the user population to avoid this type of attack? For example, Ad-blockers, etc.
jps-forums
100%
0%
jps-forums,
User Rank: Apprentice
2/3/2015 | 4:30:06 PM
Re: Security Measures
There's actually 4 simple (and free) steps home users can take to drastically reduce their risk.  I had to put spaces in the URLS to get this to post, so take that into account when reading the links I include

 

1. Take advantage of OpenDNS (opendns .com/home-internet-security/). This requires you to set your primary DNS on your home router/wireless to use their DNS IP's. They filter many malicious sites for you and you get a free ability to implement content filtering for your family as well.  This is probably slightly complicated for your basic home user (you have to get them into their home router config under the IP and/or DHCP options to set the DNS) but their instructions make it much easier. 

2. Install anti-exploit software. Malware-bytes Anti-exploit Free edition protects all the major browsers and doesn't rely on def updates. Stops APT's in their tracks. Su[per tiny light-weight. You'll never know it's even running (https://www. malwarebytes. org/antiexploit/). The paid version protects more but stopping the exploits via browser for free is dang good.

3. Install some type of automated patching software that covers OS and 3rd party without any or much interaction at all. Secunia PSI is free and does an amazing job with little or no user interaction. (secunia. com/vulnerability_scanning/personal/) 

4. Use Chrome as much as possible and install the free ADBLOCK extension that stops all (99.9%) of adds (really useful on this particular exploit...plus it makes browsing much faster without all that garbage and annoying ads in vidoes/sidebars etc  (getadblock. com/)

Having a standard antivirus product is a given, although it probably protects you 20% if you are lucky. If you have AV, try to pick one that has host-based IPS built in as well (Intrusion Prevention System). The 4 above probably cover you 75%. Leaving a tiny window of risk left.  Every friend and family I help (there's many) has yet to been compromised or get infected using the tips above.  Best of all it will cost you 0 dollars to do the 4 things above.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Ninja
2/3/2015 | 4:43:23 PM
Re: Security Measures
Some people have argued that going with ad blocking software is like going without a firewall.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
2/4/2015 | 8:21:54 AM
Re: Security Measures
Thanks, that was very helpful. I am a huge Chrome afficionado and the Ad Blocker is definitely a major benefit. Not only from its security aspect but also its seamless integration into the browser. Another security benefit is it helps to mitigate noise. Through this means you will be more attune to handling an event when notified instead of dismissing it.
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24368
PUBLISHED: 2021-06-20
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This c...
CVE-2021-31664
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-33185
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
CVE-2021-33186
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-31272
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.