Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Exploit Kits Target Recent Flash, Internet Explorer Zero-Days

Exploit kits (EKs) might not be as dominant as they were several years ago, but they continue to exist and most of them already adopted exploits for recently discovered Flash and Internet Explorer zero-day vulnerabilities.

Exploit kits (EKs) might not be as dominant as they were several years ago, but they continue to exist and most of them already adopted exploits for recently discovered Flash and Internet Explorer zero-day vulnerabilities.

The first of the flaws is CVE-2018-4878, a security bug in Adobe’s Flash Player discovered in late January, when it was exploited by a North Korean hacker group in attacks aimed at individuals in South Korea. Adobe released a patch within a week after the bug became public, but it continued to be targeted in numerous other attacks.

The second is CVE-2018-8174, a critical issue that allows attackers to remotely execute arbitrary code on all supported versions of Windows, and which was addressed with the May 2018 Patch Tuesday updates. The bug is an update to a 2-year-old VBScript vulnerability (CVE-2016-0189) that continues to be abused in attacks.

The recently patched Flash Player zero-day tracked as CVE-2018-5002, which has been exploited in targeted attacks, has yet to be added to EKs.

“Since both Flash and the VBScript engine are pieces of software that can be leveraged for web-based attacks, it was only natural to see their integration into exploit kits,” Malwarebytes points out.

Within days after a proof of concept became publicly available, RIG adopted the exploit for the new VBScript engine flaw, becoming the first EK to do so. The toolkit also added an exploit for said Flash bug, and was observed pushing payloads such as Bunitu, Ursnif, and the SmokeLoader backdoor.

Magnitude continues to focus on South Korea and is now targeting both CVE-2018-4878 and CVE-2018-8174. The toolkit is considered one of the most sophisticated EKs on the market, courtesy of its own Magnigate filtering, a Base64-encoded landing page, and fileless payload.

Another active EK is GreenFlash Sundown. Rather elusive in nature, it “continues to strike via compromised OpenX ad servers” and now targets CVE-2018-4878 too. Usually delivering the Hermes ransomware, it was recently observed serving a cryptocurrency miner.

Advertisement. Scroll to continue reading.

The GrandSoft EK, which only targets Internet Explorer and also appears in smaller distribution campaigns, is still relying on the older CVE-2016 -0189 Internet Explorer exploit. Lacking the obfuscation EK landing pages usually feature, the toolkit was observed delivering payloads such as the AZORult stealer.

“There is no doubt that the recent influx of zero-days has given exploit kits a much-needed boost. We did notice an increase in RIG EK campaigns, which probably resulted in higher than usual successful loads for its operators. While attackers are concentrating on Microsoft Office–related exploits, we are observing a cascading effect into exploit kits,” Malwarebytes concludes.

Related: Microsoft Patches Two Windows Zero-Day Vulnerabilities

Related: Watering Hole Attack Exploits North Korea’s Flash Flaw

Related: Adobe Patches Flash Zero-Day Exploited in Targeted Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...