Adobe Flash Player Zero-Day Exploited in Attack Campaign

Adobe Systems released an emergency update today to address a security vulnerability in Adobe Flash Player that is being exploited in the wild in a targeted phishing campaign.

The bug, CVE-2015-3113, is a heap buffer overflow. It was discovered by researchers at FireEye, who have linked it to attacks by the APT3 group, which has targeted a number of industries, including the telecommunications, transportation, and aerospace and defense sectors.

“Adobe is aware of reports that CVE-2015-3113 is being actively exploited in the wild via limited, targeted attacks,” Adobe stated in its advisory. “Systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets.”

According to FireEye, the attackers’ emails contained links to compromised web servers that served either benign content or a malicious Adobe Flash Player file exploiting the bug.

“Upon clicking the URLs provided in the phishing emails, targets were redirected to a compromised server hosting JavaScript profiling scripts,” FireEye researchers blogged. “Once a target host was profiled, victims downloaded a malicious Adobe Flash Player SWF file and an FLV file, detailed below. This ultimately resulted in a custom backdoor known as SHOTPUT, detected by FireEye as Backdoor.APT.CookieCutter, being delivered to the victim’s system.”

“The attack exploits an unpatched vulnerability in the way Adobe Flash Player parses Flash Video (FLV) files,” the researchers explained. “The exploit uses common vector corruption techniques to bypass Address Space Layout Randomization (ASLR), and uses Return-Oriented Programming (ROP) to bypass Data Execution Prevention (DEP). A neat trick to their ROP technique makes it simpler to exploit and will evade some ROP detection techniques. Shellcode is stored in the packed Adobe Flash Player exploit file alongside a key used for its decryption. The payload is xor encoded and hidden inside an image.”
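The "vector corruption" FireEye refers to is a generic Flash exploitation pattern: a heap overflow overwrites the length field of an adjacent Vector-style object, after which the object's own bounds check accepts any index and the attacker reads (or writes) well past the real allocation, which is how the memory addresses needed to defeat ASLR are leaked. The following C program is an added, hypothetical simulation of that pattern, not Flash's allocator and not the actual CVE-2015-3113 bug: a 32-byte buffer receiving the body of an FLV-style tag (3-byte big-endian DataSize, then body) sits directly in front of a fake Vector whose first field is its length, all inside one struct so the simulated overflow never leaves memory the program owns. It runs the same malicious tag through an unchecked parser and a fixed one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical simulation (not Flash's real allocator or the real CVE-2015-3113
 * bug): a fixed-size buffer for an FLV-style tag body sits directly in front of
 * a Vector-like object whose first field is its length. */
#define TAG_BUF_SIZE 32
#define VEC_CAPACITY 4

struct vec {
    uint32_t length;                 /* every element read is checked against this */
    uint32_t data[VEC_CAPACITY];
};

struct sim_heap {
    uint8_t tag_buf[TAG_BUF_SIZE];   /* destination of the tag body copy */
    struct vec v;                    /* adjacent object: first field is the length */
    uint32_t neighbour;              /* stands in for a pointer in the next object */
};

static void heap_init(struct sim_heap *h) {
    memset(h, 0, sizeof *h);
    h->v.length = VEC_CAPACITY;
    for (uint32_t i = 0; i < VEC_CAPACITY; i++) h->v.data[i] = 0x11111111u * (i + 1);
    h->neighbour = 0x41424344u;      /* the value an attacker wants to leak */
}

/* FLV tags carry a 3-byte big-endian DataSize before the body. */
static uint32_t tag_data_size(const uint8_t *tag) {
    return ((uint32_t)tag[0] << 16) | ((uint32_t)tag[1] << 8) | tag[2];
}

/* Bug: DataSize is checked against the input length but never against the
 * 32-byte destination, so a 36-byte body overwrites v.length. */
static bool parse_tag_vulnerable(struct sim_heap *h, const uint8_t *tag, size_t tag_len) {
    if (tag_len < 3) return false;
    uint32_t n = tag_data_size(tag);
    if (3 + (size_t)n > tag_len) return false;
    memcpy((uint8_t *)h + offsetof(struct sim_heap, tag_buf), tag + 3, n);
    return true;
}

/* Fix: the destination bound is checked before the copy. */
static bool parse_tag_fixed(struct sim_heap *h, const uint8_t *tag, size_t tag_len) {
    if (tag_len < 3) return false;
    uint32_t n = tag_data_size(tag);
    if (3 + (size_t)n > tag_len || n > TAG_BUF_SIZE) return false;
    memcpy(h->tag_buf, tag + 3, n);
    return true;
}

/* Element read with the usual length check. Once v.length is 0xFFFFFFFF the
 * check passes for any index and the read walks off the end of data[]. */
static bool vec_read(const struct sim_heap *h, uint32_t index, uint32_t *out) {
    if (index >= h->v.length) return false;
    size_t off = offsetof(struct sim_heap, v) + offsetof(struct vec, data) + (size_t)index * 4;
    if (off + 4 > sizeof *h) return false;   /* simulation guard: stay inside our fake heap */
    memcpy(out, (const uint8_t *)h + off, 4);
    return true;
}

/* Constructed malicious tag: DataSize = 36, body = 32 filler bytes + 0xFFFFFFFF. */
static size_t build_overflow_tag(uint8_t *out, size_t cap) {
    const uint32_t body = TAG_BUF_SIZE + 4;
    if (cap < 3 + body) return 0;
    out[0] = (uint8_t)(body >> 16); out[1] = (uint8_t)(body >> 8); out[2] = (uint8_t)body;
    memset(out + 3, 0x41, TAG_BUF_SIZE);
    memset(out + 3 + TAG_BUF_SIZE, 0xFF, 4);
    return 3 + body;
}

static void run_attack(struct sim_heap *h, bool use_fixed_parser) {
    uint8_t tag[3 + TAG_BUF_SIZE + 4];
    heap_init(h);
    size_t n = build_overflow_tag(tag, sizeof tag);
    if (use_fixed_parser) parse_tag_fixed(h, tag, n); else parse_tag_vulnerable(h, tag, n);
}

/* Vector length after the malicious tag has been parsed. */
uint32_t length_after_parse(bool use_fixed_parser) {
    struct sim_heap h;
    run_attack(&h, use_fixed_parser);
    return h.v.length;
}

/* Value read one element past data[] (the neighbour), or 0 if the read was refused. */
uint32_t leak_past_vector(bool use_fixed_parser) {
    struct sim_heap h;
    uint32_t leaked = 0;
    run_attack(&h, use_fixed_parser);
    if (!vec_read(&h, VEC_CAPACITY, &leaked)) return 0;
    return leaked;
}

int main(void) {
    printf("vulnerable parser: length=0x%08x leaked=0x%08x\n",
           length_after_parse(false), leak_past_vector(false));
    printf("fixed parser:      length=0x%08x leaked=0x%08x\n",
           length_after_parse(true), leak_past_vector(true));
    return 0;
}
```

With the vulnerable parser the length becomes 0xFFFFFFFF and the read at index 4 returns the neighbour's value; with the fixed parser the copy is refused, the length stays 4 and the out-of-bounds read is rejected. In a real exploit the leaked "neighbour" would be a pointer into a loaded module, which is all an attacker needs to compute ROP gadget addresses under ASLR.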

APT3 has been linked to the use of browser-based zero-days in the past, and will typically dump credentials and move laterally across a compromised network to hit additional victims, the FireEye researchers added.
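FireEye notes above that the final payload was XOR-encoded and hidden inside an image. An analyst who does not have the key from the SWF can still find such a payload, because a single-byte XOR key is fixed by the first byte of the hidden file: if the carrier byte at some offset must decode to 'M', the key is that byte XOR 'M', and the rest of the "MZ" header and the DOS stub string at offset 0x4E either confirm the guess or rule it out. The C program below is an added example, not FireEye's tooling or anything from the actual SHOTPUT sample: it builds a constructed carrier (a few JPEG-looking header bytes followed by a fake PE stub XORed with key 0x5A), scans it with that heuristic, decodes the hit in place and returns the recovered key and offset.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Markers a decoded Windows executable exposes: the "MZ" DOS magic at the
 * start and, in the common layout, the DOS stub string at offset 0x4E. */
static const uint8_t MZ[2] = { 'M', 'Z' };
static const char DOS_STUB[] = "This program cannot be run in DOS mode.";
#define DOS_STUB_OFF 0x4E

/* Single-byte XOR in place; XOR is its own inverse, so this both encodes and decodes. */
void xor_bytes(uint8_t *buf, size_t len, uint8_t key) {
    for (size_t i = 0; i < len; i++) buf[i] ^= key;
}

/* Scan a carrier for a region that, under some single-byte key, decodes to an
 * MZ header followed by the DOS stub string. Key 0 is skipped (an unencoded PE
 * is something an ordinary scanner already finds). Sets *off/*key on the first hit. */
bool find_xor_pe(const uint8_t *buf, size_t len, size_t *off, uint8_t *key) {
    const size_t need = DOS_STUB_OFF + sizeof(DOS_STUB) - 1;
    if (len < need) return false;
    for (size_t i = 0; i + need <= len; i++) {
        uint8_t k = buf[i] ^ MZ[0];           /* the key is fixed by the first byte */
        if (k == 0) continue;
        if ((buf[i + 1] ^ k) != MZ[1]) continue;
        bool hit = true;                       /* confirm with the DOS stub string */
        for (size_t j = 0; j < sizeof(DOS_STUB) - 1 && hit; j++)
            hit = ((buf[i + DOS_STUB_OFF + j] ^ k) == (uint8_t)DOS_STUB[j]);
        if (hit) { *off = i; *key = k; return true; }
    }
    return false;
}

/* Constructed carrier (not a real image or a real sample): JPEG SOI + APP0
 * marker bytes, then a 128-byte fake PE stub XORed with SAMPLE_KEY. */
#define SAMPLE_KEY 0x5A
#define FAKE_PE_LEN 128
static const uint8_t JPEG_PREFIX[] = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00 };

size_t build_sample(uint8_t *out, size_t cap) {
    uint8_t pe[FAKE_PE_LEN];
    if (cap < sizeof JPEG_PREFIX + sizeof pe) return 0;
    memset(pe, 0, sizeof pe);
    memcpy(pe, MZ, 2);
    memcpy(pe + DOS_STUB_OFF, DOS_STUB, sizeof(DOS_STUB) - 1);
    xor_bytes(pe, sizeof pe, SAMPLE_KEY);
    memcpy(out, JPEG_PREFIX, sizeof JPEG_PREFIX);
    memcpy(out + sizeof JPEG_PREFIX, pe, sizeof pe);
    return sizeof JPEG_PREFIX + sizeof pe;
}

/* End to end: build the sample, locate the hidden executable, decode it in
 * place and return the recovered key (0 if nothing was found). */
uint8_t demo_recover(size_t *offset_out) {
    uint8_t carrier[256];
    size_t off = 0;
    uint8_t key = 0;
    size_t len = build_sample(carrier, sizeof carrier);
    if (len == 0 || !find_xor_pe(carrier, len, &off, &key)) return 0;
    xor_bytes(carrier + off, len - off, key);
    if (memcmp(carrier + off, MZ, 2) != 0) return 0;
    if (offset_out) *offset_out = off;
    return key;
}

int main(void) {
    size_t off = 0;
    uint8_t key = demo_recover(&off);
    if (key) printf("XOR-encoded executable at offset %zu, key 0x%02x\n", off, key);
    else printf("no hidden executable found\n");
    return 0;
}
```

The scan is linear in the carrier size because the candidate key is derived rather than brute-forced, and the DOS stub check keeps an accidental "MZ" under some key from counting as a hit. Multi-byte or rolling keys defeat this particular heuristic, so treat a miss as "not single-byte XOR", not as "no payload".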

“Now that the exploit has been discovered, most security and operations teams are scrambling to do one of two things – race to deploy the newest patch before hackers can leverage the exploit for an attack,” said Clinton Karr, senior security strategist at Bromium. “Or test the patch to make sure it integrates with legacy systems. This latest zero-day and others before it could have been isolated in the first place. Only by isolating the threat are security and ops teams granted the grace period needed to test and deploy these critical patches.”

“The vulnerability lies in the video decoding part of Flash and the exploit shows some signs of sophistication by introducing new techniques in their use of ROP,” blogged Qualys CTO Wolfgang Kandek. “Patch as quickly as possible. 0-days once discovered this way tend to spread quickly to other cyber criminal groups. Adobe mentions that all known targets seem to use Windows 7 and Internet Explorer and Firefox on Windows XP, but we don’t recommend holding back on patching even if you are running other configurations (hopefully not XP, though). Users of IE10/11 and Google Chrome will get their patches through their browsers directly, everybody else will need to download directly from Adobe.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
