SecurityWeek

Adobe Flash Player Zero-Day Exploited in Attack Campaign

Adobe Systems released an emergency update today to address a security vulnerability in Adobe Flash Player that is being exploited in a large-scale phishing campaign.

The bug, CVE-2015-3113, is a heap buffer overflow issue. It was discovered by researchers at FireEye, who have linked it to attacks by the hacking crew APT3 that have targeted a number of industries, including the telecommunications, transportation, and aerospace and defense sectors.

“Adobe is aware of reports that CVE-2015-3113 is being actively exploited in the wild via limited, targeted attacks,” Adobe stated in its advisory. “Systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets.”

According to FireEye, the attackers’ emails contained links to compromised web servers that served either benign content or a malicious Adobe Flash Player file exploiting the bug.

“Upon clicking the URLs provided in the phishing emails, targets were redirected to a compromised server hosting JavaScript profiling scripts,” FireEye researchers blogged. “Once a target host was profiled, victims downloaded a malicious Adobe Flash Player SWF file and an FLV file, detailed below. This ultimately resulted in a custom backdoor known as SHOTPUT, detected by FireEye as Backdoor.APT.CookieCutter, being delivered to the victim’s system.”

“The attack exploits an unpatched vulnerability in the way Adobe Flash Player parses Flash Video (FLV) files,” the researchers explained. “The exploit uses common vector corruption techniques to bypass Address Space Layout Randomization (ASLR), and uses Return-Oriented Programming (ROP) to bypass Data Execution Prevention (DEP). A neat trick to their ROP technique makes it simpler to exploit and will evade some ROP detection techniques. Shellcode is stored in the packed Adobe Flash Player exploit file alongside a key used for its decryption. The payload is xor encoded and hidden inside an image.”
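A triage check in the spirit of the FireEye description above (a payload that is XOR encoded and hidden inside an image), added here as an illustration and not code from FireEye, Adobe or the article: it assumes a single-byte XOR key, which the article does not state, and recovers the key by searching the image bytes for the encoded PE DOS stub string, then validating the MZ/PE headers.

```python
"""Triage helper: locate a single-byte-XOR-encoded PE file hidden inside an image blob."""
import struct

# String present in the DOS stub of almost every PE file; used as a known-plaintext probe.
DOS_STUB = b"This program cannot be run in DOS mode"

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def find_xor_pe(blob: bytes):
    """Return (key, offset) of the first single-byte-XOR-encoded PE found, or None.

    Assumption (not from the article): the payload was encoded with one key byte,
    so trying all 256 keys against the DOS stub string is enough to locate it.
    """
    for key in range(256):
        hit = blob.find(xor_bytes(DOS_STUB, key))
        if hit == -1:
            continue
        # The stub string normally sits a few dozen bytes after the "MZ" signature
        # (0x4E in typical PEs); scan backwards a little to find the header start.
        start = blob.rfind(xor_bytes(b"MZ", key), max(0, hit - 0x100), hit)
        if start == -1:
            continue
        dos_header = xor_bytes(blob[start:start + 0x40], key)
        if len(dos_header) < 0x40:
            continue
        # e_lfanew (offset 0x3C of the DOS header) must point at a "PE\0\0" signature.
        e_lfanew = struct.unpack_from("<I", dos_header, 0x3C)[0]
        pe_sig = xor_bytes(blob[start + e_lfanew:start + e_lfanew + 4], key)
        if pe_sig == b"PE\0\0":
            return key, start
    return None

def build_sample(key: int = 0x5A) -> bytes:
    """Constructed test input: a fake JPEG prefix followed by a minimal XOR'd PE skeleton."""
    dos_header = bytearray(b"MZ" + b"\0" * 0x3E)           # 0x40-byte DOS header
    struct.pack_into("<I", dos_header, 0x3C, 0x80)         # e_lfanew -> PE header at 0x80
    body = bytes(dos_header) + b"\0" * (0x4E - 0x40) + DOS_STUB
    body += b"\0" * (0x80 - len(body)) + b"PE\0\0" + b"\0" * 16
    return b"\xff\xd8\xff\xe0JFIF" + b"\0" * 32 + xor_bytes(body, key)

if __name__ == "__main__":
    print(find_xor_pe(build_sample()))
```

Run it over a suspicious image pulled from a proxy cache or mail gateway; a hit gives the key and offset from which the embedded executable can be carved for further analysis.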

APT3 has been linked to the use of browser-based zero-days in the past, and will typically dump credentials and move laterally across a compromised network to hit additional victims, the FireEye researchers added.

“Now that the exploit has been discovered, most security and operations teams are scrambling to do one of two things – race to deploy the newest patch before hackers can leverage the exploit for an attack,” said Clinton Karr, senior security strategist at Bromium. “Or test the patch to make sure it integrates with legacy systems. This latest zero-day and others before it could have been isolated in the first place. Only by isolating the threat are security and ops teams granted the grace period needed to test and deploy these critical patches.”

“The vulnerability lies in the video decoding part of Flash and the exploit shows some signs of sophistication by introducing new techniques in their use of ROP,” blogged Qualys CTO Wolfgang Kandek. “Patch as quickly as possible. 0-days once discovered this way tend to spread quickly to other cyber criminal groups. Adobe mentions that all known targets seem to use Windows 7 and Internet Explorer and Firefox on Windows XP, but we don’t recommend holding back on patching even if you are running other configurations (hopefully not XP, though). Users of IE10/11 and Google Chrome will get their patches through their browsers directly, everybody else will need to download directly from Adobe.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
