SecurityWeek
Vulnerabilities

Adobe Flash Player Zero-Day Exploited in Attack Campaign

Adobe Systems released an emergency update today (security bulletin APSB15-14, which takes Flash Player for Windows and Mac to version 18.0.0.194) to address a security vulnerability in Adobe Flash Player that is being exploited in a targeted phishing campaign.

The bug, CVE-2015-3113, is a heap buffer overflow issue. It was discovered by researchers at FireEye, who have linked it to attacks by the hacking crew APT3 that have targeted a number of industries, including the telecommunications, transportation and aerospace and defense sectors.

“Adobe is aware of reports that CVE-2015-3113 is being actively exploited in the wild via limited, targeted attacks,” Adobe stated in its advisory. “Systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets.”

According to FireEye, the attackers’ emails contained links to compromised web servers that served either benign content or a malicious Adobe Flash Player file exploiting the bug.

“Upon clicking the URLs provided in the phishing emails, targets were redirected to a compromised server hosting JavaScript profiling scripts,” FireEye researchers blogged. “Once a target host was profiled, victims downloaded a malicious Adobe Flash Player SWF file and an FLV file, detailed below. This ultimately resulted in a custom backdoor known as SHOTPUT, detected by FireEye as Backdoor.APT.CookieCutter, being delivered to the victim’s system.”

“The attack exploits an unpatched vulnerability in the way Adobe Flash Player parses Flash Video (FLV) files,” the researchers explained. “The exploit uses common vector corruption techniques to bypass Address Space Layout Randomization (ASLR), and uses Return-Oriented Programming (ROP) to bypass Data Execution Prevention (DEP). A neat trick to their ROP technique makes it simpler to exploit and will evade some ROP detection techniques. Shellcode is stored in the packed Adobe Flash Player exploit file alongside a key used for its decryption. The payload is xor encoded and hidden inside an image.”
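The "vector corruption" the FireEye quote refers to is a general heap-overflow pattern rather than anything specific to this sample, and it is worth seeing in the small. The C below is an added illustration, not code from FireEye, Adobe or the exploit: a fixed-size buffer sits directly in front of a length-prefixed array (the shape of a Flash Vector object), and an unchecked copy into the buffer runs over the array's length field. Every later bounds check then consults an attacker-chosen length, so an element read that should fail instead returns whatever lies past the real data, which is how such exploits read an address out of memory and sidestep ASLR. The byte layout, sizes and the fake pointer value are all constructed for the model; a real exploit grooms the heap to get the same adjacency. The hardened copy beside the vulnerable one is the check the parser should have made.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed heap model (not a real allocator layout):
 *   [buffer 16 B][vector length 4 B][vector data 4 x 4 B][8 B "address"]
 * The 8-byte value stands in for a code or object pointer that a real
 * process would hold at an ASLR-randomized address. */
#define BUF_LEN     16u
#define VEC_LEN     4u                          /* honest element count */
#define BUF_OFF     0u
#define LEN_OFF     (BUF_OFF + BUF_LEN)         /* 4-byte length field */
#define DATA_OFF    (LEN_OFF + 4u)              /* VEC_LEN uint32 elements */
#define SECRET_OFF  (DATA_OFF + 4u * VEC_LEN)   /* 8-byte fake address */
#define HEAP_SIZE   (SECRET_OFF + 8u)

static uint8_t heap[HEAP_SIZE];

static uint32_t rd32(size_t off) { uint32_t v; memcpy(&v, heap + off, 4); return v; }
static void     wr32(size_t off, uint32_t v) { memcpy(heap + off, &v, 4); }

/* Reset the model: empty buffer, honest length, recognizable fake address. */
void model_init(void) {
    memset(heap, 0, sizeof heap);
    wr32(LEN_OFF, VEC_LEN);
    for (uint32_t i = 0; i < VEC_LEN; i++) wr32(DATA_OFF + 4u * i, 0x11110000u + i);
    uint64_t fake_addr = 0x00007ffd1234abc0ull;  /* constructed value, not a real address */
    memcpy(heap + SECRET_OFF, &fake_addr, 8);
}

/* Vulnerable: trusts the caller-supplied size. Anything longer than BUF_LEN
 * overwrites the adjacent vector's length field (the heap overflow). */
void vulnerable_copy(const uint8_t *src, size_t n) {
    memcpy(heap + BUF_OFF, src, n);
}

/* Hardened: rejects input longer than the buffer. 0 on success, -1 if refused. */
int safe_copy(const uint8_t *src, size_t n) {
    if (n > BUF_LEN) return -1;
    memcpy(heap + BUF_OFF, src, n);
    return 0;
}

/* Bounds-checked element read, as a Vector getter would do. The check is only
 * as good as the length field it consults. 0 on success, -1 if out of range.
 * The second test keeps the *model array* in bounds; it is not part of the
 * vector's own check. */
int vec_read(uint32_t idx, uint32_t *out) {
    if (idx >= rd32(LEN_OFF)) return -1;
    if (DATA_OFF + 4u * idx + 4u > HEAP_SIZE) return -1;
    *out = rd32(DATA_OFF + 4u * idx);
    return 0;
}

/* The attack against the model: 16 bytes of filler followed by a huge
 * replacement length, then read the two "elements" past the real data,
 * which are the 8-byte secret. Returns the leaked value, or 0 if refused. */
uint64_t leak_via_corrupted_length(void) {
    uint8_t payload[BUF_LEN + 4];
    uint32_t huge = 0x7fffffffu;
    memset(payload, 'A', BUF_LEN);
    memcpy(payload + BUF_LEN, &huge, 4);

    model_init();
    vulnerable_copy(payload, sizeof payload);

    uint32_t lo, hi;
    if (vec_read(VEC_LEN, &lo) != 0 || vec_read(VEC_LEN + 1, &hi) != 0) return 0;
    uint8_t bytes[8];                 /* reassemble without assuming endianness */
    memcpy(bytes, &lo, 4);
    memcpy(bytes + 4, &hi, 4);
    uint64_t leaked;
    memcpy(&leaked, bytes, 8);
    return leaked;
}

/* Same payload against the hardened copy: the copy is refused, the length
 * field is untouched and the out-of-bounds read fails. Returns 1 if so. */
int leak_prevented_by_safe_copy(void) {
    uint8_t payload[BUF_LEN + 4];
    memset(payload, 'A', sizeof payload);
    model_init();
    int rejected = safe_copy(payload, sizeof payload) == -1;
    uint32_t v;
    int refused = vec_read(VEC_LEN, &v) == -1;
    return rejected && refused && rd32(LEN_OFF) == VEC_LEN;
}

int main(void) {
    printf("leaked through corrupted length: 0x%016llx\n",
           (unsigned long long)leak_via_corrupted_length());
    printf("hardened copy prevents the leak: %d\n", leak_prevented_by_safe_copy());
    return 0;
}
```

The point to take from the model is that the getter's bounds check is not wrong in itself; it is defeated because the value it trusts lives in memory the overflow can reach. Fixing the copy (or, in a real runtime, validating vector lengths against a value the heap cannot corrupt) is what closes the primitive, which is why Adobe's patch to the parser, not a change to the Vector class, is the fix that matters here.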

APT3 has been linked to the use of browser-based zero-days in the past, and will typically dump credentials and move laterally across a compromised network to hit additional victims, the FireEye researchers added.

“Now that the exploit has been discovered, most security and operations teams are scrambling to do one of two things – race to deploy the newest patch before hackers can leverage the exploit for an attack,” said Clinton Karr, senior security strategist at Bromium. “Or test the patch to make sure it integrates with legacy systems. This latest zero-day and others before it could have been isolated in the first place. Only by isolating the threat are security and ops teams granted the grace period needed to test and deploy these critical patches.”

“The vulnerability lies in the video decoding part of Flash and the exploit shows some signs of sophistication by introducing new techniques in their use of ROP,” blogged Qualys CTO Wolfgang Kandek. “Patch as quickly as possible. 0-days once discovered this way tend to spread quickly to other cyber criminal groups. Adobe mentions that all known targets seem to use Windows 7 and Internet Explorer and Firefox on Windows XP, but we don’t recommend holding back on patching even if you are running other configurations (hopefully not XP, though). Users of IE10/11 and Google Chrome will get their patches through their browsers directly, everybody else will need to download directly from Adobe.”
