SecurityWeek

Cybercrime

Exploit Kits Target Recent Flash, Internet Explorer Zero-Days

Exploit kits (EKs) might not be as dominant as they were several years ago, but they continue to exist and most of them already adopted exploits for recently discovered Flash and Internet Explorer zero-day vulnerabilities.


The first of the flaws is CVE-2018-4878, a security bug in Adobe’s Flash Player discovered in late January, when it was exploited by a North Korean hacker group in attacks aimed at individuals in South Korea. Adobe released a patch within a week after the bug became public, but it continued to be targeted in numerous other attacks.

The second is CVE-2018-8174, a critical issue that allows attackers to remotely execute arbitrary code on all supported versions of Windows, and which was addressed with the May 2018 Patch Tuesday updates. The bug is a new variant of a 2-year-old VBScript engine vulnerability (CVE-2016-0189) that continues to be abused in attacks.

The recently patched Flash Player zero-day tracked as CVE-2018-5002, which has been exploited in targeted attacks, has yet to be added to EKs.

“Since both Flash and the VBScript engine are pieces of software that can be leveraged for web-based attacks, it was only natural to see their integration into exploit kits,” Malwarebytes points out.

Within days after a proof of concept became publicly available, RIG adopted the exploit for the new VBScript engine flaw, becoming the first EK to do so. The toolkit also added an exploit for said Flash bug, and was observed pushing payloads such as Bunitu, Ursnif, and the SmokeLoader backdoor.

Magnitude continues to focus on South Korea and is now targeting both CVE-2018-4878 and CVE-2018-8174. The toolkit is considered one of the most sophisticated EKs on the market, courtesy of its own Magnigate traffic filtering, a Base64-encoded landing page, and a fileless payload.

Another active EK is GreenFlash Sundown. Rather elusive in nature, it “continues to strike via compromised OpenX ad servers” and now targets CVE-2018-4878 too. Usually delivering the Hermes ransomware, it was recently observed serving a cryptocurrency miner.


The GrandSoft EK, which only targets Internet Explorer and appears in smaller distribution campaigns, is still relying on the older CVE-2016-0189 Internet Explorer exploit. Lacking the obfuscation that EK landing pages usually feature, the toolkit was observed delivering payloads such as the AZORult stealer.

“There is no doubt that the recent influx of zero-days has given exploit kits a much-needed boost. We did notice an increase in RIG EK campaigns, which probably resulted in higher than usual successful loads for its operators. While attackers are concentrating on Microsoft Office–related exploits, we are observing a cascading effect into exploit kits,” Malwarebytes concludes.

Related: Microsoft Patches Two Windows Zero-Day Vulnerabilities

Related: Watering Hole Attack Exploits North Korea’s Flash Flaw

Related: Adobe Patches Flash Zero-Day Exploited in Targeted Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
