Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Flash Player Flaw Used by APT3 Group Added to Magnitude Exploit Kit

An exploit for a Flash Player vulnerability patched by Adobe last week with the release of version 18.0.0.194 has been integrated into the Magnitude exploit kit.

An exploit for a Flash Player vulnerability patched by Adobe last week with the release of version 18.0.0.194 has been integrated into the Magnitude exploit kit.

The existence of the heap buffer overflow vulnerability (CVE-2015-3113) that can be exploited for arbitrary code execution was brought to light by FireEye. The security firm discovered that the flaw has been leveraged by the China-based attack group known as APT3 (UPS) in a large-scale phishing campaign aimed at organizations in the aerospace and defense, construction and engineering, telecommunications, high-tech, and transportation industries.

The security hole, which according to Trend Micro is similar to a previously discovered bug (CVE-2015-3043), exists due to the way Adobe Flash Player parses Flash Video (FLV) files.

Four days after Adobe patched the vulnerability, the French security researcher “Kafeine” noticed that an exploit for the bug had been included in the Magnitude exploit kit. The expert reported on Sunday that cybercriminals have been using the exploit to deliver the Cryptowall ransomware.

Jérôme Segura, senior security researcher at Malwarebytes, believes the exploit for CVE-2015-3113 will be added to other kits “very soon.” However, Kafeine told SecurityWeek that he had not seen the exploit in any other kits as of June 29, 4:00 AM EST.

It’s not uncommon for cybercriminals to start exploiting Flash Player vulnerabilities in their operations shortly after they are patched by Adobe. In late May, an exploit for a Flash Player bug fixed by Adobe on May 11 was added to the Angler exploit kit. A few days later, experts noticed that exploits for the same bug had been added to the Magnitude, Neutrino, and Nuclear Pack kits.

Experts told SecurityWeek that in many cases malicious actors develop these exploits by reverse engineering the patches. In the case of zero-day flaws, the exploit kit teams either have skilled members who develop the exploits themselves, or they have the funds to acquire them from the black market, said malware analyst Yonathan Klijnsma.

The authors of different exploit kits are usually in direct competition so they don’t share exploits. However, it’s not uncommon for them to reverse engineer the exploits created by other teams.

“Once a new exploit has been introduced in one kit, it’s pretty easy for others to copy it,” Timo Hirvonen, senior researcher at F-Secure, told SecurityWeek earlier this month. “Some criminals might be behind several exploit kits, just like Paunch was behind Blackhole and Cool, and they may use the same exploit in all their kits.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.