An exploit for a Flash Player vulnerability patched by Adobe last week with the release of version 18.0.0.194 has been integrated into the Magnitude exploit kit.
The existence of the heap buffer overflow vulnerability (CVE-2015-3113) that can be exploited for arbitrary code execution was brought to light by FireEye. The security firm discovered that the flaw has been leveraged by the China-based attack group known as APT3 (UPS) in a large-scale phishing campaign aimed at organizations in the aerospace and defense, construction and engineering, telecommunications, high-tech, and transportation industries.
The security hole, which according to Trend Micro is similar to a previously discovered bug (CVE-2015-3043), exists due to the way Adobe Flash Player parses Flash Video (FLV) files.
Four days after Adobe patched the vulnerability, the French security researcher “Kafeine” noticed that an exploit for the bug had been included in the Magnitude exploit kit. The expert reported on Sunday that cybercriminals have been using the exploit to deliver the Cryptowall ransomware.
Jérôme Segura, senior security researcher at Malwarebytes, believes the exploit for CVE-2015-3113 will be added to other kits “very soon.” However, Kafeine told SecurityWeek that he had not seen the exploit in any other kits as of June 29, 4:00 AM EST.
It’s not uncommon for cybercriminals to start exploiting Flash Player vulnerabilities in their operations shortly after they are patched by Adobe. In late May, an exploit for a Flash Player bug fixed by Adobe on May 11 was added to the Angler exploit kit. A few days later, experts noticed that exploits for the same bug had been added to the Magnitude, Neutrino, and Nuclear Pack kits.
Experts told SecurityWeek that in many cases malicious actors develop these exploits by reverse engineering the patches. In the case of zero-day flaws, the exploit kit teams either have skilled members who develop the exploits themselves, or they have the funds to acquire them from the black market, said malware analyst Yonathan Klijnsma.
The authors of different exploit kits are usually in direct competition so they don’t share exploits. However, it’s not uncommon for them to reverse engineer the exploits created by other teams.
“Once a new exploit has been introduced in one kit, it’s pretty easy for others to copy it,” Timo Hirvonen, senior researcher at F-Secure, told SecurityWeek earlier this month. “Some criminals might be behind several exploit kits, just like Paunch was behind Blackhole and Cool, and they may use the same exploit in all their kits.”