Yesterday evening, Adobe published a security bulletin to announce the availability of a security update for its widely used Flash Player web browser plugin. This is an "out of band" update: the term refers to the fact that it was not issued according to Adobe's usual schedule of releasing updates on the second Tuesday of the month.
This update resolves 1 high severity CVE which is currently being exploited by an Advanced Persistent Threat (APT) group known as APT3. A flaw that is exploited before the vendor has patched it is known as a zero-day vulnerability. The purpose of the malware used in this attack is to gain as much access within a corporate network as possible and to install backdoors on the compromised systems (most likely for further intelligence gathering or intellectual property theft).
The attack begins with the intended victims receiving phishing emails (interestingly, these emails are more widespread in nature rather than targeted/customised spear phishing messages). The intended victims are based in large companies that work in varying industries, e.g. transport, construction and aerospace (among others). Upon clicking the link within the message, the victim is redirected to a malicious website where their device is profiled (in order to determine which exploit/attack to use to compromise it). A malicious Adobe Flash Player SWF (Small Web Format, formerly Shockwave Flash) file and an FLV (Flash Video) file are downloaded and are then used to deliver malware to the victim's device (by exploiting the flaw Adobe has just patched). FireEye provides full technical details in this blog post, including:
- How it bypasses operating system defences
- How the malware unpacks/de-obfuscates itself
- How it exploits a vulnerable version of Flash Player
Other points of interest for this exploit are that its payload is XOR (exclusive OR) encoded and packed using RC4 encryption. Since no custom encryption scheme was used, this may imply that the exploit was developed quickly, or that the attackers were already confident of success/stealth and therefore deemed a more complex encryption scheme to disguise the malware unnecessary.
Flash Player updates for Linux, Apple Mac OS X and Windows are available from this link (which can be used if you don’t have automatic updating enabled or simply wish to install the update as soon as possible). Users of Google Chrome and Internet Explorer 10 and 11 (installed on Windows 8.0 and 8.1) should receive updates very soon. Google may issue a component update simply to update Flash Player since it has just updated Chrome for security reasons earlier this week. Microsoft has announced the availability of their Flash update by updating this security advisory.
Update: 29th June 2015: According to the well-known malware researcher Kafeine, the Magnitude Exploit kit is now exploiting the flaw that Adobe patched just 4 days ago to install Cryptowall ransomware on the Windows devices that it compromises.
I would recommend that everyone who uses Adobe Flash Player apply the appropriate updates as soon as possible in order to prevent this exploit from affecting their devices.