Adobe Flash Player Zero Day Exploit



This is a security alert for all TruShield clients and the community at large. TruShield has learned of an Adobe Flash Player zero-day exploit that has been used by a well-known exploit kit.

Overview

Within the last week, Adobe released an advisory for a Flash zero-day exploit known as CVE-2016-1019. Because Flash Player is cross-platform, this vulnerability is present on multiple major operating systems including Windows, Linux, Mac OS, and even Chrome OS, which leaves a large population of systems open to exploitation. Even more alarming, this zero-day has already been spotted in attacks coupled with the Magnitude Exploit Kit. The Magnitude EK has largely been tied to ransomware infections, with strains such as Locky and Cerber. Researchers at Malwarebytes have pointed to several recent malvertising campaigns that employed this exploit kit. This also comes on the heels of a timely joint ransomware advisory released by the U.S. and Canada.

Operation

As explained by Trend Micro, the exploit primarily involves a type confusion in a section of code responsible for type checking. In terms of the affected versions of Flash Player, the exploit targets versions earlier than 21.0.0.182. It is worth noting that from that version onward, Adobe used a heap-related mitigation technique. The result is that when the exploit is run against these newer versions, the only adverse effect is that the program crashes. On the earlier versions, however, this exploit appears to allow arbitrary memory read/write, which for the purposes of an attacker means the ability to execute malicious code and thwart security controls, like non-administrative privileges.

Compounding Compromise

While zero-day vulnerabilities can be the lurking wildcards in an otherwise secure environment, there are several takeaways from the case at hand. One is the importance of patching software, especially hot targets like Adobe products. An unpatched instance can easily represent a single point of failure even when additional controls are in place. Another important item to note is that this zero-day was utilized by exploit kits tied to ransomware that has run rampant in 2016. This combining of tactics will be an important trend to monitor moving forward, since ransomware has quickly become a popular source of revenue for cybercriminals.

Indicators of Compromise

SHA-1 hash

  • C4b156b60f8e9e931a638923711c884f9a5951dd

SHA-256 hashes

  • 0a664526d00493d711ee93662a693eb724ffece3cd68c85df75e1b6757febde5
  • 7f31af42154cfc3609ca8e7b185a43c9a1d9704e6faf56b2928e32d5190592f0
  • 32557944d18cc3b3d80de1597b74dc505297751d9440e4a9d8064cf329dd7141
  • f7c5a855dd17ac50c8de364117a96ab711daa5c723d471c19a92bf5b9e5bd2ae

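As an added defender-side example (this is not code from TruShield or from any of the vendors cited in this alert), the following Python script covers the two checks this alert implies: whether a reported Flash Player version string falls below the 21.0.0.182 build named in the Operation section, and whether a file's SHA-1/SHA-256 digest matches the indicators listed above. The version strings and file paths in the usage section are placeholders; how you collect the installed Flash version from each endpoint is left to your inventory tooling.

```python
import hashlib
from pathlib import Path

# Build named in the alert: earlier builds are exploitable; this build and
# later carry Adobe's heap mitigation, so the exploit only crashes there.
PATCHED_VERSION = "21.0.0.182"

# Indicators from the alert, normalised to lowercase hex for comparison.
IOC_SHA1 = {"c4b156b60f8e9e931a638923711c884f9a5951dd"}
IOC_SHA256 = {
    "0a664526d00493d711ee93662a693eb724ffece3cd68c85df75e1b6757febde5",
    "7f31af42154cfc3609ca8e7b185a43c9a1d9704e6faf56b2928e32d5190592f0",
    "32557944d18cc3b3d80de1597b74dc505297751d9440e4a9d8064cf329dd7141",
    "f7c5a855dd17ac50c8de364117a96ab711daa5c723d471c19a92bf5b9e5bd2ae",
}


def parse_version(version):
    """Convert 'a.b.c.d' to a 4-tuple of ints so comparison is numeric,
    not lexical ('21.0.0.9' must sort below '21.0.0.182'). Short strings
    are padded with zeros."""
    fields = [int(p) for p in version.strip().split(".") if p]
    fields += [0] * (4 - len(fields))
    return tuple(fields[:4])


def is_vulnerable_flash_version(version):
    """True when the reported build is earlier than 21.0.0.182."""
    return parse_version(version) < parse_version(PATCHED_VERSION)


def match_digests(sha1_hex, sha256_hex):
    """Return the indicator families that match, e.g. ['sha1'], or []."""
    hits = []
    if sha1_hex.lower() in IOC_SHA1:
        hits.append("sha1")
    if sha256_hex.lower() in IOC_SHA256:
        hits.append("sha256")
    return hits


def digest_file(path, chunk_size=1 << 20):
    """Stream a file through both hash functions in a single pass."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return sha1.hexdigest(), sha256.hexdigest()


def match_iocs_in_bytes(data):
    """Convenience wrapper for in-memory content (e.g. a mail attachment)."""
    return match_digests(hashlib.sha1(data).hexdigest(),
                         hashlib.sha256(data).hexdigest())


def scan_directory(root):
    """Hash every regular file under root; return {path: matched families}."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            hits = match_digests(*digest_file(path))
        except OSError:
            continue  # unreadable file: skip it rather than abort the sweep
        if hits:
            findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    # Placeholder inputs; replace with inventory data and real download paths.
    for ver in ("20.0.0.306", "21.0.0.182", "21.0.0.197"):
        state = "vulnerable" if is_vulnerable_flash_version(ver) else "mitigated"
        print(ver, state)
    for path, hits in scan_directory("/path/to/downloads").items():
        print("IOC match:", path, hits)
```

A hash match is a strong positive signal but a miss proves nothing: recompiled or repacked samples change both digests, so treat this as one input alongside the other mitigations listed below rather than as a standalone verdict.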

Mitigation and Prevention (for the vulnerability and its payloads)

  • Keep systems patched with the latest updates.
  • Consider disabling or removing Flash Player.
  • Use updated antimalware and antivirus products.
  • Keep regular backups both on and off-site.
  • Do not open unknown files; compare file hashes against known IoCs.
  • Use application control software with a base deny policy on executables.
  • Use GPO settings to disable all macros in Office applications.
  • Use administrative or elevated privileges carefully.
  • Isolate infected systems from the network and storage devices.
  • Monitor systems for registry or file changes.
  • Continuously monitor network traffic for C&C communication.

References

  • http://www.symantec.com/connect/blogs/new-flash-zero-day-exploited-attackers-wild
  • http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2016-1019-zero-day-integrated-in-exploit-kit/
  • http://blog.trendmicro.com/trendlabs-security-intelligence/look-adobe-flash-player-cve-2016-1019-zero-day-vulnerability/
  • https://blog.malwarebytes.org/threat-analysis/exploits-threat-analysis/2016/04/botched-flash-0day-gets-patched/
  • https://blog.malwarebytes.org/threat-analysis/2016/03/cerber-ransomware-new-but-mature/
  • https://www.proofpoint.com/us/threat-insight/post/killing-zero-day-in-the-egg


Copyright © 2017