This is a security alert for all TruShield clients and the community at large. TruShield has learned of an Adobe Flash Player zero-day exploit that has been used by a well-known exploit kit.
Within the last week, Adobe released an advisory for a Flash zero-day exploit known as CVE-2016-1019. Due in large part to the nature of Flash Player, this vulnerability is present on multiple major Operating Systems including Windows, Linux, Mac OS, and even Chrome OS. This presents a large scope of systems with the possibility of exploitation. Even more alarming, this zero-day has already been spotted in attacks coupled with the Magnitude Exploit Kit. The Magnitude EK has largely been tied to ransomware infections, with strains such as Locky and Cerber. Researchers at Malwarebytes have pointed to several recent malvertising campaigns that employed this exploit kit. This also comes on the heels of a timely joint ransomware advisory released by the U.S. and Canada.
As explained by Trend Micro, the exploit primarily involves type confusion by a section of code responsible for type checking. In terms of the affected versions of Flash Player, the exploit is meant for versions earlier than 18.104.22.168. It is worth noting that from the mentioned version onward, Adobe used a heap related mitigation technique. The result is that when the exploit is run against these newer versions, the only adverse effect is the program will crash. On the earlier versions however, this exploit appears to allow arbitrary memory read/write, which for the purposes of an attacker, means the ability to execute malicious code and thwart security controls, like non-administrative privileges.
While zero day vulnerabilities can be the lurking wildcards in an otherwise secure environment, there are several takeaways from the case at hand. One is the importance of patching software, especially hot targets like Adobe products. An unpatched instance can easily represent a single point of failure even when additional controls are in place. Another important item to note is that this zero-day was utilized by exploit kits tied to ransomware that has run rampant in 2016. This combining of tactics will be an important trend to monitor moving forward since ransomware has quickly become a popular source of revenue for cybercriminals.
Indicators of Compromise
|SHA 1 Hash|
|SHA 256 Hashes|
Mitigation and Prevention (for vulnerability and payloads)
- Keep systems patched with the latest updates.
- Consider disabling or removing Flash Player.
- Use updated antimalware and antivirus products.
- Keep regular backups both on and off-site.
- Do not open unknown files and compare with known IOCs.
- Use application control software with a base deny policy on executables.
- Use GPO settings to disable all macros in office applications.
- Use administrative or elevated privileges carefully.
- Isolate infected systems from the network and storage devices.
- Monitor systems for registry or file changes.
- Continuously monitor network traffic for C&C communication.