Flash Vulnerability Fixed, then Exploited

Monday, June 1, 2015 @ 10:06 AM gHale

Attackers quickly found a way to exploit a vulnerability in Flash Player that Adobe had fixed earlier in May.

Adobe patched the flaw on May 12; by last week, working exploit code for it had been added to the Angler exploit kit and was in the hands of attackers.


The flaw used by the attackers is CVE-2015-3090, a memory corruption bug that allows code execution on the affected machine. Security researchers at FireEye said the issue involves a race condition in the shader class.

Systems running unpatched versions of Flash receive the final payload via drive-by attacks, which need no interaction from the user beyond visiting a website that contains code redirecting the browser to a machine hosting the exploit kit.

The malicious code ends up planted on a website either via a direct hack or through an advertisement delivered by an ad network.

FireEye researchers found a malvertising operation leveraging CVE-2015-3090 to deliver the Bedep Trojan, a piece of malware used for click-fraud activities.

Once on the system, Bedep does more than commit click fraud: it also starts a further infection cycle that ends with additional malware being funneled onto the machine. The Trojan makes a large number of requests to rogue ad networks, which redirect to malicious hosts that in turn forward the connection to a server running an exploit kit.

“Requests to the rogue ad networks will have a specific Bedep referrer. From there, a wild maze of redirection takes place, bouncing the browser from domain to domain until the final destination is reached,” the researchers said in a blog post.

In the case of Angler, one of the redirects came from a fake news website with the string “news4news” in the domain name.

Researchers identified more than 220 IP addresses used for redirections by sub-domains with the “click2” prefix.

FireEye said the trail of redirections and malicious referrers all leads to the 199.212.255 network, and that the operation is still active. Users should update their Flash Player browser plugin.
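The redirection chain described above (Bedep, rogue ad network, "click2" redirectors, a "news4news" fake news site, hosts in the 199.212.255 network) can be hunted for in web proxy logs. The following is an added example written for this page, not code from FireEye or from the original article. It assumes a simple whitespace-separated proxy log format (timestamp, client IP, destination IP, URL, Referer), treats "the 199.212.255 network" as a /24 (an assumption; the article does not give a mask), and uses a constructed log with placeholder .test domains. It flags requests that match the published indicators and walks the Referer links backwards to reconstruct the path each client took to reach the suspect host.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators reported by FireEye, as summarised in the article.
# Assumption: the "199.212.255 network" is a /24.
SUSPECT_NET = ipaddress.ip_network("199.212.255.0/24")
SUSPECT_LABEL = "click2"       # sub-domain prefix used by the redirectors
SUSPECT_SUBSTR = "news4news"   # string seen in the fake news domain

# Constructed sample log for this example (not real traffic).
# Format: timestamp client_ip dest_ip url referer ("-" if none)
SAMPLE_LOG = """\
2015-05-28T10:01:03Z 10.0.0.5 203.0.113.10 http://www.example-news.test/index.html -
2015-05-28T10:01:04Z 10.0.0.5 203.0.113.20 http://ads.adnet.test/serve?id=77 http://www.example-news.test/index.html
2015-05-28T10:01:05Z 10.0.0.5 199.212.255.44 http://click2.redirector.test/go http://ads.adnet.test/serve?id=77
2015-05-28T10:01:06Z 10.0.0.5 199.212.255.91 http://news4news-daily.test/news.php http://click2.redirector.test/go
2015-05-28T10:01:07Z 10.0.0.5 199.212.255.120 http://lp.landing.test/flash.swf http://news4news-daily.test/news.php
2015-05-28T10:05:00Z 10.0.0.9 203.0.113.30 http://intranet.corp.test/ -
"""


def parse_line(line):
    """Parse one proxy log line into a dict (assumed 5-field format)."""
    ts, client, dest_ip, url, referer = line.split()
    return {
        "ts": ts,
        "client": client,
        "dest_ip": ipaddress.ip_address(dest_ip),
        "url": url,
        "host": urlsplit(url).hostname or "",
        "referer": None if referer == "-" else referer,
    }


def indicators(rec):
    """Return the names of the published indicators this request matches."""
    hits = []
    if rec["dest_ip"] in SUSPECT_NET:
        hits.append("net:199.212.255.0/24")
    labels = rec["host"].split(".")
    if labels and labels[0].startswith(SUSPECT_LABEL):
        hits.append("subdomain:click2*")
    if SUSPECT_SUBSTR in rec["host"]:
        hits.append("domain:*news4news*")
    return hits


def redirect_chain(rec, index):
    """Walk Referer links backwards (same client) to rebuild the path to rec.

    Stops at the first request with no Referer, at a Referer that never
    appears in the log (kept as the chain's origin), or on a loop.
    """
    chain = [rec["url"]]
    seen = {rec["url"]}
    cur = rec
    while cur["referer"] and cur["referer"] not in seen:
        prev = index.get((cur["client"], cur["referer"]))
        if prev is None:
            chain.append(cur["referer"])  # referer not present in the log
            break
        chain.append(prev["url"])
        seen.add(prev["url"])
        cur = prev
    chain.reverse()
    return chain


def scan(log_text):
    """Return one alert per request matching an indicator, with its chain."""
    recs = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    # Index requests by (client, url) so Referer values resolve to records.
    index = {(r["client"], r["url"]): r for r in recs}
    alerts = []
    for r in recs:
        hits = indicators(r)
        if hits:
            alerts.append({
                "client": r["client"],
                "url": r["url"],
                "indicators": hits,
                "chain": redirect_chain(r, index),
            })
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a["client"], a["url"], a["indicators"])
        print("  chain:", " -> ".join(a["chain"]))
```

On the constructed log this raises three alerts, all for client 10.0.0.5, and the chain for the final landing request runs from the legitimate news site through the ad network, the click2 redirector and the news4news site, which is the pattern the article describes. The IP range is the most durable indicator here; the domain strings are only as good as the campaign's current infrastructure, so treat them as hunting pivots rather than blocklist entries.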