Feedback from the Trend Micro™ Smart Protection Network™ has allowed us to learn that the Angler Exploit Kit and Nuclear Exploit Pack have been updated to include the recent Hacking Team Flash zero-day. In addition, Kafeine said, Neutrino Exploit Kit also has included this zero-day.
The existence of this particular vulnerability was just leaked from Hacking Team; Adobe has confirmed this vulnerability and released an advisory. This advisory also confirms that this flaw has been assigned a CVE number, CVE-2015-5119. Adobe’s bulletin also confirms that all versions of Flash Player in use today are potentially vulnerable.
All Flash Player users are at risk until they can download the patch. It is expected that a patch will be delivered by Adobe sometime on July 8. We noted earlier this month that Flash Player was being targeted more frequently by exploit kits, and that pattern shows no sign of changing soon.
Figure 1. Angler exploit kit HTTP GET header
Figure 2. Nuclear exploit kit HTTP GET header
We have identified one of the payloads being spread in this manner as CryptoWall 3.0, particularly by the Angler exploit kit.
Figure 3. Cryptowall ransom page
Trend Micro is already able to protect users against this threat. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior without any engine or pattern updates. The Browser Exploit Prevention feature in our endpoint products such as Trend Micro™ Security, OfficeScan, and Worry-Free Business Security blocks the exploit once the user accesses the URL it is hosted in. Browser Exploit Prevention detects exploits that target browsers or related plugins.
Vulnerability protection in Trend Micro Deep Security protects user systems from threats that may leverage this vulnerability with the following DPI rule:
- 1006824 – Adobe Flash ActionScript3 ByteArray Use After Free Vulnerability
The SHA1 hashes of the malicious Adobe Flash exploits are:
Update as of July 8, 2015, 7:00 PM PDT (UTC – 7)
Adobe has released a fix for the Flash zero-day vulnerability. Information about this update has been released in APSB15-16. We recommend that users apply this update as soon as possible.
Update as of July 9, 2015, 2:56 AM PDT (UTC – 7)
Upon further investigation of feedback from the Trend Micro™ Smart Protection Network™, we found that the Magnitude Exploit kit now includes CVE-2015-5119 to its exploits. This leads to the infection of TROJ_CRYPWALL.XXTXM in the end.
Timeline of posts related to the Hacking Team
|July 5||The Italian company Hacking Team was hacked, with more than 400GB of confidential company data made available to the public.|
Three exploits – two for Flash Player and one for the Windows kernel—were initially found in the information dump. One of these [CVE-2015-5119] was a Flash zero-day.
The Windows kernel vulnerability (CVE-2015-2387) existed in the open type font manager module (ATMFD.dll) and can be exploited to bypass the sandbox mitigation mechanism.
|July 11||Two new Flash zero-day vulnerabilities, CVE-2015-5122 and CVE-2015-5123, were found in the hacking team dump.|
|July 13||Further analysis of the hacking team dump revealed that the company used UEFI BIOS rootkit to keep their Remote Control System (RCS) agent installed in their targets’ systems.|
|July 14||A new zero-day vulnerability (CVE-2015-2425) was found in Internet Explorer.|
|July 16||On the mobile front, a fake news app designed to bypass Google Play was discovered.|
|July 20||A new zero-day vulnerability (CVE-2015-2426) was found in Windows, which Microsoft fixed in an out-of-band patch.|
|July 21||Analysis of the RCSAndroid spying tool revealed that Hacking Team can listen to calls and roots devices to get in.|
|July 28||A recent campaign compromised Taiwan and Hong Kong sites to deliver Flash exploits related to Hacking Team.|