MadAdsMedia, a US-based web advertising network, was compromised by cybercriminals to redirect visitors of sites that use its advertising platform to Adobe Flash exploits delivered by the Nuclear Exploit Kit. Up to 12,500 users per day may have been affected by this threat; three countries account for more than half of the hits: Japan, the United States, and Australia.
Figure 1.

This attack was first seen in April, although at relatively low traffic levels. The number of users at risk grew significantly as May started, with the peak of 12,500 daily affected users reached on May 2.
The Flash exploits in use target CVE-2015-0359, a vulnerability that Adobe patched only in April of this year; users still running an older version of Flash remain at risk. The exploits are delivered by the Nuclear Exploit Kit, a kit that has been updated repeatedly to add new Flash exploits and has previously been tied to crypto-ransomware.
Solutions and best practices
Attacks like these highlight how important it is for ad networks to keep their infrastructure secure: once an ad server is compromised, every site that embeds its tags becomes a distribution point for the exploit kit. Making sure that web servers and applications are secure helps protect both the business and its customers.
End users, on the other hand, are advised to keep popular web plugins up to date; users running the latest version of Adobe Flash Player would not have been at risk. Adobe's monthly updates are released at approximately the same time as Microsoft's Patch Tuesday (the second Tuesday of each month), which makes that a good time for users to perform what is, in effect, preventive maintenance on their machines.
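Keeping Flash current only helps if you can tell which installs are actually behind. The script below is an added example, not code from the original post or from Trend Micro: it parses Flash version strings as reported by installers and by the plugin's `$version` value (`WIN 17,0,0,169`) and flags builds older than the first fixed build of their release branch. The fixed-build numbers are the ones I understand Adobe shipped in the April 2015 bulletin (APSB15-06) that patched CVE-2015-0359; treat them as an assumption and verify them against the advisory before relying on the check. The inventory lines are constructed sample data.

```python
"""Flag Adobe Flash Player installs still exposed to CVE-2015-0359.

Added example, not part of the original post. Fixed builds below are assumed
to match Adobe's APSB15-06 advisory (April 14, 2015); verify before use.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, int, int, int]

# Assumed first fixed build per release branch, keyed by major version.
FIXED_BUILDS: Dict[int, Version] = {
    17: (17, 0, 0, 169),    # regular release (Windows / Mac)
    13: (13, 0, 0, 281),    # Extended Support Release
    11: (11, 2, 202, 457),  # Linux
}
LATEST_MAJOR = max(FIXED_BUILDS)


def parse_version(text: str) -> Optional[Version]:
    """Accept '17.0.0.169', '17,0,0,169' or 'WIN 17,0,0,169' ($version form).

    Returns None for anything that is not four integer fields, so callers
    can treat unparseable input as unknown rather than as safe.
    """
    fields = text.strip().split()
    if not fields:
        return None
    parts = re.split(r"[.,]", fields[-1])
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build predates the fix for its branch, None if unparseable."""
    v = parse_version(version)
    if v is None:
        return None
    fixed = FIXED_BUILDS.get(v[0])
    if fixed is None:
        # A branch we have no fixed build for: anything older than the newest
        # patched branch (e.g. 16.x, 14.x) never received this fix; anything
        # newer (18.x and up) was released after it.
        return v[0] < LATEST_MAJOR
    return v < fixed


# Constructed sample inventory: (hostname, reported Flash version).
SAMPLE_INVENTORY = [
    ("host-a", "WIN 17,0,0,169"),   # current regular release
    ("host-b", "17.0.0.134"),       # March 2015 build, one update behind
    ("host-c", "13.0.0.277"),       # ESR build before the fix
    ("host-d", "11.2.202.451"),     # Linux build before the fix
    ("host-e", "16.0.0.305"),       # branch superseded before the fix
    ("host-f", "unknown"),          # inventory agent could not read it
]


def audit(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each host to 'patched', 'vulnerable' or 'unknown'."""
    report: Dict[str, str] = {}
    for host, reported in inventory:
        state = is_vulnerable(reported)
        if state is None:
            report[host] = "unknown"
        else:
            report[host] = "vulnerable" if state else "patched"
    return report


if __name__ == "__main__":
    for host, state in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {state}")
```

Unknown results are reported separately on purpose: an inventory gap is a finding, not a pass, and should be chased down rather than folded into the patched count.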
Trend Micro Deep Security and Vulnerability Protection protect user systems from threats that may leverage this vulnerability. Trend Micro endpoint solutions additionally protect systems against malware and related attacks.
Additional analysis by Brooks Li
Update as of May 8, 2015, 11:45 PM PDT
As of this writing, the affected URL is no longer connecting to the Nuclear Exploit Kit.
Update as of May 8, 2015, 12:15 PM PDT
A representative from MadAdsMedia shared their official comment with us regarding this report:
We launched an investigation shortly after noticing suspicious activity in our network. Soon after, we were contacted by Trend Micro; the details from their research played a crucial role in our efforts to eliminate this threat. We provided Trend Micro’s information to our hosting company, GigeNET.com, and they swiftly took action. Within hours, GigeNET identified the breach and simultaneously secured the network. We thank both Trend Micro and GigeNET for their efforts in protecting our users.
Update as of May 11, 2015, 7:29 PM PDT
The final payload initially detected as TROJ_CARBERP.YVA is now detected as BKDR_CARBERP.YVA to reflect results of further analysis.
Update as of May 15, 2015, 11:32 AM PDT
The final payload initially detected as BKDR_CARBERP.YVA is now detected as BKDR_GLUPTEBA.YVA.