
Zero-Day Attack Discovered in Magnitude Exploit Kit Targeting CVE-2016-1019 in Older Versions of Adobe Flash Player

  • Posted on:April 7, 2016 at 6:00 pm
  • Posted in:Malware, Vulnerabilities
  • Author:
    Trend Micro

By Peter Pi, Brooks Li and Joseph C. Chen

Following its security advisory of April 5, 2016, Adobe has released an out-of-band patch today for CVE-2016-1019, a vulnerability that affects Adobe Flash Player. Trend Micro has observed active zero-day attacks from the Magnitude Exploit Kit against users of Flash 20.0.0.306 and earlier. These attacks are not effective against users of Flash versions 21.0.0.182 and 21.0.0.197, because of a heap mitigation that Adobe introduced in version 21.0.0.182 and that is also present in version 21.0.0.197. When an attack attempts to exploit the vulnerability on these versions, users will only experience a crash in Adobe Flash.

We strongly recommend that all users update their systems immediately with the latest security fix, as this vulnerability is being actively exploited in the wild. Even before today's security fix, we observed the exploit kit integrating this vulnerability into its arsenal, leaving systems infected with ransomware.

Based on our analysis, CVE-2016-1019 is a type confusion vulnerability. While the exploit works on Flash 20.0.0.306 and earlier versions, on Flash versions 21.0.0.182 and 21.0.0.197 it only causes a crash and the exploit does not run, because Adobe introduced the heap mitigation starting with 21.0.0.182.
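As an added example (not part of the original post), the following script triages a constructed endpoint inventory against the Flash Player version ranges described above: 20.0.0.306 and earlier, where the exploit runs, and 21.0.0.182 / 21.0.0.197, where the heap mitigation reduces the attack to a crash. Any other version is reported as outside the ranges the post discusses, so it must be checked against Adobe's current release rather than assumed safe. The host names, versions and function names are assumptions.

```python
# Added example: classify Adobe Flash Player versions by exposure to
# CVE-2016-1019 using only the version ranges named in the post.
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# From the post: exploit works on 20.0.0.306 and earlier; 21.0.0.182 and
# 21.0.0.197 carry the heap mitigation (the attack only crashes Flash).
LAST_EXPLOITABLE: Version = (20, 0, 0, 306)
MITIGATED: Tuple[Version, ...] = ((21, 0, 0, 182), (21, 0, 0, 197))


def parse_flash_version(text: str) -> Optional[Version]:
    """Parse a dotted Flash version such as '20.0.0.306' into a comparable tuple.

    Returns None unless the string has exactly four numeric components, so
    malformed inventory data is surfaced instead of being silently ranked.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(version_text: str) -> str:
    """Map one version string to an exposure category.

    exploitable  : 20.0.0.306 or earlier (the Magnitude exploit runs)
    mitigated    : 21.0.0.182 or 21.0.0.197 (attack only crashes Flash)
    unclassified : any other version; verify against Adobe's current release
    invalid      : the string could not be parsed
    """
    v = parse_flash_version(version_text)
    if v is None:
        return "invalid"
    if v <= LAST_EXPLOITABLE:
        return "exploitable"
    if v in MITIGATED:
        return "mitigated"
    return "unclassified"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group host names by category; 'exploitable' hosts need patching first."""
    buckets: Dict[str, List[str]] = {}
    for host, ver in inventory.items():
        buckets.setdefault(classify(ver), []).append(host)
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory (host -> reported Flash Player version)
    sample = {"ws-01": "20.0.0.306", "ws-02": "18.0.0.100", "ws-03": "21.0.0.182",
              "ws-04": "21.0.0.197", "ws-05": "22.0.0.1", "ws-06": "n/a"}
    for category, hosts in sorted(triage(sample).items()):
        print(f"{category:13s}: {', '.join(hosts)}")
```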

Figure 1. Malicious domains hosting the Magnitude Exploit Kit 

Magnitude integrated Adobe Flash zero-day attack; leaves systems infected with Locky ransomware

As early as March 31, 2016, feedback from the Trend Micro™ Smart Protection Network™ showed this zero-day attack being included in the code of the Magnitude Exploit Kit. The attack then leads to Locky ransomware, a crypto-ransomware that abuses macros in document files to hide its malicious code. This malware reportedly hit the systems of the Methodist Hospital in Kentucky, USA.

Figure 2. Global distribution of Magnitude Exploit Kit traffic (March 31-April 6, 2016)

Security solutions against Adobe Flash zero-day attacks

The attackers behind the Magnitude Exploit Kit were quick to add this security bug to their list of targeted vulnerabilities. We advise users to update their systems to the latest version of Adobe Flash Player.

Trend Micro protects systems from the risks posed by zero-day attacks through a wide array of solution technologies. The Browser Exploit Prevention feature in our endpoint products, such as Trend Micro™ Security, Smart Protection Suites, and Worry-Free Business Security, blocks browser exploits as soon as the user accesses the URLs hosting them.

Our Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior without any engine or pattern updates.

Trend Micro Deep Security and Vulnerability Protection defend systems from threats that may leverage these vulnerabilities via the following DPI rules:

  • 1007572 – Adobe Flash Player Remote Code Execution Vulnerability (CVE-2016-1019)

TippingPoint customers will be protected from attacks exploiting this vulnerability by the following MainlineDV filter, which will be made available on April 12:

  • 24253: HTTP: Adobe Flash FileReference Type Confusion Vulnerability

We would like to acknowledge Kafeine for working with us to protect our customers.

Updated on April 7, 2016, 10:17 PM (UTC-7)

We updated this entry to revise the malware distributed by Magnitude Exploit Kit.

Tags: Adobe zero-day exploit, crypto-ransomware, CVE-2016-1019
