Escape to Flash: Top 10 Vulnerabilities Used by Attackers



    Recorded Future has analyzed over 100 exploit kits (EKs), examining the vulnerabilities these EKs target. As it turned out, Adobe Flash Player is the software product targeted most often. Flash has a large number of vulnerabilities, and attackers very frequently put them to use.

    From January 1, 2015 to September 30, 2015, Adobe Flash Player accounted for 8 of the 10 vulnerabilities most often exploited by cybercriminals. The remaining vulnerabilities relate to Microsoft Internet Explorer 10 and 11 (CVE-2015-2419) and to other Microsoft products, including Silverlight (CVE-2015-1671).

    An exploit kit is a package of exploits for several programs (or versions of a program) at once and/or for several different vulnerabilities in them. In the latest versions of these bundles, the exploit is selected to match the specific software found on the user's machine. In most cases, exploit kits are used in client-side attacks: malicious code reaches the victim through the browser and is then executed. The core set of exploits in such bundles targets vulnerabilities in browsers, Java, Flash, and PDF readers.

    Kits are often offered as a service: the customer supplies the software that is to be delivered to the victim's PC or server, and the owner of the "service" tries to install that software on as many machines as possible. The customer pays for each successful installation.

    The software reaches users' computers in various ways, including through compromised web pages. Understanding which vulnerabilities cybercriminals actually exploit helps organizations protect themselves against compromise.

    Angler Exploit Kit


    Angler is one of the most popular and well-known exploit kits; the most successful crypto-ransomware distribution campaigns were carried out with its help. It first appeared in 2013 and quickly gained popularity thanks to its ability to evade the overwhelming majority of antivirus products. Angler has been used to distribute malware such as Cryptowall, AlphaCrypt, Necurs, and Bedep.



    In October, Cisco discovered a large number of proxy servers associated with Angler. The network Cisco uncovered was responsible for 50% of the exploit kit's activity. This infrastructure infected about 90 thousand systems per day and brought its operators about $30 million per year.

    Methodology


    Recorded Future analyzed thousands of sources across the Web, including .onion sites, hacker forums, and social media. In addition to Angler, other popular exploit kit services such as Neutrino and Nuclear Pack were also studied.

    The company did not reverse engineer the software in question; instead, it studied publicly available information from information security blogs, blog posts, and similar sources.

    Results


    Using these methods, the company was able to determine which vulnerabilities are most popular among attackers. As noted above, most of them are in Adobe Flash Player.



    The most common vulnerability, CVE-2015-0313, affects Flash Player 16.0.0.296; Adobe rated it critical and fixed it in February 2015. This vulnerability is included in the Hanjuan, Angler and Fiesta EKs.



    Several more vulnerabilities (CVE-2015-5119, CVE-2015-5122) were added by EK authors immediately after these problems became known "thanks" to the July 2015 Hacking Team leak.



    Conclusions


    Since Adobe Flash Player is multi-platform and, on top of that, contains a large number of vulnerabilities, it is very popular among attackers. In fact, there are so many "holes" in Adobe Flash Player that the product can hardly be called a safe runtime environment.

    Flash versions older than 19.0.0.226 can no longer be run on Apple OS X.



    Clearly, each organization and user must decide for themselves whether to use Flash in their work or not. But one thing can be said with certainty: if the package is already in use, it must be updated promptly. It is also worth enabling "Click to Play", which keeps Flash content from running automatically on unfamiliar sites.
