14 DAY TRIAL // Less than a week after Adobe rolled out a patch for a zero-day vulnerability in Flash Player that was exploited in the wild by a cyber-espionage group, malware researchers found it was leveraged by cybercriminals for purely financial purposes, infecting computers with CryptoWall ransomware.
The latest version of Flash Player, 18.0.0.194, which is available since June 23, is the result of an emergency update that fixes a heap buffer overflow (CVE-2015-3113).
Vulnerability used by spies is now employed by cybercriminals
Security researchers at FireEye reported the glitch to the developer and found that Chinese threat actor APT3 was already taking advantage of it to spy on organizations in multiple sectors: aerospace and defense, construction and engineering, high tech, telecommunications and transportation.
Interestingly, only four days after the public patch, independent security researcher Kafeine spotted the exploit in a cybercriminal browser-based attack tool called Magnitude exploit kit.
In a blog post on Sunday, Kafeine explained that Magnitude’s final payload was the infamous CryptoWall ransomware, and that malicious SWF and FLV files were used in the process.
In a separate analysis, Jerome Segura of Malwarebytes confirmed the use of a “booby trapped SWF, followed by a malicious FLV (Flash Video) file.”
Audio codec problem at the root of two vulnerabilities
It is unclear how the cybercriminals managed to develop an exploit for CVE-2015-3113 this fast, but such quick undertaking was recorded in the past with other Flash vulnerabilities.
In this case, it appears that the ground for creating the malicious code was already laid by another security flaw, CVE-2015-3043, repaired by Adobe in April, which was also being leveraged in the wild at the time the patch was released.
Both of them are heap overflow flaws and touch on how Flash Player processes audio data using the Nellymoser codec, explains Peter Pi, threat analyst at Trend Micro, adding that triggering them requires the modification of the FLV file’s audio tag.
The result of his analysis was that the two issues had the same cause and the patch for CVE-2015-3043 in April was not sufficient to plug the hole completely, allowing re-exploitation.
Referring to the same root cause for the two flaws, Segura says that Flash Player is “a hacker’s favorite due to its huge user base and reusable security flaws. Indeed, attackers have the advantage as they can refactor an exploit to bypass a previous patch that didn’t completely address an insecure or complex coding implementation.”