The exploits for a zero-day vulnerability in Adobe Flash Player are being distributed in two exploit kits. At the same time, the zero day was patched by Adobe in an emergency update released last night.
To infect users with Locky or Cerber ransomware, cyber criminals use the previously unpatched flaw in the maligned Flash Player.
Locky ransomware is a recently-found crypto-ransomware strain, usually distributed via spam email attachments convincing victims to enable macros in Word documents which download the malware onto computers.
Cerber ransomware is crypto-ransomware too, however, it includes a feature where the infected machine will speak to the victim.
Using the exploit kits to move ransomware is not an innovation, however, it does escalate the distribution of Locky ransomware, which is considered as the heart of a number of high-profile compromises in the health care industry.
According to the Proofpoint researchers, the zero day has been folded into both the Nuclear and Magnitude exploit kits, with Nuclear infections pushing Locky and Magnitude spreading Cerber.
Kevin Epstein, vice president of Proofpoint’s threat operations center, claims that the zero day vulnerability affects all versions of Flash Player on Windows 10 and earlier. The latest update patched two dozen vulnerabilities, including the zero day. Most of the flaws were memory corruption bugs, as well as use-after-free, type-confusion and stack-overflaws, alongside the security bypass vulnerability.
According to Epstein, despite having hundreds of millions of potential targets at their disposal with the zero day, the hackers have limited this particular exploit to older versions of Flash Player.
“The interesting thing about this distribution of the exploit is that the attackers don’t appear to have taken full advantage of the exploit,” Epstein said. “It’s not clear if they fully understood what they had. It is a zero day, but within this exploit kit, it’s only targeting earlier versions of Flash. They’ve self-limited their target audience, and it’s not clear why.”
Though, the exploit has been aggressively distributed, and for some time. Epstein said that unlike Nuclear, which has been pushing Locky using this exploit since March 31, the Magnitude distribution of Cerber ransomware was found only in the last 72 hours.
According to the Proofpoint experts, the scale of these attacks has the potential to be massive. Despite the fact that Nuclear and Magnitude are not as prevalent on the scale of the Angler EK, they are effective and popular choices on the black market. Combined with previous distributions of Locky in a number of spam campaigns, some of them reaching multimillions of email messages a day and this is the potential for longstanding trouble.
A couple of days ago, Adobe said that an exploit could crash a system and let hackers execute arbitrary code on a compromised machine. Also, Adobe added that a mitigation introduced on March 10 in Flash 18.104.22.168 protects users against attack, which users are urged to update immediately. In addition, Adobe said that active attacks using CVE-2016-1019 are targeting Windows 7 and Windows XP systems running Flash 22.214.171.1246 and earlier.
“The nature of vulnerability allows the attackers to execute arbitrary code on your machine; in this case, the Flash exploit is assisting the attacker to write arbitrary instructions to a point in memory,” Epstein said. “That set of instructions in this case downloads the ransomware and executes it.”
According to Epstein, the exploit is checking only for older versions of Flash Player, even though all versions prior to today’s update are vulnerable.
“Ransomware, we suspect because of the macro economic ROI is something that’s going to be a growing problem,” Epstein added. “It’s here to stay a while.”