Cisco: Flash exploits are soaring
For the first five months of 2015, the Common Vulnerabilities and Exposures project has reported 62 Adobe Flash Player vulnerabilities that resulted in code execution on user machines, Cisco says in its 2015 Midyear Security Report.
That’s more than the annual totals for any year back to 2001. The closest year was 2012 with 57 such vulnerabilities, but CVE still has seven more months to report on in 2015.
Cisco says Flash exploits are being rapidly integrated into widely used exploit kits such as Angler and Nuclear. Authors of the Angler and Nuclear kits included exploits of newly published vulnerabilities within days of them being publicly announced, the report says, and Flash upgrades by users lag.
The effectiveness of the exploits in these kits is enhanced by the fact that users are failing to install updates that patch the vulnerabilities in a timely manner, Cisco says. “It appears many users have difficulty staying on top of Adobe Flash updates and perhaps may not even be aware of some upgrades,” the report says.
+ ALSO ON NETWORK WORLD Jane Austen lets the boogie man in: Cisco report +
In addition to quickly jumping on new exploits, Angler has other features that boost its effectiveness, Cisco says, enough so that the report crowns Angler as the leader in exploit-kit sophistication and effectiveness.
That’s because the kit can identify which weaknesses victim machines have and downloads appropriate malicious payloads to exploit them, Cisco says. Angler’s success rate is 40% against devices that hit one of its landing pages. That compares to just 20% on average for all other exploit kits, the report says.
Angler uses domain shadowing to trick victims. This is the practice of compromising the accounts of legitimate domain-name registrants, then creating subdomain names in their accounts. They use the subdomains to point to Angler servers that host malicious landing pages.
Cisco says Angler is responsible for 75% of all known subdomain activity of this sort by exploit kit authors since last December. In addition, the actors behind Angler change the IP addresses of their malicious sites many times per day to avoid detection.
Often the malware they deliver is ransomware, such as Cryptowall that encrypts victim machines until the victims pay a sum to have them decrypted.
The Cisco report also says these exploit kits also deploy Dridex, a banking malware that relies on Microsoft Office vulnerabilities to wage malicious macro attacks. They typically go undetected long enough to be effective then cease after antivirus vendors publish signatures for them.
Corporate security pros need to be on the lookout for malware designed to evade detection and also damage the operating systems of the machines it infects if detection efforts become too persistent, the report says. It uses Rombertik as an example of such malware because it performs pointless operations while it is in security sandboxes in an effort to wait out analysis or to delay discovery.
Rombertik attempts to overwrite master boot records and if it fails, will destroy all files in users’ home folders. Should it go undetected, then it starts its primary function, stealing data typed into browsers. “It’s a solid bet other malware authors will not only appropriate Rombertik’s tactics but may make them even more destructive,” the report says.
Sandbox detection in malware is on the rise, making it harder for enterprises to discover it.
The report says spam levels remain about the same and that coding errors continue to introduce exploitable flaws into software. “Vendors need to place more emphasis on security within the development lifecycle, or they will continue to spend time and money on catch-up efforts to detect, fix, and report vulnerabilities,” the report says.
Java-based exploits are on the decline, with no zero-day exploits being discovered since 2013. Improved patching and security improvements have made the difference, Cisco says.