Latest Flash Zero Day Being Used to Push Ransomware


Exploits for an Adobe Flash Player zero-day vulnerability have been folded into two exploit kits that are distributing ransomware to infected machines.

Exploits for a zero-day vulnerability in Adobe Flash Player are being aggressively distributed in two exploit kits. The zero day, meanwhile, was patched by Adobe in an emergency update released Thursday night.

Attackers are using the previously unpatched flaw in the maligned Flash Player to infect victims with either Locky or Cerber ransomware. Locky is a relatively new crypto-ransomware strain, spread primarily via spam with attachments enticing users to enable macros in Word documents that download the malware onto machines. Cerber is also crypto-ransomware that includes a feature where the infected machine will speak to the victim.

Using exploit kits to distribute ransomware isn’t new, but it does escalate the distribution of Locky in particular, which is believed to be at the heart of a number of high-profile compromises in the health care industry.

Researchers at Proofpoint said the zero day has been folded into both the Nuclear and Magnitude exploit kits, with Nuclear infections pushing Locky and Magnitude spreading Cerber.

The zero-day vulnerability affects all versions of Flash Player on Windows 10 and earlier, said Kevin Epstein, vice president of Proofpoint’s threat operations center. Today’s update patched two dozen vulnerabilities, including the zero day; most of the flaws were memory corruption bugs, along with use-after-free, type-confusion and stack overflow bugs, in addition to a security bypass vulnerability.

While the attackers have hundreds of millions of potential targets at their disposal with the zero day, they have limited this particular exploit to older versions of Flash Player, Epstein said.

“The interesting thing about this distribution of the exploit is that the attackers don’t appear to have taken full advantage of the exploit,” he said. “It’s not clear if they fully understood what they had. It is a zero day, but within this exploit kit, it’s only targeting earlier versions of Flash. They’ve self-limited their target audience, and it’s not clear why.”

Nonetheless, the exploit has been aggressively distributed, and for some time. While the Magnitude distribution of Cerber ransomware was found only in the last 72 hours, Epstein said Nuclear has been pushing Locky using this exploit since March 31.

The scale of these attacks has the potential to be massive, Proofpoint said. While neither Nuclear nor Magnitude is as prevalent as the Angler EK, both are effective and popular choices on the black market. Combine that with previous distributions of Locky in a number of spam campaigns, some of them sending multiple millions of email messages a day, according to Proofpoint, and there is the potential for long-standing trouble.

Adobe said in an advance notification two days ago that an exploit could crash a system and allow attackers to execute arbitrary code on a compromised machine. Adobe added that a mitigation introduced on March 10 in Flash 21.0.0.182 protects users against the attack; users are urged to update immediately. Adobe said active attacks using CVE-2016-1019 are targeting Windows 7 and Windows XP systems running Flash 20.0.0.306 and earlier.

“The nature of the vulnerability allows the attackers to execute arbitrary code on your machine; in this case, the Flash exploit is assisting the attacker to write arbitrary instructions to a point in memory,” Epstein said. “That set of instructions in this case downloads the ransomware and executes it.”

Epstein said that the exploit is checking only for older versions of Flash Player, even though all versions prior to today’s update are vulnerable.
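The practical takeaway for defenders is the set of version thresholds the article reports: the kits target Flash 20.0.0.306 and earlier, a mitigation shipped in 21.0.0.182, and everything before the emergency update is still vulnerable to the bug itself. The script below is an added example, not code from the article, Proofpoint or Adobe; it triages a host inventory against those thresholds. It assumes inventory data arrives either in the dotted form used in advisories ("20.0.0.306") or in the comma-separated form Flash reports about itself ("WIN 20,0,0,306"), and, because the article does not give the emergency update's build number, it never labels a host "patched", only whether it sits inside the kits' target range, lacks the mitigation, or carries it. The hostnames and versions in the sample inventory are constructed.

```python
"""Triage a Flash Player inventory against the CVE-2016-1019 thresholds
reported in the article (added example; not the article's or Adobe's code).

  * in-the-wild exploit kits target Flash 20.0.0.306 and earlier;
  * a mitigation that shipped in Flash 21.0.0.182 protects against the attack;
  * every build before the emergency update remains vulnerable to the bug itself.

The emergency update's build number is not stated in the article, so nothing
here is classified as "patched".
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int, int]

EXPLOIT_KIT_MAX: Version = (20, 0, 0, 306)  # "Flash 20.0.0.306 and earlier"
MITIGATION_MIN: Version = (21, 0, 0, 182)   # mitigation introduced in 21.0.0.182

# Four numeric components separated by '.' or ',' at the end of the string;
# an optional platform prefix such as "WIN " is simply skipped by search().
_VERSION_RE = re.compile(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)$")


def parse_version(raw: str) -> Version:
    """Turn a reported Flash version into a 4-tuple of ints.

    Accepts "20.0.0.306" as well as "WIN 20,0,0,306" (assumed inventory
    formats). Comparing tuples of ints avoids the classic mistake of comparing
    version strings lexicographically, where "9.0.0.1" sorts *after*
    "20.0.0.306" and a 9.x host would wrongly look newer than the threshold.
    """
    m = _VERSION_RE.search(raw.strip())
    if not m:
        raise ValueError(f"unrecognised Flash version string: {raw!r}")
    a, b, c, d = (int(g) for g in m.groups())
    return (a, b, c, d)


def classify(raw: str) -> str:
    """Place one reported version into a triage bucket."""
    v = parse_version(raw)
    if v <= EXPLOIT_KIT_MAX:
        return "exploit-kit-target"       # inside the range Nuclear/Magnitude go after
    if v < MITIGATION_MIN:
        return "vulnerable-unmitigated"   # outside the kits' range, but no mitigation either
    return "mitigated"                    # carries the March 10 mitigation; still apply the update


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map every host in an inventory to its triage bucket."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "ws-finance-01": "WIN 20,0,0,306",
    "ws-finance-02": "18.0.0.100",
    "ws-hr-07": "21.0.0.100",
    "ws-it-03": "21.0.0.182",
    "ws-legacy-xp": "WIN 9,0,0,1",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:14} {SAMPLE_INVENTORY[host]:16} {status}")
```

The "exploit-kit-target" bucket is the one to drive first, since those are the hosts the kits actively select; the "vulnerable-unmitigated" bucket is no safer against the bug, only against this particular campaign's version gate, so both should be updated.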

The escalation of ransomware is alarming, with new capabilities being regularly added to new strains. Ransomware such as Locky, for example, will encrypt all files stored on a machine and will seek out other machines on network shares, or even online backups the target machine may have access to. Victims are prompted to pay relatively inexpensive ransoms via Bitcoin in order to retrieve their locked files.

“Ransomware, we suspect because of the macroeconomic ROI, is something that’s going to be a growing problem,” Epstein said. “It’s here to stay a while.”
