Magnitude Kit Exploiting Flash Zero Day, Dropping Cryptowall

Exploits for the recently patched Adobe Flash Player zero-day have appeared in the Magnitude Exploit Kit and are leading to Cryptowall ransomware infections.

The urgency to patch Adobe Flash Player installations ramped up over the weekend when exploits for a recently patched zero-day vulnerability were found in the Magnitude Exploit Kit.

French researcher Kafeine said on Sunday that a sample he encountered was dropping two instances of Cryptowall ransomware against a Windows 7 computer running Internet Explorer 11. Cryptowall is a strain of ransomware that encrypts files on a victim’s computer and demandsĀ a ransom, generally paid in Bitcoin. The FBI last week said that consumers have reported losses of more than $18 million related to Cryptowall infections.

An emergency out-of-band update for Flash was released June 23 that patched a vulnerability being exploited in targeted attacks by a group linked to China, said security company FireEye.

Flash vulnerabilities are a favorite attack vector for criminal hackers and nation-state groups because of the player’s ubiquity on Windows machines especially. These groups are moving quickly in developing exploits for patched vulnerabilities; Kafeine said it took only four days for this one to show up in Magnitude, for example.

This vulnerability should be prioritized becauseĀ it has been publicly exploited since at least the start of June and users were exposed nearly three weeks, researchers at FireEye said.

The group responsible, dubbed APT3 by FireEye, has used its exploits to target critical industries such as aerospace and defense, construction and engineering, high tech companies, telecommunications and transportation organizations. Researchers said the attackers are casting a wide net with phishing emails that look more like spam-type messages soliciting low-cost Apple gear. A link in the messaging points to websites controlled by the APT group that holds the Flash exploit that includes a backdoor known as SHOTPUT used to move stolen data off infected machines. The group, which is believed to be behind last year’s Clandestine Fox operation, primarily covets intellectual property.

“Any time one of these groups is using a zero day and casting such a wide net, it’s pretty significant, especially since the activity started in early June and a patch was not released until today,” FireEye intel operations manager Mike Oppenheim told Threatpost last week. “That’s a big window, and possibly tons of victims affected.

“For victims that have been exploited, they are fast to move,” Oppenheim said. “If you’ve already been exploited, they are already moving along with lateral movement in the network, grabbing credentials and dropping more backdoors.”

Now that criminals have absorbed the exploits into Magnitude, they expect to turn a profit against unpatched machines by infecting them with Cryptowall, fast becoming one of the most prolific crypto-ransomware tools in use.

Close to three weeks ago, the SANS Institute warned that it was observing a spike in Angler Exploit Kit traffic containing Cryptowall 3.0 ransomware. The same group, SANS said, could also have been behind a simultaneous spam campaign pushing the same version of Cryptowall. Cryptowall 3.0 encrypts files stored on a compromised computer and demands a ransom, usually $500 payable in Bitcoin, in exchange for the encryption key. The malware uses numerous channels to communicate and send stolen traffic to its keepers, including I2P and Tor anonymity networks.

Suggested articles