Hacking Team Flash Zero-Day Integrated Into Exploit Kits
Feedback from the Trend Micro™ Smart Protection Network™ has allowed us to learn that the Angler Exploit Kit and the Nuclear Exploit Pack have been updated to include the recent Hacking Team Flash zero-day. In addition, Kafeine has reported that the Neutrino Exploit Kit has also included this zero-day.
The existence of this particular vulnerability was only just leaked from Hacking Team; Adobe has confirmed the vulnerability and released an advisory. The advisory also confirms that this flaw has been assigned a CVE number, CVE-2015-5119, and that all versions of Flash Player in use today are potentially vulnerable.
All Flash Player users are at risk until they can download the patch. It is expected that a patch will be delivered by Adobe sometime on July 8. We noted earlier this month that Flash Player was being targeted more frequently by exploit kits, and that pattern shows no sign of changing soon.
Figure 1. Angler exploit kit HTTP GET header
Figure 2. Nuclear exploit kit HTTP GET header
We have identified one of the payloads being spread in this manner as CryptoWall 3.0, particularly by the Angler exploit kit.
Figure 3. Cryptowall ransom page
Trend Micro is already able to protect users against this threat. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can detect this threat by its behavior without any engine or pattern updates. The Browser Exploit Prevention feature in our endpoint products, such as Trend Micro™ Security, OfficeScan, and Worry-Free Business Security, blocks the exploit once the user accesses the URL at which it is hosted. Browser Exploit Prevention protects against exploits that target browsers or related plugins.
The SHA1 hashes of the malicious Adobe Flash exploits are:
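Once the SHA1 indicators from the advisory are at hand, a defender typically wants to sweep browser caches or proxy quarantine directories for the exploit files. The script below is an added example written for this post, not Trend Micro code; the `KNOWN_BAD_SHA1` entries are labelled placeholders to be replaced with the hashes the advisory publishes, and the sample file it builds in `demo_scan()` is constructed for illustration. It goes slightly beyond the text in that it identifies SWF files by their magic bytes (`FWS`, `CWS`, `ZWS`) rather than by extension, since exploit kits commonly serve Flash content under arbitrary file names.

```python
import hashlib
import os
import tempfile

# Placeholder indicators (assumption): the post lists the SHA1 hashes of the
# exploit SWFs; substitute those values here. These are NOT real hashes.
KNOWN_BAD_SHA1 = {
    "0000000000000000000000000000000000000001",  # PLACEHOLDER_EXPLOIT_SWF_1
    "0000000000000000000000000000000000000002",  # PLACEHOLDER_EXPLOIT_SWF_2
}

# SWF files start with one of three signatures: uncompressed, zlib, or LZMA.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def sha1_of_bytes(data: bytes) -> str:
    """SHA1 hex digest of an in-memory buffer."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA1 so large caches do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_swf(path: str) -> bool:
    """Check the first three bytes rather than trusting the file extension."""
    try:
        with open(path, "rb") as fh:
            return fh.read(3) in SWF_MAGIC
    except OSError:
        return False


def scan_for_indicators(root: str, indicators=None) -> list:
    """Walk a directory tree and return (path, sha1) for every SWF whose hash
    appears in the indicator set."""
    indicators = KNOWN_BAD_SHA1 if indicators is None else indicators
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not looks_like_swf(path):
                continue
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # unreadable file; skip rather than abort the sweep
            if digest in indicators:
                hits.append((path, digest))
    return hits


def demo_scan() -> list:
    """Build a constructed cache directory containing one fake SWF with a
    non-SWF name, one benign SWF, and one non-SWF file, then scan it using
    the fake SWF's own hash as the indicator. Returns the hit list."""
    sample = b"CWS" + b"\x0a" + b"constructed sample, not a real exploit"
    benign = b"FWS" + b"\x08" + b"another constructed sample"
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "data.bin"), "wb") as fh:   # SWF, odd name
            fh.write(sample)
        with open(os.path.join(root, "clean.swf"), "wb") as fh:  # SWF, benign
            fh.write(benign)
        with open(os.path.join(root, "notes.txt"), "wb") as fh:  # not a SWF
            fh.write(sample)  # same bytes but wrong magic position is irrelevant; it IS SWF-like
        indicators = {sha1_of_bytes(sample)}
        return [(os.path.basename(p), d) for p, d in scan_for_indicators(root, indicators)]


if __name__ == "__main__":
    for path, digest in demo_scan():
        print(f"indicator match: {path} {digest}")
```

Note that `notes.txt` is written with the same bytes as the sample, so the demo matches it too: the point is that the scanner keys on content, not on the name. When run against a real cache with the advisory's hashes, point `scan_for_indicators` at the browser cache or proxy spool directory; a match is a strong signal that the host visited an exploit kit landing page and should be checked for the CryptoWall payload described above.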