December 27, 2024

Recently Patched Flash Player Vulnerability Added to Exploit Kit

Posted on October 23, 2014 by in Security

An exploit for a Flash Player vulnerability that was patched just over one week ago by Adobe has already been added by cybercriminals to an exploit kit.

The French malware researcher know as “Kafeine” was the one who first noticed the integration of the exploit for CVE-2014-0569, a Flash Player integer overflow flaw that could lead to arbitrary code execution, into the Fiesta exploit kit. The expert made the discovery while trying to analyze a different Flash vulnerability (CVE-2014-0556).

The vulnerability was reported to Adobe privately through HP’s Zero Day Initiative (ZDI) program so everyone is wondering how the cybercriminals managed to get their hands on the exploit in such a short period of time.

Kafeine told SecurityWeek that he believes the cybercriminals reverse engineered the patch released by Adobe to build their exploit.

“The criminals built this vulnerability into an exploit kit in record time. Whether they were given a heads-up, or just have a highly skilled reverse engineer, both scenarios are equally worrisome as it increases the possible window of infection,” Jerome Segura, senior security researcher from Malwarebytes Labs, told SecurityWeek. “Perhaps this is not too much of a deal for individuals, but it can be more difficult for businesses which need to roll out patches on dozens of machines, hoping doing so will not cause malfunctions in existing applications. Browsing the net on an unpatched computer is like playing Russian roulette with a handful of loaded guns.”

“The bad guys are not going to run short of vulnerabilities they can weaponize, and if this happens at a quicker rate than ever before, their success rate will increase. This leaves end users with very little room for mistakes, such as failing to diligently apply security patches sooner rather than later,” Segura added.

Initially, Kafeine believed the exploit for CVE-2014-0569 was integrated into the Angler exploit kit as well, but in an update made to his original blog post, the researcher noted that the exploit included in Angler actually appears to be for a different Flash vulnerability patched by Adobe last week.

In the case of the Angler exploit kit, the first payload that’s distributed is Bedep (detected by Malwarebytes as Trojan.FakeMS.ED), which enrolls infected computers into a botnet. The final payload is a variant of the notorious Zeus banking Trojan, Kafeine said.

Both the Fiesta and Angler exploit kits are popular among cybercriminals. Angler was recently involved in a malvertising campaign targeting several high-profile websites, including Java.com.

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Attackers Exploit Heartbleed Flaw to Bypass Two-factor Authentication, Hijack User Sessions: Mandiant

Posted on April 19, 2014 by in Security

Attackers Exploit Heartbleed Vulnerability to Circumvent Multi-factor Authentication on VPNs and Hijack Active User Sessions

After details of the critical “Heartbleed” vulnerability in OpenSSL emerged earlier this month, which enables attackers to steal sensitive data typically protected by TLS encryption, there has been widespread concern among system administrators, network security teams, software developers and essentially anyone with any technical connection to the Internet.

In short, the Heartbleed vulnerability allows attackers to repeatedly access 64K blocks of memory by sending a specially crafted packet to a server running a vulnerable version of OpenSSL. Because an attacker can’t specify what kind of data to obtain from the computer’s memory or reliably get the same kind of information each time, the attack depends on luck and timing.

Originally, one of the key concerns about the vulnerability was if an attacker could obtain the private SSL Keys from a server by exploiting Heartbleed. As it turns out, through an experiment setup by CloudFlare, several researchers independently retrieved the private keys from the intentionally-vulnerable NGINX server using the Heartbleed exploit. 

Now, according to researchers at Mandiant, now a unit of FireEye, an attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions. 

“Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users,” Mandiant’s Christopher Glyer explained in a blog post. “With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated. The attack bypassed both the organization’s multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.”

The victim was an organization located in the United States, a FireEye spokesperson told SecurityWeek.

According to Mandiant, the following evidence proved the attacker had stolen legitimate user session tokens:

1. A malicious IP address triggered thousands of IDS alerts for the Heartbleed vulnerability destined for the victim organization’s SSL VPN.

2. The VPN logs showed active VPN connections of multiple users rapidly changing back and forth, “flip flopping”, between the malicious IP address and the user’s original IP address. In several cases the “flip flopping” activity lasted for multiple hours.

3. The timestamps associated with the IP address changes were often within one to two seconds of each other.

4. The legitimate IP addresses accessing the VPN were geographically distant from malicious IP address and belonged to different service providers.

5. The timestamps for the VPN log anomalies could be correlated with the IDS alerts associated with the Heartbleed bug.

After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said.

Additional details and remediation advice are available from Mandiant.

The vulnerability is “catastrophic” for SSL and Internet security, Bruce Schneier, a well-known cryptologist and CTO of Co3 Systems, previously told SecurityWeek. “On the scale of 1 to 10, this is an 11.”

While it’s perfectly possible there are even more serious flaws in TLS lurking undiscovered, Heatbleed is quite possibly the worst one to date. Calling Heartbleed a “ginormous issue” would be a conservative assessment, Schneier said.

It’s very likely governments around the world used Heartbleed to exploit whatever server they could and grab whatever they could get as soon as they heard about the vulnerability, Schneier suggested. “Because why would you not?”

The NSA has denied a report claiming it was aware of and even exploited Heartbleed to gather critical intelligence.

“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,” an NSA spokeswoman said.

Earlier this week, Canadian police arrested and charged a 19-year-old man for stealing the data of 900 Canadian taxpayers’ data through an attack that exploited the Heartbleed bug.

Managing Editor, SecurityWeek.

Previous Columns by Mike Lennon:


SecurityWeek RSS Feed