The latest Adobe Flash Player update has once again proven problematic. We have discovered yet another revision of a pre-existing Angler Exploit Kit disseminating Cryptowall. A customer’s host was compromised following Angler Exploit redirects, dated June 1, 2015, June 16, 2015, and June 30th, 2015, showing that as new adaptations of the kit are added, the older ones are still in use. The latest, June 30th, is more recent than the most up to date patch for Adobe Flash Player 17, version 188.8.131.52. “Customers that are enrolled in “Allow Adobe to Install Updates (recommended)” but have not updated to Flash Player version 18 will receive a new and secure version of Flash Player 17 over the next 24 hours. ”
MetaFlows customers are encouraged to enable automatic blocking for Level 1 Events, which currently include the Angler Exploit rules (https://nsm.metaflows.com/sid_priority.map), or creating specific block rules to match Angler EK events.
The figure shows an example of the events that are triggered during an Angler Exploit attempt and infection with Cryptowall.
Adobe Flash is an extremely severe vulnerability when it comes to Crypto-locker/CryptoWall, It seems that every time Adobe comes up with a new patch, the Crypto hackers are quick to discover how to break it. The latest CryptoWall bonanza was the security vulnerability discovered in an Adobe update that was released on May 18th. This is not a singular occurrence, but is rather a part of a larger trend of exploiting security holes in Adobe software.
Just this week, Adobe’s last round of updates for Flash Player have proven problematic. These are new vulnerabilities are being used by the Angler exploit kit, a kit that has been around for some time, a kit that has now found fresh ground. These exploits are used to distribute Cryptowall, as well as other forms of malware. The intent is to encrypt (steal or take data hostage), take over (root kit or remote access tools), or recruit (make it a part of a botnet).
MetaFlows catches these types of fresh exploits better than any other security tool (according to many of our customer).
Several analysts using our system praise us. While they are running several other security products, MetaFlows was the only one to identify this threats. We were able to identify the behavior patterns that were triggered when this exploit was seen on a live network:
As you can see, the IDS events identify the individual behaviors, and our correlation engine recognizes the use of Angler toolkit to infect the target with the intended payload. In this case, it is Cryptowall, a ransomware program that has cost over an estimated $18 million from U.S. users alone. In some other cases odd behavior left undetected can cost the reputation of a brand and cause irreparable loss in intellectual property.
Criminals are swift to take advantage of any emerging opportunity that can penetrate the perimeter (it has become BIG money). You need to start monitoring the behavior of your internal hosts not only the perimeter. Our behavioral analysis and correlation engine are able to identify these threats, even when they occur across multiple sessions and employing zero-day techniques that make it through your perimeter defenses.
Our security professionals have identified the issue and are working to keep our subscriber’s networks and systems safe while Adobe has updated their Security Bulletin site with the appropriate information. Users are advised to download the newest Adobe Flash update immediately. As evidenced by our findings, criminals are swift to take advantage of any opportunity and so employing new advanced detection technologies like the one offered by MetaFlows is key to preventing expensive and sometimes irreparable IT disasters.