Flash 0-day being distributed by Angler Exploit Kit
Posted by ngriffin on 22 January 2015 10:11 AM
Websense is aware of a new zero-day vulnerability in Adobe Flash Player, which has been seen exploited in-the-wild by the Angler Exploit Kit. The exploit, as reported by security researcher Kafeine, is known to affect the latest 126.96.36.1997 version of Flash Player and has been seen dropping a trojan downloader called Bedep.
[UPDATE] 23 January 2015
Adobe released an update to Flash Player on 22 January 2015 although it does not patch the issue discussed in this blog.
In a further announcement Adobe are hoping to patch CVE-2015-0311 (the vulnerability discussed in this blog and by Adobe here) on 26 January 2015.
The Adobe Flash Player samples that exploit this vulnerability have been shared with Websense, and protection for these malicious files are in place. Adobe have been made aware of this issue and are currently investigating. At the present time, it is not possible to disclose further information regarding specific details of this threat.
Currently, it is known that Angler Exploit Kit is exploiting this Flash Player vulnerability. As we have mentioned previously, it is becoming a growing trend for exploit kits to drop Java, Internet Explorer, and PDF exploits in favor of the more successful Flash and Silverlight exploits. Utilizing vulnerabilities in these popular applications provides attackers with a large surface area of vulnerable clients. Due to the nature of exploit kits, Websense technology is able to target the threat at multiple stages and ensure that protection remains in place independent of the exploits used.
At the present time, Adobe have yet to release a patch for Adobe Flash Player. One persistent solution, for the time being, is to disable Flash Player in your browser until such time as a patch becomes available.
Websense Security Labs will continue to investigate this issue as more information becomes available.
Read more »
Fiesta Exploits Kit Targeting High Alexa-Ranked Site
Posted by Sindyan on 25 March 2014 09:37 PM
Websense® Security Labs™ researchers, using our Websense ThreatSeeker® Intelligence Cloud, have identified a new malicious attack targeting hxxp://www.mapsofworld.com/, a high Alexa-ranked site in the top 10,000 most visited sites. The site has been compromised and injected with malicious code.
The infection utilizes an iframe redirection method that redirects users to suspicious Dynamic DNS URLs hosted on different providers:
The iframe redirects users to a malicious website hosting the Fiesta exploit kit. During the first few hours of the attack, we have noticed several different URLs being used by the attackers.
Once the user visits the site, a popup window displays and asks the user to click to get more information from Java support.
The iframe leads the user to a redirection loop on the same Dynamic DNS subdomain and eventually ends up with the exploit kit automatically installing a malicious file onto the computer without the user's knowledge.
This injection was hard to spot as the injected code seems to fluctuate. One minute it’s there; the next minute, it’s not. This is where Websense Advanced Classification Engine (ACE) plays a great role in blocking the threat in real time as the threat appears. Unlike other solutions using static defenses that mirror what you have, ACE in the Cloud provides unique real-time defense assessments for security, data, and content analysis. Webpage content, active scripts, exploit code, obfuscated commands, and web redirects are analyzed in real time along with malicious files, PDFs, and executables. ACE combines seven security defense assessment areas that work together in a predictive composite scoring defense against advanced threats and targeted attacks as they emerge.
Websense Security Labs has observed a number of other high Alexa-ranked sites being targeted in the past few days:
Top countries affected are the U.S., India, and the United Kingdom.
Websense customers are protected from these and other threats by the Websense Advanced Classification Engine.
Read more »