Latest Flash hole already exploited to deliver ransomware – update now!

Thanks to Andrew O’Donnell and Fraser Howard of SophosLabs for their behind-the-scenes work on this article.

Are you still using Flash in your browser?

If so, make certain you’ve got the latest update from Adobe, even though it only came out last week.

Ideally, you’ll have, announced in Adobe Security Bulletin APSB15-14, issued on 2015-06-23.

→ Windows and Mac users can optionally choose the Extended Support Release, which is an old version retrofitted with the latest necessary security fixes. That one is numbered Linux users are stuck back on Flash 11, for which the current update is

Adobe still delivers its routine patches on Update Tuesday, the second Tuesday of every month, so last week’s patch was of the unexpected, emergency sort.

Targted attacks to start with

The bug that was fixed is designated CVE-2015-3133, and it is a remote code execution (RCE) bug that Adobe admitted was “being actively exploited in the wild via limited, targeted attacks.”

However, Adobe went on to temper that statement by adding, “Systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets.”

Whether that’s because the threat mitigations in Windows 8 and above make this vulnerability too hard to exploit, or simply because the victims being targeted were known in advance to be running older versions of Windows, is not clear.

One thing is for sure, though: there’s still a lot of XP about.

The announcement that the US Navy just paid for a year of extended support for XP – more than a year after official support ended anyway – was a blunt reminder of that.

As colleague Chester Wisniewski pointed out [0’43”] in this week’s Chet Chat podcast:

After all the news of the breaches in all these different government agencies..., it was a little concerning to think that we're not down to the shortlist of the last 500 machines over here in the corner, but 100,000 [Navy computers] still running XP.

(Audio player above not working? Download MP3 or listen on Soundcloud.)

In fact, by some accounts, Windows XP is still more widely used worldwide than all versions of OS X out there, and only a shade behind Windows 8 and 8.1 combined.

Cybercrooks join the attacks

As documented by well-known independent malware researcher Kafeine, attack code using of the CVE-2015-3113 Flash bug has already been packaged by crooks into an exploit kit called Magnitude.

Exploit kits, don’t forget, are part of the “pay-per-install” ecosystem of modern crimeware.

Instead of battling to build a specific exploit into your own malware so you can attack unsuspecting users with a drive-by download, you just buy or rent access to an exploit kit (EK).

Typically, that’s a server, perhaps “borrowed” from an unsuspecting system administrator whose Linux security isn’t up to scratch, that is already rigged up with malicious JavaScript pages designed to unleash any of a number of pre-packaged exploits.

The JavaScript in the EK usually tries to work out which exploits are most likely to work in a victim’s browser, for example by checking version numbers and available plug-ins, and then runs the most promising exploits in turn until one of them works.

At that point, if you’re the crook, it’s up to you what you want the EK to deliver.

Weapon of choice

So far, it looks as though the malware of choice that’s pushed out by the crooks behind these attacks is ransomware of the Crypto Defense family.

Cryptoransomware, of course, is a particularly odious sort of malware that leaves your computer running fine, but scrambles your data files and then demands a fee for the decryption key to unlock them.

If you don’t have a backup, and the crooks have done their cryptographic programming correctly, then paying up is about the only way to see your files again.

What to do?

Prevention, obviously, is what you want, especially where the data-scrambling payload of ransomware is concerned.

Here are some tips:

  • If you don’t need Flash, don’t install it at all. To find out if you actually need it, rather than assuming you need it, try living without it for a week or two. You may get a pleasant surprise.
  • If you need Flash only occasionally, use click-to-play. That’s where your browser asks you every time whether you want to let a page use Flash. Or turn the Flash plugin off altogether except for the times you know you need it.
  • If you have Flash, don’t lag behind on updates. Even automatic updates can take a while to turn up, becaue Adobe spreads the load randomly amongst its users. You can jump the queue by checking for updates manually.
  • If you’re still running Windows XP, please don’t. Vulnerabilities that are really difficult for crooks to exploit on Windows 7 and later – as good as impossible, in fact – can often be still turned into working attacks against Windows XP.
  • Keep your anti-virus turned on and up-to-date. A good anti-virus can block this sort of attack at multiple points, e.g. by blocking the web page where the EK is hosted; blocking the EK’s JavaScript component; blocking the Flash exploit itself; and blocking the ransomware it would grab next.
  • Don’t skip making backups. If you don’t have a good enough backup to recover from ransomware, you are at risk of any number of other potential data disasters, too. These include accidental deletion, a failed hard drive, and a lost or stolen laptop.

NB. Sophos products block the threat components mentioned above under numerous names. Detections you may see include: Mal/ExpJS-BU (exploit kit JavaScript), Exp/20153113-A (Flash files exploiting CVE-2015-3113) and Troj/Ransom-AXO (ransomware seen in attacks).

Free Virus Removal Tool

The Sophos Free Virus Removal Tool works alongside your existing anti-virus to find and get rid of any threats lurking on your computer.

Download and run it, wait for it to grab the very latest updates from Sophos, and then let it scan through memory and your hard disk. If it finds any threats, you can click a button to clean them up.

Click to go to download page...