Cisco is reporting that successful exploits of Flash vulnerabilities are soaring, partly because they are rapidly being incorporated in kits that take advantage of the flaws as well as because enterprises aren’t patching fast enough, which leaves them open to attack.
For the first five months of 2015, the Common Vulnerabilities and Exposures project has reported 62 Adobe Flash Player vulnerabilities that resulted in code execution on user machines, Cisco says in its 2015 Midyear Security Report.
That’s more than the annual totals for any year back to 2001. The closest year was 2012 with 57 such vulnerabilities, but CVE still has seven more months to report on in 2015.
Cisco says Flash exploits are being rapidly integrated into widely used exploit kits such as Angler and Nuclear. Authors of the Angler and Nuclear kits included exploits of newly published vulnerabilities within days of them being publicly announced, the report says, and Flash upgrades by users lag.
The effectiveness of the exploits in these kits is enhanced by the fact that users are failing to install updates that patch the vulnerabilities in a timely manner, Cisco says. “It appears many users have difficulty staying on top of Adobe Flash updates and perhaps may not even be aware of some upgrades,” the report says.
In addition to quickly jumping on new exploits, Angler has other features that boost its effectiveness, Cisco says, enough so that the report crowns Angler as the leader in exploit-kit sophistication and effectiveness.
That’s because the kit can identify which weaknesses victim machines have and downloads appropriate malicious payloads to exploit them, Cisco says. Angler’s success rate is 40 percent against devices that hit one of its landing pages. That compares to just 20 percent on average for all other exploit kits, the report says.
Angler uses domain shadowing to trick victims. This is the practice of compromising the accounts of legitimate domain-name registrants, then creating subdomain names in their accounts. They use the subdomains to point to Angler servers that host malicious landing pages.
Cisco says Angler is responsible for 75 percent of all known subdomain activity of this sort by exploit kit authors since last December. In addition, the actors behind Angler change the IP addresses of their malicious sites many times per day to avoid detection.
Often the malware they deliver is ransomware, such as Cryptowall that encrypts victim machines until the victims pay a sum to have them decrypted.
The Cisco report also says these exploit kits also deploy Dridex, a banking malware that relies on Microsoft Office vulnerabilities to wage malicious macro attacks. They typically go undetected long enough to be effective then cease after antivirus vendors publish signatures for them.
Sign up for Computerworld eNewsletters.