US-CERT published an advisory titled, “TA15-213A: Recent Email Phishing Campaigns – Mitigation and Response Recommendations”. One of the vulnerabilities leveraged in these new phishing campaigns is a use-after-free (UAF) vulnerability in Adobe Flash (CVE-2015-5119). This vulnerability is particularly interesting because it was leaked as a result of the hack and subsequent dump of HackingTeam’s email and source code. What is interesting here is not the existence of the vulnerability, but how this case underlines the massively asymmetric situation that defenders find themselves in.
The HackingTeam exploit was already “weaponized”, in that it was fully productized, tested and documented. There is a big difference between normal proof-of-concept exploit code and fully weaponized exploit code—probably on the order of many man-weeks to ensure stability across multiple OSs, browsers, evasions and crash-free execution. HackingTeam was hacked on July 5th, the exploit was “found” in the published archive on July 7th, and immediately added to hacking kits like Angler and Nuclear.
This ~48 hour integration window from disclosure to exploitation is short and relatively unique because weaponized code doesn’t make it into the wild that often, but it highlights how challenging defense can be when under the threat of a seemingly endless supply of client-side zero-day exploits.
Phishing attacks remain the most obvious and effective vector for exploitation of these vulnerabilities. However, some classes of these vulnerabilities are completely preventable in 2015. Flash itself has been under assault by the security community for years, due to its unique ability to be both permanently vulnerable to attack, grant attackers elevated privilege, and still be considered fairly ubiquitous. Several prominent security professionals and researchers have called for the public execution of Flash and its permanent removal from all web browsers. As proven by Apple after the initial release of the iPhone, it is possible to use the Web without Flash and Flash’s popularity has steadily been on the decline.
It is still nearly impossible to prevent exploitation by zero-day attacks via email. But it is much more realistic to stop the higher probability of successful attacks in the period immediately after disclosure, when exploit code is in the wild and patches have not yet been deployed—in this case, the time immediately after July 5th.
As a defender, ask yourself, do you need to accept zip or archived attachments from the outside? What about encrypted/password-protected archives? It is 2015 and there are much better solutions to send and receive files other than email attachments. Have you deployed DMARC validation on inbound email to decrease the likelihood of spoofed emails that contain malware? Do your users absolutely require Flash? If so, should you accelerate your efforts to stop your reliance on Flash and other browser plugins.
Easy Solutions does business primarily with financial services organizations around the world. Many if not most of them simply block inbound email attachments or use layers of rules to ensure that the many email-based attack vectors are closed from the outside. They are still able to function quite well with the added benefit of not being a sitting duck for the next zero-day seeded phishing campaign.[su_box title=”About Easy Solutions” style=”noise” box_color=”#336588″]
Easy Solutions is a security vendor exclusively focused on the comprehensive detection and prevention of electronic fraud across all devices, channels and clouds. Our products range from fraud intelligence and secure browsing to multi-factor authentication and transaction anomaly detection, offering a one-stop shop for end-to-end fraud protection. The online activities of over 70 million customers at 240 leading financial services companies, security firms, retailers, airlines and other entities in the US and abroad are protected by Easy Solutions Total Fraud Protection platform.[/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.