New Critical Flash Vulnerability Targets Unpatched Devices to Steal Passwords
It took less than two weeks for malicious hackers to add a new critical Adobe Flash Player vulnerability into an exploit kit used to install malware on computers, according to PCWorld.com.
Discovered by FireEye earlier this month, the Flash vulnerability (CVE-2016-4117) was used in targeted attacks involving embedded Flash content in Microsoft Office documents. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code and take control of the affected system. The vulnerability affects Flash version 22.214.171.124 and earlier. Get more information about how to update your system in the Adobe Security Bulletin.
Last week, the vulnerability was found in the popular exploit kits Angler, Magnitude and Neutrino. These kits are often delivered to users as phishing email attachments or through links within the email message. They can also spread through malvertising campaigns, in which ads are hijacked by attackers to send users to a malicious site that launches an exploit kit.
The Spread of Credential-Stealing Malware & Ransomware
According to Threatpost, the Angler exploit kit is exploiting a vulnerability that affects an older version of Flash to install the Dridex banking Trojan. Dridex steals banking credentials and, as was more recently discovered, credit card information, according to Dark Reading. The malware leverages malicious macros embedded in Office documents to install itself.
The Angler exploit kit has also incorporated Gootkit, a Trojan that steals confidential information, opens up a backdoor and downloads additional files on a compromised computer.
The Magnitude exploit kit has been primarily spreading the Cerber ransomware to its victims. SCMagazine.com reports that this type of ransomware resides only in RAM, not on the hard drive. That makes it difficult for antivirus solutions to detect, and makes it a popular pick for online criminals.
Ransomware is a type of malware that encrypts all of the files on your computer and restricts user access to programs and applications. Attackers hold your data hostage until you pay their ransom. Learn more about ransomware in Updating Devices to Protect Against the Threat of Ransomware.
In a white paper from SANS.org, a drive-by download campaign involving the Neutrino exploit kit was researched in January 2016. A drive-by download attack downloads malicious code on your device after you visit a web page (no need to click or accept any software downloads or updates). In this case, Neutrino was found to be spreading the CryptoWall ransomware.
How Many Are Affected?
In an analysis of Duo’s dataset of two million devices, we found that 60 percent of the enterprise devices used to log into business applications are running an outdated version of Flash.
Since many people use their own personal smartphones, laptops, tablets and other devices to access work apps, they may not realize that a new version of Flash or emergency patch has been released.
That means they’re susceptible to exploit kit attacks that leverage the recently patched Flash vulnerability, not to mention the other 700+ known vulnerabilities, to download malware onto their devices. And that means your business applications and data are at risk, too.
Protecting Against Flash Exploits and Malware
These attack vectors require a few conditions to work successfully in compromising users and companies:
- An outdated version of Flash running on the targeted device
- Applications protected only by a single factor of authentication - a username and password
So cover all your bases and implement a few access security controls to stop the attacks from succeeding:
- An endpoint visibility solution that detects outdated devices authenticating to your applications, and allows you to block them until they’re updated.
- A two-factor authentication solution that gives your users easy and secure access while protecting against malware that steals your passwords.
Duo provides a Trusted Access solution that offers both. Download The 2016 Duo Trusted Access Report to find out more about the current state of device security health and how to protect against the risks related to outdated devices.
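To make the two controls above concrete, here is an added example (not Duo's code and not part of the original post) of an access-policy check: it compares the Flash Player version a device reports against a minimum patched version and blocks the login until the plugin is updated, and it refuses any login that has not completed a second factor. The minimum version, the user names and the login events are constructed placeholders; the real fixed version is whatever the Adobe Security Bulletin lists for this CVE.

```python
"""Added example: a policy check for the two controls described above.
Version values and login events here are constructed, not real data."""
from dataclasses import dataclass
from typing import Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '21.0.0.200' into a comparable tuple."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def is_outdated(reported: str, minimum_patched: str) -> bool:
    """True when `reported` is strictly older than `minimum_patched`.
    Shorter versions are zero-padded so '22.0' compares as '22.0.0.0'."""
    a, b = parse_version(reported), parse_version(minimum_patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


@dataclass
class Decision:
    user: str
    action: str   # "allow", "block_outdated", "block_unknown_version", "deny_mfa"
    reason: str


def evaluate_login(event: dict, minimum_flash: str) -> Decision:
    """Apply the device-health check first, then the second-factor check.
    A device that needs patching is told so before the second factor is asked."""
    user = event["user"]
    flash = event.get("flash_version")   # None: plugin absent or not reported
    if flash is not None:
        try:
            outdated = is_outdated(flash, minimum_flash)
        except ValueError:
            # Fail closed: a version string we cannot parse cannot be trusted.
            return Decision(user, "block_unknown_version",
                            f"unparseable Flash version {flash!r}")
        if outdated:
            return Decision(user, "block_outdated",
                            f"Flash {flash} is below {minimum_flash}; update required")
    if not event.get("mfa_passed", False):
        return Decision(user, "deny_mfa",
                        "password alone is not sufficient; second factor required")
    return Decision(user, "allow", "device current and second factor verified")


# Placeholder minimum version: substitute the fixed version from the Adobe bulletin.
MINIMUM_FLASH = "21.0.0.200"

# Constructed sample events covering the cases the policy must handle.
SAMPLE_EVENTS = [
    {"user": "alice", "flash_version": "21.0.0.150", "mfa_passed": True},   # outdated plugin
    {"user": "bob",   "flash_version": "21.0.0.200", "mfa_passed": False},  # current, password only
    {"user": "carol", "flash_version": None,         "mfa_passed": True},   # no Flash installed
    {"user": "dave",  "flash_version": "unknown",    "mfa_passed": True},   # garbage version string
    {"user": "erin",  "flash_version": "22.0",       "mfa_passed": True},   # newer major version
]


def evaluate_all(events=SAMPLE_EVENTS, minimum_flash=MINIMUM_FLASH):
    """Evaluate every event and return the list of decisions."""
    return [evaluate_login(e, minimum_flash) for e in events]


if __name__ == "__main__":
    for d in evaluate_all():
        print(f"{d.user:6} {d.action:22} {d.reason}")
```

The ordering matters in practice: checking the plugin version before prompting for the second factor gives the user a clear "update first" message instead of a confusing denial after they have already approved a push, and a version string the policy cannot parse is treated as a block rather than a pass.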