The zero-day vulnerability in Adobe Flash Player that was uncovered this week is still being exploited—despite Adobe issuing an emergency patch this morning. And worse, it’s now being enlisted in a widespread malvertising campaign.
The flaw affects any version of Internet Explorer or Mozilla Firefox with any version of Windows if Flash is up to date and enabled. Google’s Chrome browser, so far, is immune.
The Angler exploit kit was found to be exploiting the issue in the wild, dropping the trojan downloader Bedep—which in turn is being used for two main purposes: hijacking PCs for ad fraud and downloading ransomware like CryptoLocker. In the former case, an infected PC becomes a zombie in a botnet that generates fake clicks on ads for pay-per-click revenue; in the latter, victims’ files are held hostage in return for payment.
In addition, Cyphort Labs has detected a new malvertising campaign with multiple websites and 20 infected domains redirecting visitors to malware—again, via the Angler EK. The sites are redirecting the users to an ad from an affiliate ad-network, affiliate.affyield.com, which claims to be a part of Affiture, subsidiary of CPXI, a privately held digital advertising company based in New York. According to the website, it sounds legitimate, with revenue of $116 million last year and a listing on Forbes’ list of America’s Most Promising Companies. Cyphort contacted the company but has yet to get a response.
Interestingly, if a web denizen accesses an infected website from a browser that is not vulnerable to the exploits (i.e., via Chrome), the site redirects the visitor through a different chain to a scam site, asking them to call a toll-free 855 number to fix a “virus problem”.
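Because the campaign keys its redirect chain on the visitor's browser (Flash exploit for IE and Firefox, a tech-support scam page for Chrome), a defender can look for the same branching in web-proxy logs rather than relying on Flash version checks, which the article notes the patch does not settle. The following is an added example, not code from the article or from Cyphort. It assumes a simple tab-separated access-log layout (time, client, URL, status, referer, user agent, content type) with constructed sample entries, and pivots on the affiliate domain the article names; every other host name in the sample is made up.

```python
"""Group proxy requests into redirect chains that pass through the ad affiliate
named in the article and classify each chain by what it served afterwards.
Added example with constructed sample data; not the article's or Cyphort's code.
"""
from urllib.parse import urlparse

AFFILIATE_HOST = "affiliate.affyield.com"          # domain named in the article
FLASH_MIME = "application/x-shockwave-flash"

# Constructed user-agent strings (IE 11 and Chrome 40 era layouts).
IE_UA = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
CHROME_UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36")

# Constructed sample log: time, client, url, status, referer, user agent, content type.
# All hosts other than the affiliate are placeholders invented for this example.
SAMPLE_EVENTS = [
    ("10:00:01", "10.0.0.5", "http://news.example/article.html", "200", "-", IE_UA, "text/html"),
    ("10:00:02", "10.0.0.5", "http://affiliate.affyield.com/ad?id=1", "302",
     "http://news.example/article.html", IE_UA, "text/html"),
    ("10:00:03", "10.0.0.5", "http://landing.example/x/", "200",
     "http://affiliate.affyield.com/ad?id=1", IE_UA, "text/html"),
    ("10:00:04", "10.0.0.5", "http://landing.example/x/player.swf", "200",
     "http://landing.example/x/", IE_UA, FLASH_MIME),
    ("10:01:01", "10.0.0.9", "http://news.example/article.html", "200", "-", CHROME_UA, "text/html"),
    ("10:01:02", "10.0.0.9", "http://affiliate.affyield.com/ad?id=1", "302",
     "http://news.example/article.html", CHROME_UA, "text/html"),
    ("10:01:03", "10.0.0.9", "http://support-alert.example/call-now.html", "200",
     "http://affiliate.affyield.com/ad?id=1", CHROME_UA, "text/html"),
    ("10:02:00", "10.0.0.12", "http://intranet.example/", "200", "-", CHROME_UA, "text/html"),
]
SAMPLE_LOG = "\n".join("\t".join(e) for e in SAMPLE_EVENTS) + "\n"


def parse_log(text):
    """Turn tab-separated log lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, status, referer, ua, ctype = line.split("\t")
        events.append({"ts": ts, "client": client, "url": url, "status": int(status),
                       "referer": referer, "ua": ua, "ctype": ctype})
    return events


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def browser_family(ua):
    """Coarse family match. Chrome must be tested first: its UA also says 'Safari'."""
    if "Chrome/" in ua:
        return "chrome"
    if "Trident/" in ua or "MSIE " in ua:
        return "ie"
    if "Firefox/" in ua:
        return "firefox"
    return "other"


def build_chains(events):
    """Start a chain at each affiliate request; attach later requests from the same
    client whose referer points at a host already in that chain."""
    chains, open_chains = [], {}
    for ev in events:
        if host_of(ev["url"]) == AFFILIATE_HOST:
            chain = {"client": ev["client"], "browser": browser_family(ev["ua"]),
                     "hosts": [AFFILIATE_HOST], "requests": [ev]}
            chains.append(chain)
            open_chains[ev["client"]] = chain
            continue
        chain = open_chains.get(ev["client"])
        if chain and host_of(ev["referer"]) in chain["hosts"]:
            chain["hosts"].append(host_of(ev["url"]))
            chain["requests"].append(ev)
    return chains


def classify(chain):
    """Flash content downstream of the affiliate marks the exploit-kit branch;
    a non-Flash branch on Chrome matches the scam-page branch the article describes."""
    served_flash = any(r["ctype"] == FLASH_MIME or r["url"].lower().endswith(".swf")
                       for r in chain["requests"])
    if served_flash:
        return "flash-exploit-chain"
    if chain["browser"] == "chrome":
        return "non-flash-chain (review for tech-support scam page)"
    return "non-flash-chain"


def analyze(text):
    return [{"client": c["client"], "browser": c["browser"],
             "hosts": c["hosts"], "verdict": classify(c)}
            for c in build_chains(parse_log(text))]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The referer-based chaining is a heuristic: after an HTTP 302 many browsers carry the original page's referer rather than the affiliate URL, so on real logs you would widen the match to a short time window per client as well. The point the sample makes is that the verdict comes from what the chain delivered, which still works when the exploit lands on a patched Flash build.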
Meanwhile, security white hat Kafeine, who first discovered the issue, noted today via tweet that despite the patch being issued by Adobe, a fully updated Windows 8.1 machine was still found to be vulnerable. Cyphort also tested and confirmed that the patched version is still vulnerable to the exploit being used in the malvertising campaign.
An immediate (and simple) short-term fix to avoid compromise is to disable Flash Player in all web browsers (even Chrome, to be on the safe side) until Adobe releases a patch that works.