US-CERT is advising on a use-after-free (UAF) vulnerability in Adobe Flash (CVE-2015-5119); it was leaked as a result of the hack and subsequent dump of Hacking Team’s email and source code, and is now being leveraged in a fresh round of phishing campaigns.
This 48-hour integration window from disclosure to exploitation is short and unusual, and highlights how challenging defense can be under the threat of a seemingly endless supply of client-side zero-day exploits.
The advisory noted that the campaigns target US government agencies and private sector organizations across multiple sectors. All three campaigns leveraged website links contained in emails; two of the sites exploited the vulnerability, while the third involved the download of a compressed (i.e., ZIP) file containing a malicious executable file. Most of the websites involved are legitimate corporate or organizational sites that were compromised and are hosting malicious content.
Systems infected through targeted phishing campaigns act as an entry point for attackers to spread throughout an organization’s entire enterprise, steal sensitive business or personal information, or disrupt business operations.
“The HackingTeam exploit was already weaponized, in that it was fully productized, tested and documented,” said Dan Ingevaldson, CTO at Easy Solutions, in a blog. “There is a big difference between normal proof-of-concept exploit code and fully weaponized exploit code—probably on the order of many man-weeks to ensure stability across multiple OSs, browsers, evasions and crash-free execution.”
He added that phishing attacks remain the most obvious and effective vector for exploitation of these vulnerabilities, and that the pace is incredibly accelerated.
“It is still nearly impossible to prevent exploitation by zero-day attacks via email,” Ingevaldson said. “But it is much more realistic to stop the higher probability of successful attacks in the period immediately after disclosure, when exploit code is in the wild and patches have not yet been deployed—in this case, the time immediately after July 5th.”
The end of the Hacking Team zero-day bonanza seems to be nowhere in sight. Users should of course exercise caution when opening email attachments, especially ZIP files, even if the attachment is expected and the sender appears to be known.
Users should also avoid clicking directly on website links in emails and should attempt to verify web addresses independently.