Cisco: Flash exploits are soaring

Exploit kits are more successful because enterprises don’t patch fast enough

Cisco reports that successful exploits of Adobe Flash vulnerabilities are soaring, partly because new flaws are being incorporated into exploit kits within days of disclosure, and partly because enterprises are not patching fast enough, which leaves them open to attack.

For the first five months of 2015, the Common Vulnerabilities and Exposures (CVE) project recorded 62 Adobe Flash Player vulnerabilities that allowed code execution on user machines, Cisco says in its 2015 Midyear Security Report.

That already exceeds the annual total for any year back to 2001. The closest year was 2012, with 57 such vulnerabilities, and CVE still has seven more months of 2015 to record.

Cisco says Flash exploits are being rapidly integrated into widely used exploit kits such as Angler and Nuclear. The authors of both kits added exploits for newly published vulnerabilities within days of public disclosure, the report says, while users' Flash upgrades lag far behind.

The exploits in these kits are more effective because users fail to install the updates that patch the vulnerabilities in a timely manner, Cisco says. “It appears many users have difficulty staying on top of Adobe Flash updates and perhaps may not even be aware of some upgrades,” the report says.


In addition to quickly jumping on new exploits, Angler has other features that boost its effectiveness, Cisco says, enough so that the report crowns Angler as the leader in exploit-kit sophistication and effectiveness.

That is because the kit fingerprints each visiting machine to identify which vulnerable software it runs and then delivers a payload chosen to exploit those weaknesses, Cisco says. Angler compromises 40% of the devices that reach one of its landing pages, compared with an average of just 20% for all other exploit kits, the report says.

Angler uses domain shadowing to reach victims. This is the practice of compromising the accounts of legitimate domain-name registrants and creating new subdomains under their domains. The subdomains point to Angler servers that host the malicious landing pages, so the landing pages inherit the reputation of an established, legitimate parent domain and are harder to block by domain reputation alone.

Cisco says Angler is responsible for 75% of all known subdomain activity of this sort by exploit kit authors since last December. In addition, the actors behind Angler change the IP addresses of their malicious sites many times per day to avoid detection.
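The two behaviours described above, rogue subdomains appearing under established registrants' domains and landing-page addresses rotating several times a day, can be turned into a detection heuristic over passive-DNS data. The following is an added example written for this article, not code from Cisco's report or from any Angler analysis. The records are constructed to look like passive-DNS sightings (hostname, resolved address, first-seen time); the hostnames, addresses and the `NEW_HOST_DAYS` and `CHURN_IPS_PER_DAY` thresholds are assumptions to tune against real feeds.

```python
"""Heuristic detection of domain shadowing in passive-DNS sightings.

Added example for this article (not from the Cisco report). Three signals
are combined, each a weak indicator on its own:
  1. a recently created name resolves outside the address ranges the parent
     domain has historically used;
  2. the same address serves new names under several unrelated registrants;
  3. one name cycles through many addresses within a single day.
"""
from collections import defaultdict
from datetime import datetime, timedelta

NEW_HOST_DAYS = 30      # assumption: a name first seen within 30 days is "new"
CHURN_IPS_PER_DAY = 3   # assumption: 3+ distinct addresses in 24h is rotation

# Constructed sample data (RFC 5737 documentation ranges). The www/mail/blog
# names are the registrants' real infrastructure; the random-looking labels
# are shadow subdomains pointing at shared, rotating kit infrastructure.
SAMPLE_RECORDS = [
    # hostname, resolved address, first seen (UTC, ISO 8601)
    ("www.example-bakery.com", "203.0.113.10", "2015-03-01T08:00:00"),
    ("mail.example-bakery.com", "203.0.113.11", "2014-11-12T09:00:00"),
    ("qwe8hf.example-bakery.com", "198.51.100.5", "2015-06-02T01:12:00"),
    ("qwe8hf.example-bakery.com", "198.51.100.77", "2015-06-02T05:40:00"),
    ("qwe8hf.example-bakery.com", "198.51.100.120", "2015-06-02T11:03:00"),
    ("www.example-lawfirm.net", "192.0.2.20", "2013-05-05T10:00:00"),
    ("zz91kd.example-lawfirm.net", "198.51.100.5", "2015-06-02T01:15:00"),
    ("zz91kd.example-lawfirm.net", "198.51.100.77", "2015-06-02T05:42:00"),
    ("blog.example-lawfirm.net", "192.0.2.21", "2015-05-30T10:00:00"),
]


def apex_of(hostname):
    """Registrable parent of a hostname.

    Assumption: a two-label apex (example.com). Production code should use
    the Public Suffix List so names under co.uk-style registries are handled.
    """
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def prefix24(ip):
    """Coarse network key: the first three octets of an IPv4 address."""
    return ".".join(ip.split(".")[:3])


def detect_shadowing(records, now):
    """Return {hostname: [reasons]} for names that look like shadow domains."""
    now = datetime.fromisoformat(now)
    new_cutoff = now - timedelta(days=NEW_HOST_DAYS)

    # hostname -> chronologically sorted (seen, ip) sightings
    sightings = defaultdict(list)
    for host, ip, seen in records:
        sightings[host].append((datetime.fromisoformat(seen), ip))
    for host in sightings:
        sightings[host].sort()

    # Baseline per apex: /24s used by names older than the "new" window.
    established = defaultdict(set)
    for host, obs in sightings.items():
        if obs[0][0] < new_cutoff:
            established[apex_of(host)].update(prefix24(ip) for _, ip in obs)

    # Which apexes have *new* names resolving to each address.
    new_hosts = {h for h, obs in sightings.items() if obs[0][0] >= new_cutoff}
    ip_to_new_apexes = defaultdict(set)
    for host in new_hosts:
        for _, ip in sightings[host]:
            ip_to_new_apexes[ip].add(apex_of(host))

    findings = {}
    for host in sorted(new_hosts):
        obs = sightings[host]
        apex = apex_of(host)
        reasons = []
        prefixes = {prefix24(ip) for _, ip in obs}
        # Signal 1: only fires when the apex has a baseline to compare against,
        # so a brand-new registrant with no history is not flagged.
        if established[apex] and not (prefixes & established[apex]):
            reasons.append("new name resolves outside the parent's known /24s")
        # Signal 2: infrastructure shared with new names of other registrants.
        if any(len(ip_to_new_apexes[ip]) > 1 for _, ip in obs):
            reasons.append("shares an address with new names under other registrants")
        # Signal 3: address churn within any 24-hour window.
        for i in range(len(obs)):
            window = {ip for t, ip in obs[i:] if t - obs[i][0] <= timedelta(hours=24)}
            if len(window) >= CHURN_IPS_PER_DAY:
                reasons.append("%d distinct addresses within 24h" % len(window))
                break
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in detect_shadowing(SAMPLE_RECORDS, "2015-06-03T00:00:00").items():
        print(host, "->", "; ".join(reasons))
```

On the sample data the two random-label names are flagged while `blog.example-lawfirm.net`, which is also new but sits in its parent's known range and shares nothing with other registrants, is not. Signal 1 alone will also fire on legitimate moves to a CDN or cloud host, which is why the reasons are returned separately rather than collapsed into a single verdict: an analyst or a downstream rule can require two of the three.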

Often the malware they deliver is ransomware such as Cryptowall, which encrypts the files on victim machines and holds them until the victims pay for the decryption key.

The Cisco report also says these exploit kits deploy Dridex, a banking trojan distributed through malicious macros in Microsoft Office documents. Dridex campaigns typically go undetected long enough to be effective and then cease once antivirus vendors publish signatures for them.

Corporate security pros need to be on the lookout for malware that is designed to evade detection and that damages the operating systems of the machines it infects if it concludes it is being analyzed, the report says. It cites Rombertik as an example: while running inside a security sandbox, the malware performs large numbers of pointless operations to outlast automated analysis or delay discovery.

If it detects analysis, Rombertik attempts to overwrite the master boot record; if that fails, it destroys all files in the user's home folder. If it goes undetected, it proceeds to its primary function, stealing data typed into browsers. “It’s a solid bet other malware authors will not only appropriate Rombertik’s tactics but may make them even more destructive,” the report says.

Sandbox-aware malware is on the rise, making it harder for enterprises to detect infections through automated analysis.

The report says spam levels remain about the same and that coding errors continue to introduce exploitable flaws into software. “Vendors need to place more emphasis on security within the development lifecycle, or they will continue to spend time and money on catch-up efforts to detect, fix, and report vulnerabilities,” the report says.

Java-based exploits are on the decline, with no zero-day exploits being discovered since 2013. Improved patching and security improvements have made the difference, Cisco says.

Stories by Tim Greene