The Vulnerability
Last week, Adobe released a security update for a Critical Vulnerability, CVE-2015-3113, that affects Adobe Flash on Windows, Mac and Linux.
This vulnerability may allow remote attackers to execute arbitrary code.
In The Wild Attacks
There were reports of the “In The Wild Zero Day Attacks” affecting Windows 7 with Internet Explorer and Windows XP with Firefox.
FireEye reported Operation Clandestine Wolf, which used this vulnerability as the initial point of infection for its victims.
Here is the sequence of steps that amounts to a successful exploitation:
Let's take a look at the malicious Flash file.
Here is the detection rate as seen in Virustotal.
Here is how the Flash file is constructed; note the couple of Binary Data blocks, which are later referenced from the ActionScript.
Here is the decompilation of the ActionScript embedded in the Flash File.
We can see the control flow where the encrypted data is decrypted using a specified key. This is achieved with some array manipulations followed by a call to the decode function.
This function converts the byte array to an integer array.
This is the actual logic of the “decode” routine that utilizes XOR decryption.
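To make the two steps above concrete for an analyst, here is an added example (not code from the sample or from Splunk) that reproduces the byte-array-to-integer-array conversion and the repeating-key XOR decode, identifies what the decoded block is from its file signature, and recovers the key from a known header when the key is short. The 32-bit little-endian word layout, the key and the sample data are assumptions constructed for this example; the real sample's word size, key and blobs are not given on the page.

```python
import struct
from typing import List, Optional

# File signatures an analyst expects at offset 0 of a decoded block
# (SWF: uncompressed/zlib/LZMA; Windows PE executables begin with "MZ").
KNOWN_MAGIC = {b"FWS": "SWF (uncompressed)", b"CWS": "SWF (zlib)",
               b"ZWS": "SWF (LZMA)", b"MZ": "PE executable"}

def bytes_to_ints(data: bytes) -> List[int]:
    """The 'byte array to integer array' step: split the buffer into 32-bit
    little-endian words (assumed layout). Trailing bytes are zero-padded."""
    padded = data + b"\x00" * (-len(data) % 4)
    return list(struct.unpack("<%dI" % (len(padded) // 4), padded))

def xor_decode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the operation the decode routine performs."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def identify(decoded: bytes) -> Optional[str]:
    """Return the file type if the decoded data starts with a known magic."""
    for magic, name in KNOWN_MAGIC.items():
        if decoded.startswith(magic):
            return name
    return None

def recover_key(blob: bytes, expected_magic: bytes, key_len: int) -> Optional[bytes]:
    """Known-plaintext key recovery: when the decoded output must start with
    expected_magic and the key is no longer than that magic, the key is just
    ciphertext XOR plaintext over the first key_len bytes. Verified by decoding."""
    if key_len > len(expected_magic) or key_len > len(blob):
        return None
    key = bytes(c ^ p for c, p in zip(blob[:key_len], expected_magic[:key_len]))
    return key if identify(xor_decode(blob, key)) else None

# Constructed sample: a fake "Binary Data" block made by XOR-encoding a minimal
# SWF-like header with a 3-byte key. Not taken from the real malicious file.
SAMPLE_KEY = b"\x5a\xa5\x0f"
SAMPLE_PLAIN = b"FWS\x0a" + struct.pack("<I", 0x1234) + b"\x78\x00\x05\x5f"
SAMPLE_BLOB = xor_decode(SAMPLE_PLAIN, SAMPLE_KEY)  # XOR is its own inverse

if __name__ == "__main__":
    print("words:", [hex(w) for w in bytes_to_ints(SAMPLE_BLOB)])
    print("decoded type:", identify(xor_decode(SAMPLE_BLOB, SAMPLE_KEY)))
    print("recovered key:", recover_key(SAMPLE_BLOB, b"FWS", 3))
```

Running the decoded output through `identify` is the quick check that the key is right; a wrong key yields no recognisable signature.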
Advanced Exploitation Techniques
The exploit has to rely on advanced techniques like Heap Spray and a ROP Chain to bypass security mechanisms like DEP and ASLR.
Attribution
This attack was attributed to the China-based threat actor APT3, based on its similarities with Operation Clandestine Fox reported last year. There, the threat actors had similarly exploited a Zero Day in Internet Explorer before downloading a Backdoor onto the victims' systems and eventually achieving lateral movement across multiple hosts.
They have also been blamed for targeting high-profile industries like Construction, Aerospace, Defense, Telecommunications, etc.
Remediation
Adobe has already released a fix for this vulnerability, so make sure your systems are patched.
Since it was a Zero Day affecting fully patched versions, you should also consider whether disabling Adobe Flash is an option.