This post was authored by Nick Biasini, Earl Carter and Jaeson Schultz

Flash has long been a favorite target among Exploit Kits (EK). In October 2014 the Angler EK was believed to be targeting a new Flash vulnerability. The bug that the Angler exploit kit was attempting to exploit had been “accidentally” patched by Adobe’s APSB14-22 update. According to F-Secure, the vulnerability that Angler was actually attempting to exploit was an entirely new bug, CVE-2014-8439. The bug was severe enough that Adobe fixed it out-of-band.

Fast forward to January 2015. With the emergence of this new Flash 0-day bug, we have more evidence that the Angler Exploit Kit developers are actively working on discovering fresh bugs in Flash for themselves. The group is incorporating these exploits into the Angler EK *before* the bugs are publicized. Considering these 0-day exploits are being used alongside one of Angler’s preferred methods of distribution, malvertising, thus intensifying the potential for large-scale compromise.

On January 22, 2015, Adobe released update APSB15-02, which fixes CVE-2015-0310, a bypass of memory randomization mitigations in Flash. However, this new Flash bug is different, and is not fixed by APSB15-02. Adobe has sinced released a security advisory about a new Flash bug, CVE-2015-0311. According to Adobe, “this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8 and below.” This correlates nicely with Talos’ own data which suggests the EK is targeting specific browsers.  We have seen evidence in telemetry of the 0-day only being served to specific User Agents.  Chrome based or non-standard user agents are being served other exploits but the 0-day is being omitted. Unfortunately, a fix for CVE-2015-0311 will not be released until the week of January 26th.

There was a spike of traffic utilizing the 0-day beginning on January 20th, all of which were blocked by Cloud Web Security (CWS). Although this spike showed an increase in Angler related attacks, these attacks represent a small minority of the overall attack traffic. Based on our telemetry data we have seen domains associated with a single registrar being primarily responsible for the exploits being delivered. The approach appears to be rapid domain registration and exploitation with quick rotation of domains. Despite the rapid use of domains the IP’s associated with the attacks have been limited to two primary addresses (46.105.251.7 & 94.23.247.180). Below is a table illustrating domain names recently used by the group as well as several recently registered domains, that have yet to be seen. Most domains are registered one day, and then used for a short period of time beginning the following day. The majority of the domains are used for only 24 hours. Talos continues to see new domain registrations daily. A list of these domains compiled by Talos can be found here.
.

.

.

Indicators Of Compromise (IoCs)
Domain List (As of 1/23/2015)

IP Addresses:
46.105.251.7
94.23.247.180

SHA256:
1f6a4a3314b250e73a5649e2495ec131b27840d0948065f2a9c283a689a7b944

Conclusion
Exploit kits continue to be a threat on your network. Attackers are constantly updating the exploits used in their exploit kits in an attempt to gain access to more systems. Using techniques such as malvertising, these attacks can quickly be distributed to a wide audience. Identifying and stopping this evolving threat requires a layered security approach, which starts with applying security patches in a timely manner for third-party software, such as Flash.  Breaking any step in the attack chain will successfully prevent this attack. Therefore, blocking network connections to known malicious content, as well as stopping malicious process activity are critical to combating the continuous threat imposed by exploit kits. SIDs: 29066, 31332, 33182, 33183, 33184, 33185 ,33186, 33187, 33188 Note: These SIDs represent the best information as of this post. Please refer to Defense Center or Snort.org for the most up-to-date signature information.

Protecting Users Against These Threats

image09

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. CWS or WSA web scanning prevents access to malicious websites, including the downloading of the malware downloaded   during these attacks. The Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors.