On February 20th 2014, Symantec published a blog on a new zero-day vulnerability in Adobe Flash (CVE-2014-0502) being exploited in the wild. Adobe has released security updates for Adobe Flash Player 126.96.36.199 and earlier versions for Windows and Macintosh and Adobe Flash Player 188.8.131.526 and earlier versions for Linux in Adobe Security Bulletin APSB14-07. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system.
This Adobe Flash zero-day, Adobe Flash Player and AIR CVE-2014-0502 Remote Code Execution Vulnerability (CVE-2014-0502), is being used in a watering hole attack. This new attack has been dubbed “Operation GreedyWonk” in various media and is reported to be targeting the websites of three non-profit institutions. Symantec telemetry shows even more sites being targeted in this watering hole attack using this new zero-day.
This attack technique is known as a watering hole attack. In this case the target visits a compromised website that contains an Iframe inserted by the attackers in order to redirect the target to another website (giftserv.hopto.org). This new site loads a malicious index.php file (Trojan.Malscript) which checks whether the victim is running a 32-bit or 64-bit system. Depending on the results, a malicious index.html file (also Trojan.Malscript) and additional components are also downloaded from either the 32-bit or 64-bit folders hosted on the attacker’s server. The malicious index.html file then loads the cc.swf Adobe Flash file (Trojan.Swifi) containing the zero-day. Once exploited, a logo.gif image file is downloaded containing encrypted shell code which downloads and executes the malicious server.exe (Backdoor.Jolob) payload.
Figure 1: Watering Hole attack using Adobe Flash 0-Day
FireEye said visitors to the Peter G. Peterson Institute for International Economics (www.piie[.]com) were redirected to an exploit server hosting this Flash zero-day through a hidden iframe. FireEye also said the American Research Center in Egypt (www.arce[.]org) and the Smith Richardson Foundation (www.srf[.]org) also redirected visitors the exploit server.
It is believed that this campaign may be related to a May 2012 campaign based on some consistent patterns, and that the group behind this intends to infect visitors to foreign and public policy websites.
- An attacker who successfully exploited this vulnerability could gain the same rights as the currently logged on user.
- Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative privileges.
- Windows 7 and Java 1.6
- Windows 7 and out of date versions of Office 2007 and 2010.
- Windows XP
- Adobe Flash Player in Internet Explorer 10
- Adobe Flash Player in Internet Explorer 11
SOC DETECTION CAPABILITIES:
- [MSS URL Detection] CVE 2014-0502 Adobe zero day possible C&C traffic
- Symantec AV:
- Trojan Horse
- Symantec IPS:
- Web Attack: Malicious SWF Download 22
Adobe Flash Player users who are concerned about this vulnerability can follow these mitigation steps:
- Symantec recommends customers use a layered approach to securing their environment, utilizing the latest Symantec technologies, including enterprise-wide security monitoring from Edge to Endpoint.
- Upgrade from Windows XP, upgrade Java from 1.6 to 1.7, and upgrade Microsoft Office to the latest version if running 2007 or 2010.
- Do not use 184.108.40.206 and earlier versions for Windows and Macintosh and Adobe Flash Player 220.127.116.116 and earlier versions for Linux, upgrade to the newest version of Adobe Flash Player.
- Deploy the Enhanced Mitigation Experience Toolkit (EMET).
- Do not use out of date software, keep your operating system and software up to date with the latest versions and security patches.
- Run all software as a non-privileged user with minimal access rights.
- To reduce the impact of latent vulnerabilities, always run non-administrative software as an unprivileged user with minimal access rights.
- Deploy network intrusion detection systems to monitor network traffic for malicious activity.
- Do not follow links or open email attachments provided by unknown or untrusted sources.
- Memory-protection schemes (such as non-executable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.
- Symantec Security Response: New Flash Zero-Day Linked to Yet More Watering Hole Attacks
- Adobe Security Bulletin
- Operation GreedyWonk: Multiple Economic and Foreign Policy Sites Compromised, Serving Up Flash Zero-Day Exploit
- Microsoft Security Advisory (2755801)
We thank you again for choosing Symantec as your Managed Security Services Provider. Should you have any questions or feedback, please contact your Services Manager, or the Analysis Team can be reached by requesting help via phone, e-mail, or visiting the MSS portal at https://mss.symantec.com.
Global Client Services Team
Symantec Managed Security Services