Threat Research Blog

Flash Newsflash

The latest Adobe Flash attack, used by the popular hacker tool Angler, is yet another reminder of the importance of securing users with web browsers. Today we make another announcement of a threat group using a relatively new exploit, patched by Adobe two weeks ago (CVE-2015-3090). The time between exploit and widespread use is diminishing rapidly. The Angler exploit kit is one of the most popular tools in use today, so it should not be unexpected that many more threat actors will now be using this new exploit against unpatched systems in targeted organizations.

The web browser continues to be a huge vector of attack. If we look at the number of zero-day attacks focused on browser plugins since 2013, we find that Flash and Java make up 11 out of 28 zero days used by threat actors. In 2015, four out of six zero days have been Flash-based. Also of note, since the end of 2013, Java-based attacks have dropped off significantly.

The lesson we can learn from this is that organizations face significant threats from unpatched Flash code running on their endpoints. Since it is infeasible to patch all devices quickly or to turn off Flash for many websites today, organizations need to be able to detect websites that are using or delivering exploit kits such as Angler to compromise devices, and to understand what the attackers do next.

More importantly, understanding the who (i.e., the tools, techniques and procedures an attacker uses to exploit and maintain persistence) and their long-term objectives should be a high priority. Organizations are overwhelmed by alerts from malware, crimeware and other threat actors. Focusing on the who will help organizations prioritize and mitigate the high-impact threats more quickly.