Exploits of the latest Adobe Flash Player zero-day vulnerability highlight the threat to the enterprise of web-based exploit kits such as Angler, say security researchers.
The exploit, reported by security researcher Kafeine, affects the latest 220.127.116.117 version of Flash Player and has been observed dropping a trojan downloader called Bedep.
There is a growing trend for kits to drop Java, Internet Explorer and PDF exploits in favour of the more successful Flash and Silverlight exploits, according to security firm Websense.
Using vulnerabilities in these popular applications offers attackers a large surface area of vulnerable clients, Websense security labs researchers noted in a blog post.
They recommend disabling Flash Player in the browser until a security update is available from Adobe.
"Malware authors are bringing their proven formula into 2015," said Carl Leonard, principal security analyst at Websense. "What better way to establish a foothold in numerous organisations than by hitting businesses in their popular applications?"
Adam Winn of security firm Opswat said that while the rise of yet another zero-day attack is unnerving, the "silver lining" is that a fully patched Windows 8.1 environment is not vulnerable.
"Users of Windows 8.1 can protect themselves simply by ensuring Windows automatic updates are enabled, and promptly rebooting their system when instructed to," he said.
According to Winn, these types of attacks will be increasingly common for Windows XP and soon Windows 7 as Microsoft stops releasing security updates.
Richard Cassidy, technical director for Europe at security firm Alert Logic, said web-based exploit kits like Angler pose a real and complex threat to businesses.
They are particularly challenging because they run as web applications designed to exploit vulnerabilities in browsers and browser plug-ins, and their attacks can use both file-based malware code that is downloaded and fileless malicious code that is executed in memory only.
This means anyone in an organisation could unwittingly visit a compromised website that silently uses web applications or adverts hosted on the site to infect the target system, or could click on a malicious link in a carefully crafted email.
"Once infected, the exploit kit simply chooses which exploit to run based on its knowledge of your browser and exploitable plug-ins such as Flash, which in turn leads to a compromise of the system and loss of data, or unwanted activity," said Cassidy.
"The subject of exploit kits and their operation is a complex one from a security perspective for businesses," he added.
From an attacker perspective, Cassidy said exploit kits make the task of gaining access to a user's system through web-based exploitable vulnerabilities very easy indeed.
"Attackers do not need a great deal of technical expertise to effectively use them and can gain access to compromised systems in a very short period of time," he said.
Those looking to protect systems against the vulnerabilities exploited by these kits will find it far more difficult, said Cassidy.
Organisations need to ensure that their critical systems and applications are patched to the latest supplier levels, but even that is no guarantee of security.
"If exploit kits are still able to exploit bugs that have yet to be fixed or find zero-day exploits, the task of security compliance for businesses is made a great deal more difficult," said Cassidy.
He suggested that organisations implement web-based application security as a defence and that users should be reminded to consider any links contained in emails very carefully.
"Educating users to pay greater attention to the sites being visited and maintaining a level of trusted-only access will also go a long way in protecting against potential compromise," he said.
At a deeper level, Cassidy said that having network file, packet and log monitoring tools in place to detect unusual activity around the kill chain for intrusion would help provide a better level of protection against zero-day exploits.
Leonard advocates a similar approach to provide protection across all stages of the cyber kill chain, which is an incident response model developed by Lockheed Martin.
The model analyses cyber attacks in seven key stages to find ways to detect and disrupt each stage from reconnaissance through to collecting or exfiltrating data.
"Most importantly, data theft prevention is so important because it's the final stage, and the most dangerous. Left exposed, it opens the door to the bad guys and gives them access to the company's most valuable secrets," said Leonard.