The speed with which attackers are weaponizing zero-day vulnerabilities in the wild has been essentially cut in half.
New research presented at Black Hat 2015 by Malwarebytes Labs shows that after Hacking Team, an Italian security company specializing in offensive technology, was compromised, its trove of zero days was leaked to the Internet, including several for Adobe’s Flash Player. The zero days were previously unknown, but were accompanied by clear and concise instructions for deploying them. As a consequence, exploit kit makers integrated them into their digital weapons in record time.
The window of exposure for the Flash flaws researched by Malwarebytes was July 6 to July 8, 2015, with exploits carrying various payloads: The Neutrino EK drops a proxy Trojan; the Angler EK drops a password stealer; Nuclear Pack EK drops crypto ransomware; Magnitude EK drops crypto ransomware; and the HanJuan EK drops ad fraud.
“This zero-day campaign is notable for the speed demonstrated by exploit kit makers in integrating the exploit into their platforms,” said Malwarebytes researcher Jean Taggart. “This was further facilitated by the helpful readme files provided by Hacking Team, which clearly explained how to deploy the vulnerability.”
Two days after the zero-day leak, a Metasploit module was added too: an exploit for CVE-2015-5119 was integrated into the Metasploit Framework, the open-source component of the most popular computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
On July 8, Adobe pushed an emergency update addressing the vulnerabilities, effectively making all downstream EK integration non-zero day.
“The cybercriminals who develop exploit kits are always on the lookout for additional vulnerabilities to add to their arsenal,” Taggart noted. “Their selection of vulnerabilities directly affects their businesses, their popularity, as well as the prices they can charge malware authors who use their services as a vehicle for delivery. All of this hinges on successful infections, and using zero days yields the highest infection rates possible.”
While this incident is unique, as zero-day exploits are seldom available at no cost and accompanied by a detailed crib sheet explaining how to deploy them, it nonetheless shows the need for a layered defense that includes addressing the challenges that zero days bring to the table.