Cyber-criminals have added a recently patched Flash Player zero-day vulnerability to the notorious Magnitude exploit kit, significantly raising the risk of users being targeted with attacks making use of the flaw.
Independent malware researcher ‘Kafeine’ revealed the news in a blog post over the weekend, claiming that the vulnerability was being exploited to drop the infamous CryptoWall ransomware onto victim machines.
CVE-2015-3113, a flaw in the way Flash Player parses Flash video files, was patched by Adobe last week in an out-of-band security update after researchers spotted it being exploited in the wild in targeted attacks.
FireEye claimed that it was being used in a large-scale phishing campaign aimed at high-tech, telecoms, transportation, construction, and aerospace and defense firms.
The security vendor has attributed the attacks to Chinese group APT3, which it says has a history of introducing new browser-based exploits against commonly targeted software including Flash and Internet Explorer.
The group came to prominence in April last year when FireEye revealed its existence in the Operation Clandestine Fox report, which details a sophisticated targeted attack group capable of evolving its tools and techniques to evade detection.
Similarly, those behind the Magnitude exploit kit are forever enhancing it with new features and functionality. Just a week ago, they added another patched Adobe Flash vulnerability, CVE-2015-3105, to drop CryptoWall 3.0 onto victims’ machines.
According to a report from Trustwave last year, Magnitude had 31% of the exploit kit market and was poised to overtake Blackhole as the leading EK on the underground market.
The report claimed that the kit generates a weekly income of $60,000 and has already affected hundreds of thousands of users in over 50 countries worldwide.
The news should be a reminder to individual users and sysadmins to keep up to date with the latest patches for operating systems and key software like Internet Explorer and Adobe Flash.
Nearly 6% of programs on the average UK computer have already reached end-of-life and are no longer supported – led by Adobe Flash Player 16.x, which is still installed on 81% of machines, according to the latest Secunia PSI Country Report.