News
Flash zero-day exploit deployed by the ScarCruft APT Group - expert comments
June 2016 by
According to a recent Kaspersky blog, attacks on organisations are being launched by an APT group named ScarCruft, using a zero-day Flash exploit. ScarCruft is a relatively new APT group and victims have been observed in Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations, utilising multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer. Dubbed Operation Daybreak, the attack appears to have been launched by unknown attackers to infect high profile targets through spear-phishing e-mails.
David Gibson, VP of strategy and market development at Varonis
“Over the last decade, many have replaced Flash with newer technology (HTML5, for example). We only see critical legacy web applications keeping Flash active in a production environment.
If Flash is still required in your environment, you really need to ask yourself, “why?” If you need to keep it, acknowledge the risk, make plans to fix or compensate, and take steps to minimise the potential damage. Restricting user access and getting to a least privilege model is a good idea regardless of whether you have a flash problem – locking down access forces attackers to work harder to find the data they are trying to steal.
The key to sustainable security is to prioritise detection. Instead of focusing all efforts keeping the attackers out, make sure you can spot when they get in – user behaviour analytics technologies that watch how users access the data you’re trying to protect can make a big difference.”
Jamie Moles, principal sales engineer at Lastline
“Vulnerabilities in Flash are nothing new and despite Adobe’s best efforts to patch holes as they are discovered the platform is inherently broken - this is technology first developed in the 1990’s for fast graphics production and security was clearly an afterthought in its development.
The primary reasons for Flash’s widespread use even today is its adoption by YouTube 10+ years ago, combined with its platform independence - it works in pretty much any browser on almost all platforms and renders consistently across platforms which can drastically reduce the development time for content providers on Browser based and mobile platforms.
Modern platforms such as twitch.tv and Google Ads still use Flash extensively but there is a push to move to HTML5 which is considered to be more secure – Google will be refusing to accept ads made with Flash from January 2017, Chrome and Firefox block Flash as a default. Industry acceptance and rollout of HTML5 could very likely push Adobe to announce Flash End-of-life sometime in 2017.
If organisations are unable to move away from Flash in the short term, there are a few steps they can take to protect themselves, including staying on top of their patching regime – set Adobe Flash to auto update in particular, install Microsoft Enhanced Mitigation Experience Toolkit which is known to be effective at mitigating this latest attack. These defences however require configuration and maintenance on the endpoint and can become onerous for organisations that don’t have the time and resources to keep up with developing threats. A more effective solution is to implement an effective Breach Detection solution to prevent malicious software that might seek to leverage Flash zero days from entering the organisation – these technologies work at the Infrastructure level to detect and prevent threats in Web traffic and Email before they get to the user/endpoint and become an issue.
APT class threats are not going to go away any time soon as attackers are constantly working to crack the latest and greatest offerings from the most popular software vendors – but steps can and should be taken by all diligent organizations to protect themselves.”
Mark James, security specialist at ESET:
“As with a lot of the threats we see around today the end user usually is directed somewhere dubious or tricked into downloading the malicious file and then executing it. Protecting yourself against Flash and indeed many other exploits can be as simple as multi layering your defences, ensuring your operating system and applications are up to date and updating regularly is very important along with taking some precautions against auto running files. Blocking scripts and attachments is a good start and will at least give you the control on deciding what is and is not going to be executed, browser plugins are easy to find and install with nearly all common browsers today that can automatically stop attachments like .swf from being run along with many others.
If you absolutely have to have Flash installed then enabling Click-to-Play will definitely help you from running something malicious, whenever you visit a website that uses flash you have to manually choose if you want to run that content instead of it running automatically, this will protect you from drive-by attacks that could infect you simply by visiting that page.
Making sure your internet security product is on the latest version and getting its regular updates is crucial in keeping you safe when dealing with emails and the modern day internet, with so many possible attack vectors it’s almost impossible for the average user to know 100% what is good and bad so any and all help should be embraced and installed as quickly as possible.”
Javvad Malik, security advocate at AlienVault:
“Flash has been the perennial thorn in the side of security for many years. It’s widespread and continually suffers from major security flaws.
Whilst disabling Flash would be the first answer, for many organisations, particularly large ones, conducting a software refresh or migrating dependent applications off Flash require a lot of effort. And most of these organisations have other priorities, like trying to migrate away from windows XP.
To tackle an issue like Flash, or other similar software requires a 4 step approach:
1. Creation
The first step is for product vendors and software developers to employ rigorous security controls in order to ensure products are created in a secure manner as possible.
2. Deployment & assurance
If products like Flash can’t be completely removed. Then the ability to auto-execute or auto-run should be disabled. Enterprises should also seek to attain assurance that the software is running as it should do. This can be achieved through code reviews, penetration testing, and also continually monitoring the state of IT.
3. User awareness
Continual user awareness is needed to serve as a constant reminder of the dangers that exist through clicking on malicious links, plugging in unknown devices etc.
4. Threat sharing
Many companies conduct and gather threat data. It’s important to share the information in a timely manner to allow defences to be tuned prior to an attack. This is particularly important where an APT like ScarCruft is using the zero-day sparingly, against specifically selected targets. An approach that can allow it to operate for longer periods undetected. AlienVault OTX is the perfect platform to allow rapid and wide threat-sharing.
The AlienVault pulse, https://otx.alienvault.com/pulse/5763b62af15dc60134d2534a/ contains the relevant information and downloadable indicators of compromise (IOCs) relating to this ScarCruft campaign.
Code to embed the pulse in a blog is below:
”
