US-CERT Warns of Continuous Exposure to Zero-Day Phishing Campaigns

August 2015 by Dan Ingevaldson, CTO

On August 1st, US-CERT published an advisory titled "TA15-213A: Recent
Email Phishing Campaigns - Mitigation and Response Recommendations". One
of the vulnerabilities leveraged in these new phishing campaigns is a
use-after-free (UAF) vulnerability in Adobe Flash (CVE-2015-5119). This
vulnerability is particularly interesting because it became public as a result
of the hack and subsequent dump of HackingTeam's email and source code.
What is interesting here is not the existence of the vulnerability, but how
this case underlines the massively asymmetric situation that defenders find
themselves in.

The HackingTeam exploit was already "weaponized", in that it was fully
productized, tested and documented. There is a big difference between
ordinary proof-of-concept exploit code and fully weaponized exploit
code: probably many man-weeks of work to ensure stability across
multiple operating systems and browsers, evasion of security products, and
crash-free execution. HackingTeam was hacked on July 5th, the exploit was
"found" in the published archive on July 7th, and it was immediately added to
exploit kits such as Angler and Nuclear.

This 48-hour window from disclosure to exploitation is short and
relatively unusual, because weaponized code does not make it into the wild
that often, but it highlights how challenging defense can be under the
threat of a seemingly endless supply of client-side zero-day exploits.

Phishing attacks remain the most obvious and effective vector for
exploitation of these vulnerabilities. However, some classes of these
vulnerabilities are completely preventable in 2015. Flash itself has been
under assault by the security community for years, due to its unusual
combination of properties: it is perpetually vulnerable to attack, a
successful exploit hands the attacker code execution on the victim's machine,
and it is still considered fairly ubiquitous. Several prominent security
professionals and researchers have called for the public execution of Flash
and its permanent removal from all web browsers. As Apple showed after the
initial release of the iPhone, it is possible to use the Web without Flash,
and Flash's popularity has steadily been on the decline.

It is still nearly impossible to prevent exploitation by zero-day attacks
via email. But it is much more realistic to stop the higher probability of
successful attacks in the period immediately after disclosure, when exploit
code is in the wild and patches have not yet been deployed—in this case,
the time immediately after July 5th.

As a defender, ask yourself: do you need to accept zip or other archived
attachments from the outside? What about encrypted or password-protected
archives, whose contents no gateway scanner can inspect? It is 2015 and there
are much better solutions for sending and receiving files than email
attachments. Have you deployed DMARC validation on inbound email to decrease
the likelihood of spoofed emails that carry malware? Do your users absolutely
require Flash? If so, should you accelerate your efforts to end your reliance
on Flash and other browser plugins?
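The attachment and DMARC questions above can be turned into a mechanical gate at the mail boundary. The following is an added example written for this page, not code from the article or from Easy Solutions: it parses a raw inbound message, refuses archive and active-content attachments (including Flash .swf files), looks inside a zip's central directory for password-protected members or nested archives without extracting anything, and honours only the DMARC verdict that our own MTA stamped into Authentication-Results, ignoring copies a sender could have forged. The authserv-id `mx.example.net`, the extension lists and the sample messages are constructed assumptions.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

AUTHSERV_ID = "mx.example.net"  # assumed authserv-id of our own inbound MTA (constructed)
ARCHIVE_EXT = {".zip", ".7z", ".rar", ".gz", ".tgz", ".tar", ".bz2", ".xz"}  # refused from outside
ACTIVE_EXT = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta", ".jar", ".swf", ".cpl", ".pif"}

def file_ext(name):
    name = (name or "").lower()  # lower-cased final extension, '' when there is none
    return name[name.rfind("."):] if "." in name else ""

def inspect_zip(data):
    """Read only the central directory (nothing is extracted) and report what is inside."""
    report = {"malformed": False, "encrypted": False, "nested": [], "active": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report["malformed"] = True
        return report
    for info in zf.infolist():
        if info.flag_bits & 0x1:  # general-purpose flag bit 0: this member is encrypted
            report["encrypted"] = True
        ext = file_ext(info.filename)
        if ext in ARCHIVE_EXT:
            report["nested"].append(info.filename)
        if ext in ACTIVE_EXT:
            report["active"].append(info.filename)
    return report

def dmarc_result(raw_or_msg):
    """DMARC verdict from the Authentication-Results header stamped by our own MTA. Copies
    with any other authserv-id are ignored (a sender can add those to forge a pass)."""
    msg = raw_or_msg
    if isinstance(raw_or_msg, bytes):
        msg = email.message_from_bytes(raw_or_msg, policy=policy.default)
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(value).partition(";")
        if authserv.strip().lower() != AUTHSERV_ID:
            continue
        m = re.search(r"\bdmarc=(\w+)", rest)
        if m:
            return m.group(1).lower()
    return "none"  # our MTA recorded no verdict (no DMARC record, or header missing)

def evaluate(raw):
    """Policy violations for a raw RFC 5322 message; an empty list means accept."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if dmarc_result(msg) == "fail":
        reasons.append("dmarc=fail: sender domain publishes a policy and alignment failed")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = file_ext(name)
        if ext in ACTIVE_EXT:
            reasons.append(f"active content attachment: {name}")
        if ext in ARCHIVE_EXT:
            reasons.append(f"archive attachment: {name}")
        if ext == ".zip":
            z = inspect_zip(part.get_payload(decode=True))
            if z["malformed"]:
                reasons.append(f"malformed zip, cannot be inspected: {name}")
            if z["encrypted"]:
                reasons.append(f"password-protected zip, cannot be inspected: {name}")
            reasons += [f"nested archive inside {name}: {m}" for m in z["nested"]]
            reasons += [f"active content inside {name}: {m}" for m in z["active"]]
    return reasons

def make_zip(members, encrypted=False):
    """Constructed test zip. The stdlib cannot write encrypted members, so encrypted=True sets
    flag bit 0 in every local header (offset 6) and central header (offset 8): the on-disk
    shape a gateway keys on, with member bytes left in plaintext."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    blob = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            i = blob.find(sig)
            while i != -1:
                blob[i + off] |= 0x1
                i = blob.find(sig, i + 1)
    return bytes(blob)

def build_sample(dmarc, filename, payload, subtype, authserv=AUTHSERV_ID):
    """Constructed inbound message: one attachment plus an Authentication-Results header."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "accounts@example.com", "ap@example.net", "Invoice"
    msg["Authentication-Results"] = f"{authserv}; dmarc={dmarc} header.from=example.com"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(payload, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()

SAMPLE_CLEAN = build_sample("pass", "report.pdf", b"%PDF-1.4 constructed", "pdf")
SAMPLE_BAD = build_sample("fail", "invoice.zip", make_zip(
    {"invoice.scr": b"MZ constructed", "more.zip": b"PK"}, encrypted=True), "zip")
```

`evaluate(SAMPLE_CLEAN)` returns an empty list, while `evaluate(SAMPLE_BAD)` lists the DMARC failure, the archive, its password protection, the nested archive and the screensaver inside it. Two design points matter in practice: a DMARC verdict of `none` is not treated as a failure, because most sending domains in 2015 publish no policy and rejecting them would break legitimate mail; and a message whose Authentication-Results header names a foreign authserv-id is treated as carrying no verdict at all, which is the only safe reading of a header the sender controls.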

Easy Solutions does business primarily with financial services
organizations around the world. Many if not most of them simply block
inbound email attachments or use layers of rules to ensure that the many
email-based attack vectors are closed from the outside. They are still able
to function quite well with the added benefit of not being a sitting duck
for the next zero-day seeded phishing campaign.
