Fiesta(CVE-2014-0569)

Cyber-criminals quickly adopt critical Flash Player vulnerability

Keeping your computer up-to-date is probably one of the best pieces of advice one can give when it comes to online security.

Perhaps it should also be emphasized that patches ought to be applied in a timely fashion.

Case in point, less than a week ago, a critical flaw in the Flash Player (CVE-2014-0569) was patched and made public:

CVE

The vulnerability had been privately reported to Adobe through the Zero Day Initiative group giving the firm the time to fix the issue before it became known to the world.

Typically security researchers and criminals will be very attentive to such news and skilled reverse engineers will start looking at the patch to be able to reconstruct the exploit. All things considered, there is normally a certain amount of time before a proof of concept is released and then a little more time before that poc is weaponized by the bad guys.

You can imagine how surprised Kafeine was when he stumbled upon that same CVE in a real world exploit kit (Fiesta EK) only one week after the official security bulletin had been published!

Although this is not a zero day, one can imagine that there was a strong and urgent interest in exploiting this vulnerability in the wild.

That means we have less and less time to deploy and test security patches. Perhaps this is not too much of a deal for individuals, but it can be more difficult for businesses which need to roll out patches on dozens of machines, hoping doing so will not cause malfunctions in existing applications.

In any case, this was our first chance to test CVE-2014-0569 in the wild by triggering the Fiesta EK against Malwarebytes Anti-Exploit:

Fiesta(CVE-2014-0569)

The server sends down the exploit landing page quickly followed by the new Flash exploit which is successfully blocked by Anti-Exploit.

We also observed another Flash exploit (we are not sure about which CVE is targeted yet, only that is was patched a week ago also) in the Angler EK:

Angler(CVE-2014-0569)

It is crucial to patch any system running outdated Flash Player versions as soon as possible!

You can check the version you are running (make sure to do this in all the browsers you use) by going here.

To download the latest version click here (don’t forget to uncheck the pre-selected options to download toolbars or other Potentially Unwanted Programs AKA PUPs):

Browsing the Net on an unpatched computer is like playing the Russian roulette with a handful of loaded guns: “do you feel lucky?”.

Payloads

The first payload you get hit with is the infamous fileless malware also known as Bedep which enrolls you inside of a botnet:

Botnet

Malwarebytes Anti-Malware detects the initial payload as Trojan.FakeMS.ED.

As they say, the rest is history, with more malware being downloaded and yet another machine ready to send out spam once it has been pick pocketed.

The bad guys are not going to run short of vulnerabilities they can weaponize at a quicker rate than ever before. This leaves end-users with very little room for mistakes such as failing to diligently apply security patches sooner rather than later.

Many thanks go to Kafeine for providing additional data on CVE-2014-0569. Feel free to read his original post here.

@jeromesegura

ABOUT THE AUTHOR

Jérôme Segura

Principal Threat Researcher