A few hours ago, a security researcher, Kafeine, spotted an instance of the Angler Exploit Kit which is exploiting an unpatched vulnerability affecting Adobe Flash. It appears that any version of Internet Explorer or Firefox with any version of Windows can be owned if the latest version (16.0.0.287) of Adobe Flash is installed and enabled.
Victims of this type of attack are subject to being infected with several variants of malware that can lead to system instability as well as potential data breach and data destruction.
AlienVault Labs is investigating information we were able to obtain from different sources, including the research from Kafeine. We have confirmed that we have had Network Intrusion Detection signatures in Unified Security Management (USM) since last November that will detect the instance of Angler exploiting this vulnerability. As a result, the following alarm will fire when instances of the Angler Exploit Kit are detected:
• Exploit & Installation, Malicious Website – Exploit Kit, Angler EK
Note, this exploit will not affect USM – it only affects Windows systems. Regarding detection of the exploit, USM detects the framework to deliver the exploit (Angler Exploit Kit), which ensures that we detect the malicious activity regardless of the vulnerability being exploited. This detection technique helps minimize the evasion effect of 0day attacks. Trend Micro subsequently found a new infection chain applicable to the Angler Exploit Kit, but, as mentioned above, USM will also detect and alarm on this by detecting the framework itself.
Despite detection provided by USM, we recommend disabling the Adobe Flash Plugin until a patch is released.
References:
http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html
http://blog.trendmicro.com/trendlabs-security-intelligence/flash-greets-2015-with-new-zero-day/
http://windows.microsoft.com/en-us/internet-explorer/manage-add-ons#ie=ie-11
