Hacking Team 0-day Flash Wave with Exploit Kits


After Hacking Team was compromised, a lot of information was publicly disclosed beginning on the 5th of July, in particular its business clients and a zero-day vulnerability in Adobe Flash Player that they had been using.

Since the info about the first zero-day was made freely available, we knew attackers would swiftly move into using it. As expected, the flash exploit was integrated into exploit kits such as Angler, Magnitude, Nuclear, Neutrino, Rig, and HanJuan as reported by Kafeine.

Based on our telemetry, there was a rise in Flash exploits beginning on the 6th that continued until the 9th.

[Image: overall_stats]

Here are the stats for each exploit kit:

[Image: ek_stats]

The security advisory for the CVE-2015-5119 zero-day was released on the 7th of July and the patch was made available on the 8th, so the hits started to decline about two days after the patch.

But just when people had started updating their systems, there was yet another spike in Angler Flash exploit hits:

[Image: weekend_wave_stats]

Apparently, two more Flash vulnerabilities, CVE-2015-5122 and CVE-2015-5123, were discovered. These vulnerabilities are still waiting to be patched. According to Kafeine, one of the two vulnerabilities was added to the Angler exploit kit.

As a side note related to the Angler exploit kit: as you may have noticed in the second chart above, Angler and HanJuan share the same statistics. This was because our detections for Angler Flash exploits were also hitting on HanJuan Flash exploits.

We verified this after discovering that a different URL pattern was being caught by the Angler detection:

[Image: angler_vs_hanjuan_urlpattern]
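The attribution problem above, where one file-based detection name fires on two kits and the URL is what tells them apart, is easy to reproduce against telemetry. The following is an added example and not F-Secure's telemetry code; the hit lines, the detection name and both URL path patterns are constructed stand-ins (the post shows the real patterns only as an image), so only the approach carries over: count hits by detection name alone and the two kits collapse into one bar, count by (detection name, URL-attributed kit) and they separate.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample hits: (detection name, landing/exploit URL).
# The detection name is a made-up stand-in, not a real product signature.
SAMPLE_HITS = [
    ("SWF.Angler.sample", "http://kit-a.example/topic.php?id=7381"),
    ("SWF.Angler.sample", "http://kit-a.example/news.php?view=20110"),
    ("SWF.Angler.sample", "http://kit-b.example/qwerty/0123456789abcdef0123456789abcdef"),
    ("SWF.Angler.sample", "http://kit-b.example/asdfgh/fedcba9876543210fedcba9876543210"),
    ("SWF.Angler.sample", "http://other.example/index.html"),
]

# Hypothetical kit-specific URL shapes (path plus query). These are NOT the
# patterns from the post; they only illustrate that the URL, not the SWF, is
# the discriminating feature when two kits ship the same exploit file.
KIT_URL_PATTERNS = {
    "Angler": re.compile(r"^/[a-z0-9]+\.php\?[a-z]+=\d+$"),
    "HanJuan": re.compile(r"^/[a-z]{6,}/[0-9a-f]{32}$"),
}


def attribute_kit(url: str) -> str:
    """Return the kit name whose URL pattern matches, or 'unknown'."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    for kit, pattern in KIT_URL_PATTERNS.items():
        if pattern.search(target):
            return kit
    return "unknown"


def naive_counts(hits) -> dict:
    """Counting by detection name only: both kits land in the same bucket."""
    return dict(Counter(name for name, _ in hits))


def split_counts(hits) -> dict:
    """Counting by (detection name, URL-attributed kit) separates the kits
    and also surfaces hits that match neither known URL shape."""
    return dict(Counter((name, attribute_kit(url)) for name, url in hits))


if __name__ == "__main__":
    print("by detection name:", naive_counts(SAMPLE_HITS))
    print("by detection + URL:", split_counts(SAMPLE_HITS))
```

The "unknown" bucket is worth keeping in a real pipeline: a file-based detection that fires on a URL shape matching no known kit is the first sign that a signature has started catching a third kit, or that a kit has changed its URL scheme.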

We looked at the Flash exploit used by both kits, and the two are nearly identical.

Angler Flash Exploit:

[Image: anglerek_ht0d_3]

HanJuan Flash Exploit:

[Image: hanjuanek_ht0d_3]

There has already been speculation that there are strong connections between the actors behind the two exploit kits. For example, both have used "fileless" delivery of the payload and even similar encryption methods. Perhaps at some point we will see HanJuan supporting these new Flash 0-days as well.

In the meantime, since there isn't a patch out yet for these new ones, our users remain protected from the exploit kits through Browsing Protection as well as these detections:


UPDATE: Adobe has released patches for the recent two vulnerabilities: CVE-2015-5122 and CVE-2015-5123. Users are recommended to update to the latest version of Adobe Flash Player.

On 13/07/15 At 12:29 PM

New Home: labsblog.f-secure.com


This blog – News from the Lab – was started 4,232 days ago to monitor the Mydoom worm's DDoS attack on sco.com.

A bit more than 11 years and two months… and we're now moving this blog to a new home.



If you follow News from the Lab via an RSS feed, point your reader of choice here. (We'll set up a 301 redirect in the near future.)

You can also "follow" us via Twitter at @FSLabs. We'll tweet links to posts, and other things, there.

So, what happens to the content at f-secure.com/weblog? For now, it stays right here. You'll find the archives here and you can search them with Bing. Why Bing? Because Google started censoring, or rather largely stopped indexing, this blog back in October 2012. Something about our old-school approach with a full RSS feed clashed with Google's "Penguin" algorithm. (So much for organizing the world's information.) Bottom line: you don't have a right to be remembered by a search engine if it doesn't further its business interests. To be fair, Google had a big problem fighting content farmers at the time, and we just got caught in the middle. Content farmers can take our full feed and republish it at will. And so out went the baby with the bathwater.

More about that in the future, perhaps.

Final thought: how has this blog remained secure when it's been running a platform version originally released on Jul 4, 2007? Simple. The platform has never been "on" the web! This Greymatter blog runs on an internal server, and we use a script to copy the content to a web-based folder. So what you are reading right now is only a copy.
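The "platform never on the web" setup described above is a static-export design: the blog engine and its scripts stay on an internal host, and only rendered content reaches the web root. The script below is an added illustration of that pattern and is not F-Secure's copy script; the file-type allowlist, the deny list of server-side script types and the demo directory layout are all hypothetical. It copies only static file types, skips dotfiles and symlinks, and audits the public folder afterwards so that an engine file such as a CGI script can never end up reachable from the web.

```python
import shutil
import tempfile
from pathlib import Path

# Hypothetical allowlist: rendered content that is safe to expose.
STATIC_SUFFIXES = {".html", ".htm", ".css", ".js", ".png", ".gif", ".jpg", ".xml", ".txt"}
# Hypothetical deny list: server-side code that must never reach the web root.
SCRIPT_SUFFIXES = {".cgi", ".pl", ".php", ".py", ".sh"}


def publish(source: Path, public: Path) -> dict:
    """Copy allowlisted static files from the internal tree to the public
    folder. Everything else (engine scripts, dotfiles, symlinks) is skipped."""
    copied, skipped = [], []
    for path in sorted(source.rglob("*")):
        if path.is_dir():
            continue
        rel = path.relative_to(source)
        hidden = any(part.startswith(".") for part in rel.parts)
        if path.is_symlink() or hidden or path.suffix.lower() not in STATIC_SUFFIXES:
            skipped.append(rel.as_posix())
            continue
        dest = public / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)
        copied.append(rel.as_posix())
    return {"copied": copied, "skipped": skipped}


def audit(public: Path) -> list:
    """Return any file in the public folder whose type suggests server-side code."""
    return sorted(
        p.relative_to(public).as_posix()
        for p in public.rglob("*")
        if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES
    )


def demo() -> dict:
    """Build a constructed internal tree in a temp dir, publish it, and audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, pub = root / "internal", root / "public"
        (src / "archives" / "2015").mkdir(parents=True)
        (src / "index.html").write_text("<html>front page</html>")
        (src / "archives" / "2015" / "post.html").write_text("<html>post</html>")
        (src / "gm.cgi").write_text("#!/usr/bin/perl\n")  # the engine itself
        (src / ".htpasswd").write_text("not-for-the-web")   # hidden config
        result = publish(src, pub)
        result["leaked_scripts"] = audit(pub)
        return result


if __name__ == "__main__":
    print(demo())
```

Run the copy from the internal side with an account that has only write access to the public folder; the audit step is the cheap check that the export boundary still holds after someone adds a new file type to the engine.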

Now it's time to try something different. We look forward to seeing you there.


On 01/09/15 At 10:35 AM