Adobe Flash Player 0-day Abused In The Wild (CVE-2015-3113), Our Customers Protected
Websense® Security Labs™ researchers are aware of a vulnerability in Adobe Flash Player, CVE-2015-3113. Exploitation of the vulnerability triggers a buffer overflow, which a malware author can abuse to execute arbitrary code on the victim's machine. Adobe have rated this vulnerability "critical".
Exploitation of this vulnerability has been observed in the wild through our ThreatSeeker Intelligence Cloud.
Observed Behaviour In The Wild
Websense Security Labs have been tracking abuse of this 0-day in the wild since the start of June 2015. The attacks follow a typical threat lifecycle: reconnaissance, lure, redirect, exploit, payload, call home.
Observed lure artefacts take the form of emails which contain a link to a website in the Ukrainian TLD space. The email subject hints at a "2015 Program Kick Off" and the body references a meeting for which the recipient is invited to click a link to "find out more".
Observed target industries include the engineering and science sectors.
Exposure
Microsoft Windows 8 users of Google Chrome and Internet Explorer should be automatically updated.
Adobe have advised users of Internet Explorer for Windows 7 and below, as well as users of Firefox on Windows XP, that those platform combinations are known targets.
More information on the vulnerability and the affected versions is available in Adobe's Security Bulletin APSB15-14.
Impact
Websense customers are protected against this threat via real-time analytics within ACE, the Websense Advanced Classification Engine, at the following stages:
Stage 2 (lure) - ACE has protection for the initial lure emails
Stage 3 (redirect) - ACE has protection for the website used to direct end users to the payload
Further information on the 7 Stages of Advanced Attacks threat lifecycle model can be found here.
Mitigation
Adobe have released an update to various versions of Flash Player. Customers are encouraged to apply the latest version of Adobe Flash Player as soon as possible. The latest versions can be found here: https://get.adobe.com/flashplayer/
An alternative mitigation strategy is to consider whether disabling Flash Player is appropriate in your environment.
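To act on the update advice above, administrators first need to know which Flash Player builds are actually present on their Windows hosts. The following PowerShell script is an added example, not code from Websense or Adobe: it inventories the Flash Player binaries in the standard system-wide install directories and flags any build older than the fixed version. The minimum fixed version is a placeholder that must be replaced with the value from Adobe Security Bulletin APSB15-14; the Macromed\Flash paths are the conventional locations for the ActiveX (Internet Explorer) and NPAPI (Firefox) plugins and are assumed here.

```powershell
# Added example (not from Websense or Adobe): inventory system-wide Flash Player
# binaries on a Windows host and report any that predate the fixed build.
# PLACEHOLDER: replace with the fixed version listed in APSB15-14.
$MinimumFixedVersion = [version]'0.0.0.0'

# Conventional install locations for the ActiveX (IE) and NPAPI (Firefox) plugins
# on 32-bit and 64-bit Windows (assumed; adjust if your deployment differs).
$FlashDirs = @(
    "$env:windir\System32\Macromed\Flash",
    "$env:windir\SysWOW64\Macromed\Flash"
)

function Get-FlashPlayerBinary {
    # Returns one object per Flash binary found, with its version and patch status.
    foreach ($dir in $FlashDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }

        $files = Get-ChildItem -LiteralPath $dir -File |
                 Where-Object { $_.Extension -in '.ocx', '.dll', '.exe' }

        foreach ($file in $files) {
            $vi = $file.VersionInfo
            # Build a [version] from the numeric parts so comparison is numeric,
            # not lexical (a string compare would rank "18.0.0.99" above "18.0.0.194").
            $ver = New-Object System.Version(
                $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

            [pscustomobject]@{
                Path    = $file.FullName
                Version = $ver
                Status  = if ($ver -lt $MinimumFixedVersion) { 'VULNERABLE' } else { 'Patched' }
            }
        }
    }
}

$results = @(Get-FlashPlayerBinary)

if ($results.Count -eq 0) {
    Write-Output "No Flash Player binaries found under the system-wide install paths."
    exit 0
}

$results | Sort-Object Status, Path | Format-Table -AutoSize

# Non-zero exit code lets a management tool (SCCM, scheduled task, etc.)
# treat an unpatched host as a failed compliance check.
if ($results | Where-Object { $_.Status -eq 'VULNERABLE' }) {
    Write-Warning "One or more Flash Player binaries are below the fixed version."
    exit 1
}
exit 0
```

Run the script with administrative rights so that both the System32 and SysWOW64 directories are readable. It covers only the system-wide plugins that Internet Explorer and Firefox load; Google Chrome ships its own bundled Flash Player, which, as noted above, is updated through the browser's own update mechanism. Where the script reports no Flash binaries at all, the host has no system-wide exposure to this vulnerability, which is also the expected result after the "disable Flash Player" mitigation has been applied by uninstalling the plugins.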
Websense Security Labs will continue to monitor this threat and will provide updates as appropriate.