Adobe plans to patch the flaw on Thursday. Credit: Adobe Systems

The latest zero-day vulnerability in Adobe Systems’ Flash Player has been used over the last two weeks to distribute ransomware called Cerber, email security vendor Proofpoint said.

Adobe said it would patch the flaw, CVE-2016-1019, on Thursday. The vulnerability affects all versions of Flash Player on Windows, Mac, Linux and Chrome OS.

Ryan Kalember, senior vice president of cybersecurity at Proofpoint, said his company detected an attack trying to exploit the flaw on Saturday. One of Proofpoint’s customers received an email with a document that contained a malicious macro, which led victims through a series of redirects that eventually reached an exploit kit.

Exploit kits are software packages planted on domains that probe a visiting computer for software vulnerabilities in order to deliver malware. If a victim lands on a page and has a vulnerable Flash build, for example, the malware is installed silently.

The exploit kits using the zero-day Flash vulnerability are known as Magnitude and Nuclear Pack, Kalember said. It’s believed just one cybercriminal group is behind Magnitude.

“They’ve been doing ransomware for some time,” he said. “They were doing Cryptowall for a while, then they moved to Teslacrypt and now they’re on Cerber.”

Proofpoint was surprised to see a zero-day vulnerability used to distribute ransomware. Zero-day vulnerabilities are flaws that are actively being used in attacks and are unpatched by the vendor. Such vulnerabilities command a high price in underground markets, since it is almost guaranteed that a victim will be compromised.

“The very fact it is being used in ransomware is indicative of just how far ransomware has come since it’s clearly profitable enough to use a very, very interesting vulnerability and exploit rather than selling to the highest bidder,” Kalember said.

The attackers, however, took an interesting step that was perhaps intended to delay security researchers.
Kalember said the Flash exploit was engineered to only infect Flash Player versions 20.0.0.306 and earlier. That conflicts with Adobe’s version of events. In its advisory on Tuesday, Adobe said a mitigation introduced in Flash Player version 21.0.0.182 prevents exploitation of the vulnerability.

Kalember said the vulnerability actually affects all versions of Flash. The attackers, he said, just engineered the exploit so that it only targeted older versions of Flash, a technique known as degradation.

“It’s not Adobe that has mitigated that,” he said. “It’s the malware authors themselves.”

Other exploit kits including Angler have also degraded some of their attacks, Kalember said.

Cerber is a relatively new type of ransomware that emerged in the last month. Curiously, it will not infect computers that are in Russia or ex-Soviet countries, Kalember said.

Ransomware has become one of the most acute problems on the Internet. The malware encrypts most files on a victim’s computer. The decryption keys are only obtainable by paying a ransom, which is usually requested in bitcoin.

The story has been corrected to fix a timing error in the first paragraph and adds new information in the sixth paragraph.
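The two version numbers in the article (the exploit's 20.0.0.306 ceiling and Adobe's 21.0.0.182 mitigation build) are the kind of thresholds a defender needs to check an endpoint inventory against while a patch is still pending. The following is an added example, not code from the article, Proofpoint or Adobe; it compares dotted Flash build strings numerically (a lexicographic string compare would wrongly rank "9.0.0.1" above "20.0.0.306") and sorts hosts into three buckets. The inventory rows are constructed sample data, and the bucket names are this example's own.

```python
"""Classify Flash Player build strings against the thresholds named in the article.

Added example. The two threshold strings come from the article; the inventory
rows below are constructed sample data, not real hosts.
"""
from typing import Dict, Iterable, List, Tuple

EXPLOIT_MAX_TARGET = "20.0.0.306"    # exploit only fires at or below this build (per Kalember)
ADOBE_MITIGATED_FROM = "21.0.0.182"  # Adobe: mitigation present from this build onward


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '20.0.0.306' into (20, 0, 0, 306).

    Numeric rather than lexicographic, so that 9.0.0.1 sorts below 20.0.0.306.
    Rejects anything that is not a dotted run of integers.
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is below, equal to or above b.

    Shorter tuples are zero-padded so '21.0' compares equal to '21.0.0.0'.
    """
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def classify(installed: str) -> str:
    """Bucket one installed build against the article's two thresholds.

    'in-exploit-range'       : the in-the-wild exploit will attempt to run here
    'vulnerable-unmitigated' : above the kit's ceiling, but below Adobe's mitigation build
    'mitigated'              : has Adobe's mitigation; still needs Thursday's patch,
                               since the underlying flaw affects every version
    """
    if compare(installed, EXPLOIT_MAX_TARGET) <= 0:
        return "in-exploit-range"
    if compare(installed, ADOBE_MITIGATED_FROM) < 0:
        return "vulnerable-unmitigated"
    return "mitigated"


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (hostname, flash_version) rows by bucket; hostnames sorted within each."""
    buckets: Dict[str, List[str]] = {
        "in-exploit-range": [],
        "vulnerable-unmitigated": [],
        "mitigated": [],
    }
    for host, version in inventory:
        buckets[classify(version)].append(host)
    for names in buckets.values():
        names.sort()
    return buckets


# Constructed sample inventory (hypothetical hostnames and builds).
SAMPLE_INVENTORY = [
    ("ws-01", "20.0.0.306"),   # exactly at the exploit's ceiling
    ("ws-02", "9.0.0.1"),      # old build; numeric compare keeps it in range
    ("ws-03", "21.0.0.150"),   # hypothetical build between the two thresholds
    ("ws-04", "21.0.0.182"),   # Adobe's stated mitigation build
    ("ws-05", "19.0.0.245"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:24s} {', '.join(hosts) or '-'}")
```

The useful point for a patch-pending situation is that "mitigated" is not "fixed": the article says the flaw itself affects every version, so the third bucket still needs the vendor update once it ships; the buckets only order the work.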