This past Tuesday, June 14, a vulnerability (CVE-2011-2110) in the Adobe Flash Player was patched. This vulnerability is actively being exploited in the wild - prior to the patch, the earliest exploitation that we have seen in our logs thus far, dates back to early last Thursday (June 9th).
Attackers have/are embedding redirects into compromised legitimate websites (including an Indian government site, a US airport site, and an aerospace site, among others). The redirects direct user's web-browsers to access the flash exploit - once the victim machine is exploited it downloads, decodes, and executes malcode.
Working with Steven from Shadowserver we were able to collectively share information to benefit the community and a public, detailed report was subsequently released on their website. Their report lists the sites/servers that we helped identify that have hosted the malicious content, as well as provides guidance for handling this threat. Among the recommended guidance:
- Patch! Flash Player older than 10.3.181.26 (or 10.3.181.24 for Android) is vulnerable. You can check your version here.
- Block the identified malicious servers/pages/binaries - this has already been done for customers using our cloud.
- Block/monitor for additional sites using the same attack pattern - this has already been done for customers using our cloud. Shadowserver released a Snort signature in their report to assist with identifying this pattern as well.
A special thanks to Steven from Shadowserver.