Adobe and Windows Zero-day Exploits in the Wild

The recent news of two new zero-day exploits for Windows and Adobe users was disconcerting for many.  The Windows bug is being exploited in the wild, which users should install fixes as soon as possible.  Cataloged as CVE-2016-0189, the exploit allows attackers to execute malicious code when vulnerable computers visit booby-trapped websites.  According to ARS Technica and Symantec, many of the targeted attacks have been aimed at South Korean websites.  The vulnerability exists in the Jscript and VBScript engines and is exploited using Internet Explorer.  According to Symantec, the exploit may have been delivered through a link included in a spear-phishing email, or a compromised, legitimate website that redirected users to the exploit.  The landing page contained JavaScript code that profiled the computer belonging to the user visiting the site.  South Korea was severely impacted by this zero-day attack, which is heavily reliant on Internet Explorer.  Attackers target South Korean organizations often to gain remote access to South Korean organization computers, steal sensitive data, or even wipe hard drives. The Adobe bug was recently identified in a Flash vulnerability that gives attackers the ability to remotely hijack machines and is currently being exploited in the wild.  FireEye first reported the vulnerability on May 10.  The vulnerability affects Windows, Mac, Linux, and Chrome OS.  The CVE number is CVE-2016-4117.

In addition to these two zero-day exploits, over 100 organizations in North America last month fell victim to a tailored spear-phishing campaign aimed at the retail, restaurant, and hospitality industry.  The campaign would send emails that contained variations of Microsoft Word documents with embedded macros.  If enabled, the macros would then download and execute a malicious downloader called PUNCHBUGGY.  PUNCHBUGGY is a DLL that can interact with compromised systems and move laterally across the environment.  In addition, PUNCHBUGGY could take advantage of a previously unknown elevation of privileges (EoP) exploit and a point of sale memory scrapping tool dubbed PUNCHTRACK by FireEye.  According to FireEye, in some victim environments, “the threat actor exploited a previously unknown elevation of privilege (EoP) vulnerability in Microsoft Windows to selectively gain SYSTEM privileges on a limited number of compromised machines.”

Microsoft and Adobe have both released patches for all vulnerabilities: CVE-2016-0168, CVE-2016-0167, and CVE-2016-4117.  If you haven’t downloaded and installed the recent fixes, please do so as soon as possible.

CyberSheath can help protect your assets.  Contact us to learn more about our throughout information security assessments and other security-related program development.