In mid-May, Symantec observed a gradual uptick in attacks exploiting the Adobe Flash Player Buffer Overflow Vulnerability (CVE-2014-0515), and we continued to monitor this trend. Symantec’s research now indicates that the attacks are being performed on a massive scale and that majority of them are focused on Japan.
Back in April, CVE-2014-0515 was originally being exploited in watering-hole attacks against specific organizations or industries. Later in the same month, Adobe released a patch for the vulnerability. However, just a few weeks later Symantec telemetry indicated that instead of the initial targets, the exploit was now being used to target a wider range of Internet users.
Figure 1. Attackers using the Adobe exploit mostly targeting Japan
As seen in Figure 1, more than 90 percent of the attacks exploiting the vulnerability are targeting Japanese users. The attacks are typically carried out through drive-by-download and leverage compromised legitimate websites to host malicious code. The websites then redirect traffic to a malicious site prepared by the attacker.
The following websites were compromised to trigger attacks in Japan:
- his-j.com (travel agency)
- jugem.jp (blog service)
- pandora.tv (video sharing service)
In addition to the above websites, blog sites that use the JUGEM rental service are also affected.
Once the browsers are redirected to the malicious site, which has the IP address 126.96.36.199, they render the exploit code that attempts to exploit CVE-2014-0515. If an older version of the software is installed on the computer, the attack will execute a series of malicious files to compromise the computer with the malware Infostealer.Bankeiya.B, which steals banking information from users.
Figure 2. Daily number of attacks on Japanese users
Figure 3. Cumulative number of attacks on Japanese users
Infostealer.Bankeiya.B monitors the Web browsers Google Chrome, Mozilla Firefox and Microsoft Internet Explorer. The Trojan gathers specific user data typically found in online banking transactions.
The malware can also update itself, enabling it to target more banks and add more capabilities in order to perform additional malicious actions.
Since the Adobe Flash Player Buffer Overflow Vulnerability (CVE-2014-0515) is used heavily in the wild, Symantec advises users to update Adobe Flash to the latest version. It is important to patch not only the operating system and applications installed on computers, but also any plug-ins used by browsers.
Symantec customers are protected against this attack with the following detections: