It has been reported that the Angler Exploit Kit has started targeting a new vulnerability in Adobe's Flash Player, and Richard Cassidy, technical director EMEA at Alert Logic, writes:
“Web-based exploit kits (such as Angler EK) pose a real and complex threat to businesses, given that they can operate using both file-based (malware code downloaded to the target system's disk) and fileless (malicious code executed in memory only) methods, and are run as web applications designed to exploit vulnerabilities in browsers and browser plugins. Simply put, you could visit a compromised website that will silently use web applications hosted on those sites, or adverts, to infect the target system, or you could open an e-mail with an infected link, click on that link and be directed to the malicious website. Once infected, the exploit kit simply chooses which exploit to run based upon its knowledge of your browser and exploitable plugins (Flash, Java, Adobe, etc.), which in turn leads to a compromise of the system and loss of data, or unwanted activity.
The subject of exploit kits and their operation is a complex one from a security perspective for businesses. From an attacker's perspective, exploit kits make the task of gaining access to a user's system through web-based exploitable vulnerabilities very easy indeed; you simply don't need a great deal of security or technical expertise to use them effectively, and can gain access to, and compromise, systems in a very short period of time. For those looking to protect against the vulnerabilities exploited by these “exploit kits”, the task can be a great deal more difficult. The main challenge is that software vendors need to ensure that exploits in their plugins or browsers are fixed in version updates and that new patch releases don't retain older exploits found in the software. Organisations can ensure that their critical systems and applications are patched to the latest vendor levels, but if exploit kits are still able to exploit bugs that have yet to be fixed, or find zero-day exploits, the task of security compliance for businesses is made a great deal more difficult.
Organisations can implement web-based application security to help defend against such threats, and users should continue to pay attention to any links opened through e-mails or unsolicited communication. Furthermore, educating users to pay greater attention to the sites being visited, and maintaining a level of trusted-only access, will go a long way in protecting against potential compromise. At a deeper level, having network file, packet and log monitoring tools in place to detect unusual activity around the kill chain for intrusion will help provide a better level of protection against zero-day exploits; however, in the end we are bound to wait for the vendors to update their software versions more efficiently and perhaps take note (if not already done so) of how these kits operate and look to implement them into their QA strategy for new patch version releases.”
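The log-monitoring point above describes the kill chain of a drive-by infection (a visited site or advert redirects the browser to an exploit-kit landing page, which serves a Flash object and then a payload) without showing what "unusual activity around the kill chain" looks like in a log. The following added example, which is not from the article or from Alert Logic, is a small detector over web proxy logs. Everything in it is an assumption: the five-field log format, the `.example` hostnames and timestamps are constructed sample data, and the heuristic (a Flash object followed within a short window by an executable download from the same host, with the client having arrived at that host from a different site) is one illustrative rule, not a vendor's detection logic.

```python
"""Flag drive-by style kill chains in web proxy logs (added example, constructed data).

Heuristic (an assumption for illustration, not a product rule):
  1. A client fetches a Flash object from host H.
  2. Within WINDOW, the same client downloads an executable from host H.
  3. Shortly before the Flash object, the client arrived at H via a referer
     on some other site (the compromised page or advert that redirected it).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log: "<timestamp> <client> <url> <referer or -> <content-type>".
SAMPLE_LOG = """\
2015-01-22T10:00:01 10.0.0.5 http://news.example/index.html - text/html
2015-01-22T10:00:02 10.0.0.5 http://ads-cdn.example/banner.js http://news.example/index.html application/javascript
2015-01-22T10:00:04 10.0.0.5 http://x7f3k.example/landing.php http://ads-cdn.example/banner.js text/html
2015-01-22T10:00:05 10.0.0.5 http://x7f3k.example/exp.swf http://x7f3k.example/landing.php application/x-shockwave-flash
2015-01-22T10:00:09 10.0.0.5 http://x7f3k.example/get.php?id=1 http://x7f3k.example/exp.swf application/x-msdownload
2015-01-22T10:05:00 10.0.0.9 http://video.example/player.swf http://video.example/watch application/x-shockwave-flash
"""

FLASH_TYPES = {"application/x-shockwave-flash"}
EXE_TYPES = {"application/x-msdownload", "application/octet-stream", "application/x-dosexec"}
WINDOW = timedelta(seconds=30)  # assumed correlation window


def parse_log(text):
    """Parse the constructed five-field format into event dicts, oldest first per line order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, referer, ctype = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "url": url,
            "host": urlparse(url).hostname,
            "referer_host": urlparse(referer).hostname if referer != "-" else None,
            "ctype": ctype,
        })
    return events


def find_driveby_chains(events):
    """Return one alert per (client, Flash object) that is followed by a payload from the same host."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    alerts = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["time"])
        for i, flash in enumerate(evs):
            if flash["ctype"] not in FLASH_TYPES:
                continue
            # Step 3: did an earlier request to this host carry a referer from another site?
            referred_from_other_site = any(
                e["host"] == flash["host"]
                and e["referer_host"] not in (None, flash["host"])
                and flash["time"] - e["time"] <= WINDOW
                for e in evs[:i]
            )
            # Step 2: look for an executable from the same host inside the window.
            for later in evs[i + 1:]:
                if later["time"] - flash["time"] > WINDOW:
                    break
                if later["host"] == flash["host"] and later["ctype"] in EXE_TYPES:
                    alerts.append({
                        "client": client,
                        "host": flash["host"],
                        "flash_url": flash["url"],
                        "payload_url": later["url"],
                        "referred_from_other_site": referred_from_other_site,
                    })
                    break
    return alerts


if __name__ == "__main__":
    for alert in find_driveby_chains(parse_log(SAMPLE_LOG)):
        print(alert)
```

The benign client in the sample (a video site serving its own `player.swf` with no executable afterwards) produces no alert, which is the point of correlating the sequence rather than alerting on every Flash fetch; in practice the content-type sets and the window are tuning knobs, and a real deployment would also need the proxy to log referers and content types reliably.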