Adobe Flash Exploit Delivering Cryptowall Ransomware

Last week, a zero-day vulnerability in Adobe Flash Player was patched. Users of the multimedia player can now run the software safely, without facing a risk of having their devices compromised by a new Adobe Flash exploit. Provided the patch has been installed.

Adobe Flash exploit being used to drop ransomware on unpatched devices

Any computer with Flash set to run automatically is at risk if the latest version of the software – Version 18.0.0.194 – has not been installed. Since the latest version of the software was released on June 23, the Adobe Flash exploit has been found in the wild. Hackers are using the Magnitude exploit kit to drop Cryptowall ransomware on unpatched computers. It took only four days since the release of the Adobe patch for an exploit to be packed into Magnitude.

The latest version of Flash Player has been released to deal with the vulnerability known as CVE-2015-3133. This vulnerability allows hackers to remotely execute code to take advantage of a bug in the software. The Adobe Flash exploit is being used to automatically drop ransomware on unpatched devices.

The vulnerability is also being exploited by at least one hacking group. APT3, a hacking group based in China, has already devised a phishing email campaign to take advantage of the Flash vulnerability. The vulnerability has been known since the start of June, and hackers were quick to exploit it. It took Adobe three weeks to develop the patch, during which time all users of the software – which is most people using the Windows operating systems – have been at risk of attack.

When computers are infected, APT3 is moving infections laterally to compromise multiple hosts. Furthermore, backdoors are being installed so that even when the malware is identified and removed, access to networks is still possible.

APT3 is well known for exploiting zero-day vulnerabilities and is using the current phishing campaign to target companies in specific industry sectors. Their current targets are in the aerospace, construction, defense, engineering, and the telecommunications industries.

There is a serious risk of malware infection from phishing emails, malicious website adverts, and malicious links on social media websites. Those links send traffic to websites containing the Magnitude exploit kit. If anyone visits a website hosting the exploit kit, ransomware and other malware can be installed automatically if the latest version of Adobe Flash Player has not been installed.

Attackers are targeting users of Windows 7 (and below) via Internet Explorer and users of Firefox on computers running on Windows XP.

Fortunately, installation of the latest version of the software will prevent the Adobe Flash exploit from being used to drop Cryptowall malware. The current version of the malware, Cryptowall 3.0, requires infected users to pay a ransom of $300 to unencrypt files. System administrators have spent the past week ensuring all devices are updated with the latest version of the software.

Are you at risk from the Adobe Flash exploit? Have you managed to install v18.0.0.194 on all your networked computers?

Best Firewall Security Zone Segmentation Setup

Regardless of the size of your company, or what type of TCP/IP setup you have, a hardware firewall is essential. It is one of the most fundamental network security elements. It provides basic protection and is capable of preventing many attacks on your network from being successful. It is therefore essential that you have the best firewall security zone segmentation setup.

What is the best firewall security zone segmentation setup?

Today, networks typically extend outside of the firewall perimeter, but that said, they do tend to have a well-defined structure. Your network should therefore have:

  • An internal network zone
  • An untrusted external network
  • One or more intermediate security zones

Each of your intermediate security zones – commonly Layer3 network subnets with multiple workstations and/or servers – should contain systems which can be protected in a similar fashion. They are groups of servers that have similar requirements. They can be protected with a firewall on the application level, or more typically, on the Port and IP level.

Perimeter firewall security zone segmentation

Unfortunately, the perimeter network topology that is best for you may differ considerably from the one that you used for your previous company. Your current network will naturally be different and have its own requirements and different functions. Your perimeter security zone segmentation will have to therefore be set up to match the unique needs of your business. That said, there are a number of best practices to follow when devising your network perimeter.

To help explain a typical network perimeter, we have illustrated this in the diagram below. Your network may differ, but the illustration shows a typical setup used by many enterprises. You may use two firewalls, or only have one DMZ (Demilitarized) zone. The red arrows show the traffic direction permitted by the firewall

perimiter_security2

Security zone segmentation: Setting up your DMZ (Demilitarized Zones)

Your equipment and sections of your network that will be most susceptible to attack will be the parts that face the public and are connected to the internet. These will include your web servers, email servers, and DNS for example. If an attack on your network is attempted, this is where it is most likely to occur. It is therefore important to be able to minimize the potential for damage if one of those attacks is successful and one or more of your servers is compromised.

To do this, it is important to set up a DMZ or Demilitarized zone. A DMZ is basically a Layer3 subnet that is isolated. In our example we have included two, as this set up offers the best protection for our internal zone. In your case one may be appropriate or three or four, depending on the size of your network, number of servers etc.

DMZ1

You are going to have to have at least one public facing server that is accessible via the Internet. Traffic flow must be restricted for security, so it should only be possible for traffic to go from the Internet to your DMZ1. It is also essential that you only have the necessary TCP/UDP ports open. All other must be closed. Your DMZ1 should host your DNS, Proxy server, Email server, and web server.

DMZ2

For the best protection, you should never have your databases located on the same hardware as your web server. Database are likely to need to be accessed via your web server, but they should be set up in a different DMZ. In this example, we have set up DMZ2 where we have placed the application servers and database servers. You can see from the red traffic arrows that these servers can be accessed directly from the internal zone, and also from DMZ1. They can therefore be accessed from the Internet, but only indirectly via DMZ1.

It is also important to have your web application server and a front end web server located in different DMZs.

Using the above setup, if one server is compromised, say one of your application servers in DMZ2 via DMZ1, the attacker will not be able to access to your internal zone.

You should configure your firewall to allow traffic between both of your DMZs, but only on specific ports. Traffic between your internal zone and your DMZ2 is possible, but this should be limited.  Traffic may be necessary for performing data backups for instance or for accessing an internal management server for example.

Your internal security zone

Located in the internal security zone will be your end user workstations, your file servers, and other critical internal servers. You will also have internal databases located in the internal zone, Active Directory servers, and many business applications.

It is essential that there is no direct access from the Internet to your internal security zone. Any user requiring Internet access must not be permitted to access the Internet directly. Internet access must only be possible via a proxy server, which should be located in DMZ1.

It is essential to have security zone segmentation, although the setup you choose must reflect your business requirements. Our example of a typical security zone segmentation setup is ideal for the enterprise environment. Use this and it should ensure you have solid network security.