Security Alert: RIG EK Exploits Outdated Popular Apps, Spreads Cerber Ransomware


Cybersecurity experts obsessively repeat two types of advice:

  1. Use stronger passwords.
  2. Update your software.

Today’s security alert is all about the importance of applying software updates as soon as they’re released.

At the moment, cybercriminals are using a swarm of malicious domains to launch drive-by attacks against unsuspecting users.

The campaign works by injecting malicious scripts into insecure or compromised systems. Victims can get infected simply by browsing a compromised or infected website, without clicking on anything. What exposes them to this attack is an outdated version of one of the following apps: Flash Player, Silverlight, Internet Explorer or Edge.

This is the short version of how it happens:

[Image: How Rig Exploit Kit Works]

A total of 8 vulnerabilities scattered over several product versions might cause serious trouble for many users. That’s because RIG exploit kit will detect these unpatched vulnerabilities and then download Cerber ransomware by taking advantage of them.

Antivirus detection for this malicious campaign is low, as you’ll see in the details below.

Vulnerabilities exploited in the attack

The following apps – which you may also be using – can expose your system to a costly ransomware attack.

Affected software: Adobe Air, Adobe Air Sdk, Air Sdk Compiler, Adobe Flash Player
Vulnerability: CVE-2015-8651; can Execute Code, Overflow
CVSS Score: 9.1
This vulnerability includes 11 security holes in 4 products (see CVE link for details).
Patched on December 28, 2015.

Affected software: Adobe Flash Player, 99 vulnerable versions, see CVE link below for details.
Vulnerability: CVE-2015-5122; can cause Denial of Service, Execute Code, Memory corruption
CVSS Score: 10
Patched on July 10, 2015.

Affected software: Adobe Flash Player version
Vulnerability: CVE-2016-4117; can Execute Code
CVSS Score: 10
Patched on May 12, 2016.

Affected software: Adobe Flash Player, 14 vulnerable versions, see CVE link below for details.
Vulnerability: CVE-2016-1019; can cause Denial of Service, Execute Code
CVSS Score: 10
Patched on April 5, 2016.

USEFUL TIP: If you need a quick way to check what Flash version your system is running, go to this link provided by Adobe and find out. Flash is a notorious source of vulnerabilities for its users, so reading this guide we put together may help you understand why and what you can do about it.

Affected software: Microsoft Edge
Vulnerability: CVE-2016-7200; can cause Denial of Service, Execute Code, Overflow, Memory corruption
CVSS Score: 7.6
Patched on November 8, 2016.

Affected software: Microsoft Edge
Vulnerability: CVE-2016-7201; can cause Denial of Service, Execute Code, Overflow, Memory corruption
CVSS Score: 7.6
Patched on November 8, 2016.

Affected software: Internet Explorer versions 9, 10, 11
Vulnerability: CVE-2016-3298; can obtain information
CVSS Score: 3.6
Patched on October 11, 2016.

Affected software: Silverlight version 5.0
Vulnerability: CVE-2016-0034; can cause Denial of Service, Execute Code
CVSS Score: 9.3
Patched on January 12, 2016.

To give you an example of what could happen if an attacker successfully exploits this vulnerability, here are some details Microsoft shared last year:

In a web-browsing scenario, an attacker who successfully exploited this vulnerability could obtain the same permissions as the currently logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This last bit is another good reminder to use a standard account on a daily basis, instead of using an administrator account.
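The entries above all follow one layout (affected software, CVE id and impact, CVSS score, patch date). The script below, an added example and not part of the original alert, parses that layout into structured records and ranks them by CVSS and by how long the patch has been available. The sample entries are copied from the page; the reference date is an assumption, since the alert does not give the campaign's date.

```python
import re
from datetime import date, datetime

# Constructed sample input: three entries copied in the alert's own layout.
ALERT_ENTRIES = """\
Affected software: Adobe Flash Player, 14 vulnerable versions, see CVE link below for details.
Vulnerability: CVE-2016-1019; can cause Denial of Service, Execute Code
CVSS Score: 10
Patched on April 5, 2016.

Affected software: Internet Explorer versions 9, 10, 11
Vulnerability: CVE-2016-3298; can obtain information
CVSS Score: 3.6
Patched on October 11, 2016.

Affected software: Silverlight version 5.0
Vulnerability: CVE-2016-0034; can cause Denial of Service, Execute Code
CVSS Score: 9.3
Patched in January 12, 2016.
"""

# Assumed reference date for the patch-lag calculation; the alert gives none.
REFERENCE_DATE = date(2017, 1, 1)

# One field per line; the trailing period on some lines is dropped by the regex.
FIELD_RE = re.compile(
    r"^(Affected software|Vulnerability|CVSS Score|Patched (?:on|in))[:\s]\s*(.+?)\.?\s*$"
)

def parse_entries(text, as_of):
    """Parse blank-line-separated entries into dicts, most urgent first."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                key = "Patched" if m.group(1).startswith("Patched") else m.group(1)
                fields[key] = m.group(2)
        vuln = fields["Vulnerability"]
        cve_id = re.search(r"CVE-\d{4}-\d{4,}", vuln).group(0)
        impact = vuln.split(";", 1)[1].strip() if ";" in vuln else ""
        impact = re.sub(r"^can (?:cause )?", "", impact)  # "can cause X" / "can X" -> "X"
        patched = datetime.strptime(fields["Patched"], "%B %d, %Y").date()
        records.append({"cve": cve_id, "software": fields["Affected software"],
                        "cvss": float(fields["CVSS Score"]), "impact": impact,
                        "patched": patched, "days_unpatched": (as_of - patched).days})
    # Highest CVSS first; ties go to the patch that has been available longest.
    records.sort(key=lambda r: (-r["cvss"], r["patched"]))
    return records
```

Run `parse_entries(ALERT_ENTRIES, REFERENCE_DATE)` to get the ranked list; the `days_unpatched` field is the window during which an unpatched machine stayed exposed to a fix that already existed.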

The current drive-by campaign uses the following domains (sanitized for your protection):

All these domains are part of the so-called Pseudo-Darkleech gateway, which was also used in distributing Cerber ransomware in December 2016 and CrypMIC ransomware earlier, in September 2016.

The RIG exploit kit used in this malicious campaign is the Empire Pack version (RIG-E). This is what the Empire Pack panel looks like:

[Image: Empire Pack panel]

If this hasn’t persuaded you to automate your updates, maybe cyber security experts and their stories will convince you.

As you can see, cybercriminals often build their attacks on vulnerabilities the software developer has already patched, because they know that most users fail to apply updates when they’re released.

In spite of the wave of attacks, many Internet users still choose to ignore updates, but we hope that alerts such as this one will change their mind and make them more aware of the key security layer that updates represent.

*This article features cyber intelligence provided by CSIS Security Group researchers.
