Our corporate business team has a new “software updater” feature in our Protection Service they want to market. So they asked our lab analyst @TimoHirvonen to provide them with an example demonstrating the amount of time it takes to go from vulnerability to exploit.
Here’s what Timo came up with using CVE-2012-1535:
. 2012-08-14: Security update available for Adobe Flash Player, patches vulnerability CVE-2012-1535.
(Security update available for Adobe Flash Player)
. 2012-08-15: Microsoft Office Word documents with embedded Flash exploit for CVE-2012-1535 seen in the wild.
(CVE-2012-1535: Adobe Flash being exploited in the wild, CVE-2012-1535 – 7 samples and info)
. 2012-08-17: Exploit is added to Metasploit Framework – a public, open-source tool for developing and executing exploits.
(Adobe Flash Player Exploit CVE-2012-1535 Now Available for Metasploit)
As you can see, it doesn’t take much time at all to commoditize a vulnerability into an exploit.
And then Timo got curious (as he often does) and decided to research the exploit itself, Exploit:SWF/CVE-2012-1535.B.
He did some searching and found this Digital4rensics Blog post, which links to a VirusTotal report on a doc file called 110630_AWE Platinum Partners.doc. Symantec has a CVE-2012-1535 post that shows a censored screenshot of the e-mail (or at least a similar e-mail) with the document attached. And Contagio has a list of multiple Word docs that use the same exploit.
So Timo located a few examples from our back end:
110630_AWE Platinum Partners.doc turned out to be the most interesting. According to the Digital4rensics Blog linked to above, AWE Limited is an Australian Oil & Gas company.
But that didn’t sound right to Timo. He recognized the name Tybrin in one of the other docs, and connected it to Jacobs’ TYBRIN Group, which does U.S. Department of Defense work.
So then, let’s take a look at the decoy document dropped by 110630_AWE Platinum Partners.doc:
“Working together to keep our world safe and secure by ensuring warheads are always available.”
That doesn’t sound related to an oil and gas company.
And so, searching LinkedIn for “Andrew Jupp”, named in the doc, yields this:
It appears that AWE stands for Atomic Weapons Establishment.
AWEsome. Feeling more “safe and secure” than ever.
Hope AWE keeps its Flash installations up to date.
SHA1 of 110630_AWE Platinum Partners.doc: 51bb2d536f07341e3131d070dd73f2c669dae78e
SHA1 of decoy: 0eb24ffa38e52e4a1e928deb90c77f8bc46a8594
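If you want to check your own mail store or file shares for these documents, the two hashes above are the indicator to match on, and a Word file carrying an embedded Flash object can be spotted by looking for an SWF header inside the OLE container. The script below is an added example written for this post, not code from the original article or from Timo; it matches SHA1 against the two published hashes and, as a heuristic, scans for SWF headers ('FWS', 'CWS' or 'ZWS' followed by a plausible version byte and a 4-byte length) stored uncompressed in the file. The sample document bytes in the block are constructed for demonstration and are not one of the real samples.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two SHA1 hashes published in the post (dropper and decoy).
KNOWN_SHA1 = {
    "51bb2d536f07341e3131d070dd73f2c669dae78e": "110630_AWE Platinum Partners.doc",
    "0eb24ffa38e52e4a1e928deb90c77f8bc46a8594": "decoy document dropped by the .doc",
}

# OLE2 compound document magic, i.e. a legacy .doc container.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# An SWF file starts with 'FWS' (uncompressed), 'CWS' (zlib) or 'ZWS' (LZMA),
# one version byte and a little-endian uint32 length of the decompressed file.
# The version range 1..40 is an assumption used to cut down false positives
# from the three letters occurring in ordinary text.
SWF_HEADER = re.compile(rb"(?P<sig>FWS|CWS|ZWS)(?P<ver>[\x01-\x28])")


@dataclass
class Triage:
    sha1: str
    known_as: Optional[str]          # name from KNOWN_SHA1, or None
    is_ole: bool                     # file starts with the OLE2 magic
    swf_hits: List[Tuple[int, str, int, int]]  # (offset, signature, version, declared length)


def find_swf_headers(data: bytes) -> List[Tuple[int, str, int, int]]:
    """Return every plausible SWF header found in the raw bytes (heuristic)."""
    hits = []
    for m in SWF_HEADER.finditer(data):
        off = m.start()
        if off + 8 > len(data):
            continue  # truncated header, cannot read the length field
        declared_len = int.from_bytes(data[off + 4:off + 8], "little")
        hits.append((off, m.group("sig").decode("ascii"), m.group("ver")[0], declared_len))
    return hits


def triage_bytes(data: bytes) -> Triage:
    """Hash the document, match it against the published IOCs and look for embedded SWF."""
    sha1 = hashlib.sha1(data).hexdigest()
    return Triage(
        sha1=sha1,
        known_as=KNOWN_SHA1.get(sha1),
        is_ole=data.startswith(OLE_MAGIC),
        swf_hits=find_swf_headers(data),
    )


def triage_path(path: str) -> Triage:
    with open(path, "rb") as fh:
        return triage_bytes(fh.read())


def is_suspicious(result: Triage) -> bool:
    """Known hash, or a Word container with an embedded Flash object, is worth a closer look."""
    return result.known_as is not None or (result.is_ole and bool(result.swf_hits))


# Constructed sample: an OLE header, some filler, then a fake zlib-compressed SWF
# header (version 11, declared length 1234). Not a real malicious document.
SAMPLE_DOC = (
    OLE_MAGIC + b"\x00" * 504
    + b"CWS" + bytes([11]) + (1234).to_bytes(4, "little") + b"\x78\x9c" + b"\x00" * 64
)

# Constructed benign sample: OLE container with no SWF header at all.
CLEAN_DOC = OLE_MAGIC + b"\x00" * 600

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:] or []:
        r = triage_path(p)
        print(p, r.sha1, r.known_as, "swf@" + ",".join(str(h[0]) for h in r.swf_hits))
    demo = triage_bytes(SAMPLE_DOC)
    print("sample:", demo.is_ole, demo.swf_hits, is_suspicious(demo))
```

Run it over a directory of attachments with file paths as arguments. A hit from the hash table is definitive; an SWF-header hit only says Flash content is stored inside the container and says nothing about which exploit it carries, and Flash objects that Word stores compressed or encoded will not be found this way, so a miss is not a clean bill of health.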