Cisco is joining the growing list of vendors that are reporting a surge in Adobe Flash-related exploits in 2015. Flash will set an all-time record for the number of CVE (common vulnerabilities and exposures) reported this year, predicts Cisco's midyear 2015 security report.
At the midway point Cisco's data shows a 66 percent increase in the number of Flash CVE that have been publicly reported so far this year.
Similarly, Trustwave's 2015 Global Security report found that Adobe Flash is the most exploited application so far in 2015. And Intel Security reported a 317 percent increase in the number of Adobe Flash malware samples that it has detected in 2015.
The Angler exploit kit is one of the primary ways that Flash exploits are being delivered, found Cisco. Angler doesn't just use Flash, though. It also makes use of an evasion technique known as "domain shadowing" to avoid detection. With domain shadowing, an attacker compromises a domain name registrant’s account and then registers a subdomain under the compromised domain.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
According to Cisco's report, more than three quarters of known subdomain activity by exploit kit authors since December 2014 can be attributed to Angler.
Java Exploits and Spam
While Flash vulnerabilities and attacks are rising, spam is not. Cisco reports that the volume of global spam it sees is relatively consistent in 2015 to past years. U.S. spam volume was 35.90 billion emails per day in December 2014 and grew to 40.97 billion daily emails in May of 2015. In contrast, spam volume in China dropped from 30.45 billion spam messages per day in December 2014, to 20.79 billion spam
Also of note is a reported decline in Java exploits. In 2014, Cisco reported that Java was a primary cause of 91 percent of all attacks.
"Java used to be a favored attack vector for online criminals, but security improvements and stepped-up patching efforts have forced attackers away from it," the Cisco report states. "No zero-day exploits for Java have been disclosed since 2013."
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.