This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Adobe 0-day Attack - Using Security Analytics to detect Zero Day exploits

Anonymous
Not applicable
‎2013-02-14 10:12 AM

NOTE: This blog is being posted on behalf of Alex Cox, Principal Research Analyst on the RSA FirstWatch team.  To read more of the FirstWatch team's blogs you can visit their RSA Speaking of Security blog page: http://blogs.rsa.com/author/rsa-first-watch-team/

------------------------------------------------------------------------------------------------------------------

As reported today, yet another zero-day exploit in Acrobat Reader is being used in the wild in targeted attacks.  Details can be found here:

http://www.pcworld.com/article/2027946/researchers-zero-day-pdf-exploit-affects-adobe-reader-11-earlier-versions.html

As is the case in most of these situations, RSA FirstWatch begins analysis of such threats as soon as they are discovered, and this threat is no different. 

One of the things that the team did in regards to PDF exploits was to profile the most common methods and techniques for PDF-based exploitation and document them.  These techniques were then developed into a FlexParser for the RSA Live (aka NetWitness Live) library.


The good news is that the Adobe Zero-Day uses a common “Open” action when exploiting the target workstation and this is detected forensically on the wire using our parser.  While this particular action is not always malicious, it’s unusual enough that it’s worthwhile to look for it in your network traffic on a regular basis.

To detect this attack (and others like it, zero-day or otherwise), use the following pivot in Security Analytics, or NetWitness Investigator:

  1. risk.info = “pdf with open action”

....which will be displayed as follows in the RSA Security Analytics “Investigation” view or in NetWitness Investigator:

If we then reconstruct the session we get additional details:

For RSA Live (aka NetWitness Live)  customers that want to make sure they have this parser loaded, please look for the following in your RSA Live subscription:

In the name of responsible disclosure, we can’t release additional details on the exploit at this time, but this detection offers a generic way for our customers to inspect suspicious PDFs in lieu of a patch from Adobe and/or additional public indicators.


Happy Hunting!


- Alex Cox, Principal Research Analyst,  RSA FirstWatch

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.