Hackers race to use Flash exploit before vulnerable systems are patched

APT28 threat group is moving fast in the hope that targets haven't yet installed a recently released patch to fix the recently uncovered exploit
Written by Danny Palmer, Senior Writer

State-backed hackers are looking to use the exploit before organisations have patched against it.

Image: iStock

Hackers are rushing to exploit a zero-day Flash vulnerability to plant surveillance software before organisations have time to update their systems to patch the weakness.

Uncovered by researchers at Kaspersky Lab on Monday, the CVE-2017-11292 Adobe Flash vulnerability allows attackers to deploy a vulnerability which can lead to code execution on Windows, Mac, Linux, and Chrome OS systems.

The exploit enables the delivery of malicious Word documents bundled with malware for example to allows attackers to snoop on communications, eavesdrop on video messages and calls, and steal files.

Adobe Flash Player Desktop Runtime, Adobe Flash Player for Google Chrome, Adobe Flash Player for Microsoft Edge, and Internet Explorer 11 are all affected by the vulnerability and organisations are urgently told to install the critical update.

As a result, attackers are moving quickly to exploit it while they can and researchers at Proofpoint have attributed a campaign designed to spread trojan malware using the vulnerability to APT28 - also known as Fancy Bear - a Russian hacking group with links to the Kremlin.

The campaign to exploit the Flash vulnerability has been sent to government offices in Europe and the US specialising in foreign relations - researchers liken them to "entities equivalent to the State Department" - as well as private businesses in the aerospace industry.

See also: Cyberwar: A guide to the frightening future of online conflict

The widespread nature of the campaign - compared with other APT28 attacks - is likely an attempt by the attackers to get as much as they can from exploiting the Flash vulnerability before organisations get around to patching it.

"Not surprisingly, they want to benefit from it as quickly as possible. Most likely, they are attacking as many interesting targets as possible in the small timeframe they have," Kevin Epstein, VP of the Threat Operations Center at Proofpoint told ZDNet.

"The attack appears to have been less targeted than we might otherwise expect as the attackers burn the exploit"

In this instance, the malicious payload is delivered in a Word document titled "World War 3.docx" which contains text lifted from an article by a UK newspaper on North Korea, first published on Tuesday.


The Fancy Bear decoy document used in the campaign.

Image: Proofpoint

Within the document is 'DealersChoice' an attack framework previously attributed to Russian hackers, which has now been bundled with the Flash vulnerability, in a similar way to which the group has done so with previous campaigns. Once installed on the system, the malware can be used as an effective espionage tool.

Researchers found that the exploitation was effective on systems using Windows 7 with Flash and Microsoft Office 2013 and Windows 10 build 1607 with Flash and Microsoft Office 2013. Unlike the previously uncovered campaign exploiting the vulneraliity, Mac OS doesn't seem to be targeted in these attacks.

It's therefore critical that the patches are applied in order to protect against these attacks.

"APT28 appears to be moving rapidly to exploit this newly documented vulnerability before the available patch is widely deployed," said researchers.

"Because Flash is still present on a high percentage of systems and this vulnerability affects all major operating systems, it is critical that organizations and end users apply the Adobe patch immediately,"
Proofpoint have also warned how other threat actors are likely to follow in attempting to exploit this relatively fresh vulnerability while they still can.

Editorial standards