Russian hackers looking to take advantage of Adobe Flash vulnerability

Researchers working at enterprise security firm Proofpoint have found that the infamous Fancy Bear hackers are looking to take advantage of a new Adobe Flash vulnerability.

The cyber criminals, who are linked to the Kremlin in Russia, are in a race against time to capitalise on the CVE-2017-11292 bug before it becomes widely known.

They've already targeted a plethora of organisations across Europe and the US, including foreign government entities similar to the US State Department. Aerospace firms have also been affected.

These pesky cyber criminals have been sending a Microsoft Word document called "World War 3", which contains the attack framework DealersChoiceB.

According to the research team, it makes use of the recently patched Adobe Flash vulnerability to deploy arbitrary code across Windows, Mac OS, Linux and Chrome OS systems.

Although the vulnerability was discovered and patched on October 19th, the researchers believe that the Fancy Bear hackers have full possession of the exploit and are able to reverse-engineer the deployed patch.

Kaspersky Lab researchers claim that this zero-day was previously used by a competing hacking group called BlackOasis, but Fancy Bear has taken the lead here.

Fancy Bear hackers have full possession of the exploit, the researchers claim, and they're constantly looking for new targets. It's likely they purchased it or reverse-engineered it from the previous attack.

"This malicious document embeds the same Flash object twice in an ActiveX control for an unknown reason, although this is likely an operational mistake," researchers said in a blog post.

"The Flash files work in the same manner as the last known attack using this tool: the embedded Flash decompresses a second Flash object that handles the communication with the exploit delivery server.

"The only difference is that this second Flash object is no longer stored encrypted. There are other signs that this campaign was devised hastily: for example, the actors did not change the decryption algorithm constants as they have in the past.

"These particular constants were already used in a late December 2016 campaign. Each document uses a different domain for victim exploitation, while the communication protocol with the server stayed the same as well."
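The structure the researchers describe (a Flash object embedded in a Word ActiveX control, duplicated, carrying a second Flash object that it decompresses at runtime) can be checked for statically. The following is an added detection heuristic, not Proofpoint's code or tooling: it assumes an OOXML .docx in which ActiveX controls live under word/activeX/*.bin, uses the public SWF signatures (FWS uncompressed, CWS zlib, ZWS LZMA), inflates CWS bodies to look for a nested SWF, and flags the same Flash object appearing in more than one control; the sample document is constructed inline.

```python
import hashlib
import io
import re
import struct
import zipfile
import zlib

# SWF signature (FWS = uncompressed, CWS = zlib, ZWS = LZMA) followed by a plausible version byte.
SWF_SIG = re.compile(rb"(?:FWS|CWS|ZWS)[\x01-\x2f]")


def find_swf(blob, nested=False):
    """Return [(offset, kind, digest)] for SWF headers inside blob. A CWS body is
    inflated and scanned again, so a Flash object that carries a second Flash
    object shows up as a 'nested' hit."""
    hits = []
    for m in SWF_SIG.finditer(blob):
        off, kind = m.start(), m.group()[:3].decode()
        body = blob[off + 8:]  # skip signature, version and file-length fields
        if kind == "CWS":
            try:
                body = zlib.decompressobj().decompress(body)
            except zlib.error:
                continue  # signature-like bytes that are not a zlib SWF
        hits.append((off, ("nested:" if nested else "") + kind, hashlib.sha256(body).hexdigest()))
        if kind == "CWS":
            hits.extend(find_swf(body, nested=True))
    return hits


def scan_docx(data):
    """Scan a .docx zip for Flash objects in ActiveX parts; report per-part hits,
    digests embedded in more than one control, and whether any SWF nests another."""
    swf, seen = {}, {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.startswith("word/activeX/") and name.endswith(".bin"):
                hits = find_swf(z.read(name))
                if hits:
                    swf[name] = hits
                    for _, kind, digest in hits:
                        if not kind.startswith("nested"):
                            seen.setdefault(digest, []).append(name)
    return {"swf": swf,
            "duplicates": [d for d, parts in seen.items() if len(parts) > 1],
            "nested": any(k.startswith("nested") for h in swf.values() for _, k, _ in h)}


def build_sample():
    """Constructed sample (hypothetical): two ActiveX parts that each embed the same
    zlib-compressed SWF, which in turn carries an uncompressed FWS blob."""
    inner = b"FWS\x08" + struct.pack("<I", 12) + b"\x00\x00\x00\x00"
    outer = b"CWS\x0a" + struct.pack("<I", 8 + len(inner)) + zlib.compress(inner)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        for n in (1, 2):
            z.writestr(f"word/activeX/activeX{n}.bin", b"\x00" * 16 + outer)  # padding stands in for the OLE header
    return buf.getvalue()
```

A real control part is an OLE compound file rather than zero padding, so the offsets will differ, but the signature search does not depend on the container layout.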

The researchers claim that the hackers are working to hit new targets: "APT28 appears to be moving rapidly to exploit this newly documented vulnerability before the available patch is widely deployed," they wrote.

"Because Flash is still present on a high percentage of systems and this vulnerability affects all major operating systems, it is critical that organizations and end users apply the Adobe patch immediately.

"APT28 is a sophisticated state-sponsored group that is using the vulnerability to attack potentially high-value targets but it is likely that other threat actors will follow suit and attempt to exploit this vulnerability more widely, whether in exploit kits or via other attack vectors."

Lee Munson, a security researcher at Comparitech.com, added: "A Russian Fancy Bear sounds like it should be the life and soul of a party but this one is in fact a pooper, and Adobe Flash is its unfortunate target.

"Proving that all good vulnerabilities will be exploited, the re-engineered or independently discovered attack method is, unsurprisingly, being used against large, high value government targets and critical businesses, two of the most popular current targets in the world of cyber-shenanigans.

"That's not to say the Kremlin-linked hackers will not go beyond politically motivated targets though, meaning other businesses and individuals alike will need to be on their guard against an exploit that has a liking for a number of Windows and Apple flavoured operating systems.

"As ever, the best way to ensure your systems are not at risk from a Flash based exploit is to not wait for Adobe to kill it off in 2020 but to get rid of the insecure and troublesome tool right away."

Kevin Epstein, VP of the threat operations centre at Proofpoint, told us:

"Many organizations won't be affected by the targeted attacks we observed - they are, by their nature, narrow in scope. This attack exemplifies the techniques of modern state-sponsored targeted attacks, which tightly integrate social engineering with advanced techniques to trick users into clicking on links, opening documents, and enabling embedded code.

"However, we tend to see these tools and techniques trickle down to financially motivated actors. This means that a much larger group of organizations will potentially be affected by broader attacks from other threat actors who adopt these exploits in the weeks to come and attempt to leverage this very recently patched Flash vulnerability in exploit kits and malicious attachments.

"The message for all organizations, though, is to maintain rigorous patching regimens; the sooner this patch is deployed, the sooner they won't be vulnerable to this particular attack, whether as a potentially high-value target for APT28 or as part of a more ordinary attack later on."