Vulnerabilities have been found in Adobe software once again. Cybersecurity researchers have discovered a new zero-day vulnerability in Adobe Flash Player that attackers are actively exploiting in the wild, as part of a targeted campaign that appears to be aimed at a Russian state health care institution before it moves on to the rest of the world.
The vulnerability, tracked as CVE-2018-15982, is a use-after-free flaw in Flash Player that, if exploited successfully, allows an attacker to execute arbitrary code on the targeted computer and eventually gain full control of the system.
The vulnerability was spotted last week by researchers inside malicious Microsoft Office documents that had been submitted from a Ukrainian IP address to VirusTotal, the online multi-engine malware scanning service.
How does this exploit work?
The carefully crafted malicious Microsoft Office documents contain a Flash ActiveX control embedded in the header of the document. The control renders when the targeted user opens the document, which triggers the reported Flash Player vulnerability. However, according to the researchers, neither the Flash exploit nor the Office file itself (22.docx) contains the final payload that takes control of the system.
The final payload is hidden inside an image file (scan42.jpg) that is in fact an archive. The image is packed together with the Office file inside a parent WinRAR archive, which is then distributed through spear-phishing emails.
Upon opening the document, the Flash exploit executes a command on the system to unpack the image file and run the final payload (backup.exe), which is protected with VMProtect and installs a backdoor capable of:
- Monitoring user activity (keyboard input and mouse movement),
- Collecting system information and sending it to a remote command-and-control (C&C) server,
- Executing shellcode,
- Loading PE files in memory,
- Downloading files,
- Executing code, and
- Performing self-destruction.
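Two of the delivery traits described above (a Flash ActiveX control stored inside a .docx, and an image file that is really an archive) are cheap to check for during mail or upload triage. The following is an added example written for this post, not code from the researchers; the Flash control CLSID and the archive magic bytes are well-known constants, while the sample .docx it builds is constructed here and contains no exploit content.

```python
import io
import re
import zipfile
from typing import List, Optional

# CLSID of the Shockwave Flash ActiveX control, as Word records it in word/activeX/*.xml
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"

# Magic bytes of archive containers; the file extension is deliberately ignored
ARCHIVE_MAGIC = {b"Rar!\x1a\x07": "rar", b"PK\x03\x04": "zip", b"7z\xbc\xaf\x27\x1c": "7z"}
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".bmp")


def docx_flash_controls(docx_bytes: bytes) -> List[str]:
    """Return the ActiveX parts of a .docx whose classid is the Flash control."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/activeX/") and name.endswith(".xml")):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            m = re.search(r'classid="\{?([0-9A-Fa-f-]{36})\}?"', xml)
            if m and m.group(1).upper() == FLASH_CLSID:
                hits.append(name)
    return hits


def archive_masquerading_as_image(filename: str, data: bytes) -> Optional[str]:
    """Return the archive type when an image-named file starts with archive magic, else None."""
    if not filename.lower().endswith(IMAGE_EXT):
        return None
    for magic, kind in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def build_sample_docx() -> bytes:
    """Constructed sample: a docx-shaped zip with a Flash ActiveX part (no exploit content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/header1.xml", "<w:hdr/>")
        ocx = '<ax:ocx ax:classid="{%s}" ax:persistence="persistStreamInit"/>' % FLASH_CLSID
        zf.writestr("word/activeX/activeX1.xml", ocx)
    return buf.getvalue()
```

A hit from either function is a reason to detonate the attachment in a sandbox rather than deliver it; the checks are indicators, not proof of exploitation.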
Gigamon Applied Threat Research and the Chinese cyber-security firm Qihoo 360 Core Security, who spotted the malware campaign and named it “Operation Poison Needles,” have not attributed the attack to any state-sponsored hacking group.
Am I affected?
The vulnerability affects Adobe Flash Player versions 18.104.22.168 and earlier for products including Flash Player Desktop Runtime and Flash Player for Google Chrome, Microsoft Edge and Internet Explorer 11. Adobe Flash Player Installer versions 31.0.0.108 and earlier are also affected.
Researchers reported the Flash zero-day exploit to Adobe on November 29, after which the company acknowledged the issue and released Adobe Flash Player version 22.214.171.124 for Windows, macOS, Linux and Chrome OS, and Adobe Flash Player Installer version 126.96.36.199.
This is not the first time this year Adobe has had issues; in October alone we reported 11 vulnerabilities (4 of them critical) that were being patched by the company. If you require assistance with any patching, especially this one, please contact us right away.
If you would like to keep up to date with all new alerts, subscribe below.