These days it's perfectly possible to go about your daily business on the web without needing Adobe's Flash Player at all.
In fact, the player now seems to survive mainly as an infection vector, the latest example being a new zero-day vulnerability identified by Kaspersky Lab that is already being exploited in the wild.
The Kaspersky Lab advanced exploit prevention system has identified a new Adobe Flash zero-day exploit, used in an attack on October 10, 2017 by a threat actor known as BlackOasis. The exploit is delivered through a Microsoft Word document and deploys the FinSpy commercial malware. Kaspersky Lab has reported the vulnerability to Adobe, which has issued an advisory.
According to Kaspersky Lab researchers, the zero-day, CVE-2017-11292, has been spotted in a live attack, and they advise businesses and government organizations to install the update from Adobe immediately.
The researchers believe that the group behind the attack was also responsible for CVE-2017-8759, another zero-day reported in September, and they are confident that the threat actor involved is BlackOasis, which the Kaspersky Lab Global Research and Analysis Team began tracking in 2016.
The group uses lure documents promising salacious details to tempt targets into opening the Word document, which in turn loads the embedded malicious SWF content, making for effective spear-phishing attacks.
“The attack using the recently discovered zero-day exploit is the third time this year we have seen FinSpy distribution through exploits to zero-day vulnerabilities,” said Anton Ivanov, lead malware analyst at Kaspersky Lab. “Previously, actors deploying this malware abused critical issues in Microsoft Word and Adobe products. We believe the number of attacks relying on FinSpy software, supported by zero day exploits such as the one described here, will continue to grow.”
Kaspersky Lab experts advise organizations to take the following actions to protect their systems and data against this threat:
- If not already implemented, set the ActiveX kill bit for the Flash Player control so that Internet Explorer and Office documents can no longer load it, and, wherever possible, disable or remove Flash completely.
- Implement an advanced, multi-layered security solution that covers all networks, systems and endpoints.
- Educate and train personnel on social engineering tactics as this method is often used to make a victim open a malicious document or click on an infected link.
- Conduct regular security assessments of the organization’s IT infrastructure.
- Use Kaspersky Lab's Threat Intelligence, which tracks cyberattacks, incidents and threats and provides customers with up-to-date, relevant information they may otherwise be unaware of.
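The kill-bit recommendation above is a registry change, and since this exploit arrives inside a Word document rather than a web page, the bit needs to be set where Office looks as well as where Internet Explorer looks. The following PowerShell is an added example, not part of the Kaspersky Lab advisory or the Securelist write-up. The CLSID is Adobe's published Shockwave Flash Object identifier and the Internet Explorer ActiveX Compatibility path is Microsoft's documented kill-bit location; the Office COM Compatibility path follows Microsoft's Office COM kill bit guidance and should be confirmed against your Office build before deployment.

```powershell
# Added example: set the ActiveX kill bit for the Flash Player control.
# Run from an elevated PowerShell session.

# CLSID of the Adobe Flash Player ActiveX control ("Shockwave Flash Object").
$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
# Compatibility Flags value 0x400 = kill bit: the host refuses to instantiate the control.
$KillBit = 0x400

$KillBitKeys = @(
    # Internet Explorer ActiveX compatibility list, 64-bit registry view.
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid",
    # Same list as seen by 32-bit processes on 64-bit Windows.
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid",
    # Office COM kill bit (per Microsoft's Office COM kill bit guidance; confirm for your build):
    # blocks the control inside Word/Excel/PowerPoint documents.
    "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$FlashClsid",
    # 32-bit Office on 64-bit Windows reads the redirected view.
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\$FlashClsid"
)

foreach ($Key in $KillBitKeys) {
    if (-not (Test-Path -Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }
    New-ItemProperty -Path $Key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value $KillBit -Force | Out-Null
}

# Verify: read every key back and report any where the kill bit is not actually set.
foreach ($Key in $KillBitKeys) {
    $Flags = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' `
        -ErrorAction SilentlyContinue).'Compatibility Flags'
    $IsSet = ($null -ne $Flags) -and (($Flags -band $KillBit) -eq $KillBit)
    $Status = if ($IsSet) { 'OK     ' } else { 'MISSING' }
    "$Status $Key"
}
```

The change takes effect for newly started Internet Explorer and Office processes, so instances already running should be closed. Setting the kill bit blocks the control from being instantiated but does not remove Flash Player; where the advisory's stronger recommendation is feasible, uninstall Flash outright and keep the kill bit as a backstop against a stray copy.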
For technical details, including indicators of compromise and YARA rules, please read the blogpost on Securelist.com.