New Adobe Flash zero-day exploit allows attackers to compromise trusted sites and hijack end users’ computers
Security researchers warned on Tuesday that a previously unknown vulnerability in fully patched versions of Adobe’s Flash Player is being exploited by attackers to secretly install malware on end users’ computers.
Researchers from antivirus provider Trend Micro said in a blog post published on Tuesday that the attackers behind Pawn Storm are using a new Adobe Flash zero-day exploit in their latest campaign. Pawn Storm is a long-running cyber-espionage campaign known for its high-profile targets and for its use of the first Java zero-day seen in the last couple of years.
The researchers wrote:
In this most recent campaign of Pawn Storm, several Ministries of Foreign Affairs received spear phishing e-mails. These contain links to sites that supposedly contain information about current events, but in reality, these URLs hosted the exploit. In this wave of attacks, the emails were about the following topics:
“Suicide car bomb targets NATO troop convoy Kabul”
“Syrian troops make gains as Putin defends air strikes”
“Israel launches airstrikes on targets in Gaza”
“Russia warns of response to reported US nuke buildup in Turkey, Europe”
“US military reports 75 US-trained rebels return Syria”
It’s worth noting that the URLs hosting the new Flash zero-day exploit are similar to the URLs seen in attacks that targeted North Atlantic Treaty Organization (NATO) members and the White House in April this year.
Once the initial element of surprise decreases, it is not unusual for such zero-day exploits to be more widely distributed. The critical security flaw is known to reside in Flash versions 19.0.0.185 and 19.0.0.207 and may also affect earlier versions. No other technical details are available at this early stage.
In recent months, Pawn Storm has taken a particular interest in foreign affairs ministries. The group has in the past targeted artists, journalists and politicians in Russia. It has also infected the iOS devices of news organizations and Western governments. Some researchers have linked the espionage campaign to the Russian government, but the usual disclaimers about attribution of hacks apply.
Besides malware attacks, fake Outlook Web Access (OWA) servers were also established for various ministries, which are used for simple, but very effective, credential phishing attacks. One Ministry of Foreign Affairs got its DNS settings for incoming mail compromised. This means that Pawn Storm has been intercepting incoming e-mail to this organization for an extended period of time in 2015.
An Adobe spokeswoman said that company researchers are in the process of investigating the proof-of-concept exploit received on Tuesday morning. It would not be surprising to see Adobe publish an emergency update in the next few days, if the exploit is confirmed.
Since it’s not uncommon for attackers to compromise trusted sites and use them to attack the people who visit them, it’s always good practice to disable Flash on as many sites as possible. Many browsers offer a click-to-play mechanism that blocks Flash-based content on each site visited unless the end user explicitly approves it. A more thorough approach, however, is to uninstall Flash completely.
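Until Adobe ships a fix, the practical question for an administrator is which machines still carry an exposed Flash build. The script below is an added example, not code from the article or from Trend Micro: it parses the version strings Flash reports (Adobe’s dotted form and the comma-separated form shown in the Flash version dialog and Windows registry) and flags every host whose build is at or below 19.0.0.207, the newer of the two builds Trend Micro named, since the advisory says earlier builds may also be affected. The host names and version strings in the inventory are constructed for the example; the cut-off constant is an assumption drawn from the two builds named above, not a statement of which build Adobe will fix.

```python
"""Triage a host inventory for Flash Player builds that may carry the flaw.

Added example, not part of the original article. Treats any build that is
not newer than 19.0.0.207 (the newest build Trend Micro named) as exposed,
because the advisory says earlier builds may also be affected.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, ...]

# Builds named in the advisory; assumption: anything <= the newer one is exposed.
NAMED_AFFECTED = ("19.0.0.185", "19.0.0.207")
LAST_AFFECTED: Version = (19, 0, 0, 207)

# Four numeric fields separated by '.' or ',' anywhere in the string, so both
# "19.0.0.207" and the dialog/registry form "WIN 19,0,0,207" are accepted.
_VERSION_RE = re.compile(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)")


def parse_flash_version(text: str) -> Optional[Version]:
    """Return the build as a tuple of ints, or None if no 4-part build is found."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def is_exposed(version: Optional[Version]) -> bool:
    """Unparseable versions are treated as exposed so they get looked at."""
    if version is None:
        return True
    return version <= LAST_AFFECTED


def triage(inventory: Iterable[Tuple[str, Optional[str]]]) -> Dict[str, str]:
    """Map host -> 'not_installed' | 'unknown' | 'exposed' | 'patched'.

    A None version string means Flash is not installed, which is the
    desired end state given the advice above.
    """
    report: Dict[str, str] = {}
    for host, raw in inventory:
        if raw is None:
            report[host] = "not_installed"
            continue
        version = parse_flash_version(raw)
        if version is None:
            report[host] = "unknown"
        elif is_exposed(version):
            report[host] = "exposed"
        else:
            report[host] = "patched"
    return report


# Constructed sample inventory; hosts and builds are illustrative only.
SAMPLE_INVENTORY = [
    ("mfa-ws-01", "19,0,0,207"),      # newer of the two named builds
    ("mfa-ws-02", "19.0.0.185"),      # older named build
    ("mfa-ws-03", "18.0.0.252"),      # earlier build, may also be affected
    ("mfa-ws-04", "19.0.0.300"),      # hypothetical newer build
    ("mfa-ws-05", None),              # Flash uninstalled
    ("mfa-ws-06", "WIN 19,0,0,207"),  # string as shown by the version dialog
    ("mfa-ws-07", "n/a"),             # inventory agent could not read it
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```

Feed it whatever your inventory tool exports (one host and version string per row); hosts reported as `exposed` or `unknown` are the ones to put behind click-to-play or strip Flash from first.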