Adobe has issued an unscheduled update to correct flaws in Adobe Flash Player, including a zero-day vulnerability that is currently being exploited in the wild by an APT group against targets in Russia. One target was a Russian healthcare facility that provides medical and cosmetic surgery services to high-level civil servants of the Russian Federation.
The zero-day flaw is a use-after-free vulnerability in Flash Player, tracked as CVE-2018-15982, which allows arbitrary code execution with the privileges of the user running Flash. When a victim opens a document carrying the malicious Flash object, the exploit runs attacker-supplied code on the victim's computer and gives the attacker command line access to the system.
The vulnerability was discovered by security researchers at Gigamon ATR, who reported the flaw to Adobe on November 29. Researchers at Qihoo 360 identified a spear phishing campaign that delivers a malicious document and associated files to exploit the flaw. The document used in the campaign was a forged employee questionnaire.
The emails included a .rar compressed file attachment that contained a Word document, the exploit, and the payload. If the .rar file is unpacked and the document opened, the user is presented with a warning that the document may be harmful to the computer. If the user enables the content, the exploit executes a command that extracts and runs the payload: a Windows executable named backup.exe that is disguised as an NVIDIA Control Panel application. backup.exe serves as a backdoor into the system: it collects system information and sends it to the attackers via HTTP POST, and it also downloads and executes shellcode on the infected device.
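As an added example (not code from the article, from Adobe, or from the researchers cited), here is a Python check for the delivery technique described above: a Word document that embeds a Flash object. OOXML stores ActiveX controls as parts under word/activeX/ that carry the control's CLSID; the Shockwave Flash control's CLSID is D27CDB6E-AE6D-11CF-96B8-444553540000, and a bundled SWF file starts with the bytes FWS, CWS or ZWS. The two sample documents the block builds are constructed in memory for illustration and are not the campaign's files.

```python
"""Flag .docx files that embed Adobe Flash content.

Added example: it demonstrates the detection idea, not the campaign's
actual document. The sample documents below are constructed in memory.
"""
import io
import zipfile

# CLSID of the Shockwave Flash ActiveX control (ShockwaveFlash.ShockwaveFlash).
FLASH_CLSID = "d27cdb6e-ae6d-11cf-96b8-444553540000"
# SWF file signatures: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def scan_docx_bytes(data: bytes) -> dict:
    """Return the OOXML parts that reference the Flash control or carry SWF data."""
    findings = {"activex_parts": [], "flash_clsid_parts": [], "swf_parts": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an OOXML package at all
    with zf:
        for name in zf.namelist():
            lower = name.lower()
            content = zf.read(name)
            # Any ActiveX control in a document is worth listing.
            if lower.startswith("word/activex/") and lower.endswith(".xml"):
                findings["activex_parts"].append(name)
            # XML parts naming the Flash control's CLSID (case-insensitive).
            if lower.endswith(".xml"):
                text = content.decode("utf-8", "replace").lower()
                if FLASH_CLSID in text:
                    findings["flash_clsid_parts"].append(name)
            # Binary parts that start with an SWF signature.
            if content[:3] in SWF_MAGICS:
                findings["swf_parts"].append(name)
    return findings


def is_suspicious(findings: dict) -> bool:
    """A document instantiating the Flash control or bundling an SWF is flagged."""
    return bool(findings["flash_clsid_parts"] or findings["swf_parts"])


def build_sample_docx(with_flash: bool) -> bytes:
    """Construct a minimal .docx in memory; with_flash adds a Flash ActiveX part.

    The ActiveX XML and the 4-byte 'CWS' header are illustrative stand-ins,
    not real control data or a real SWF.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns='
            '"http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            zf.writestr(
                "word/activeX/activeX1.xml",
                '<ax:ocx ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}" '
                'xmlns:ax="http://schemas.microsoft.com/office/2006/activeX"/>',
            )
            zf.writestr("word/activeX/activeX1.bin", b"CWS\x0a" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flash in (("clean", False), ("flash", True)):
        result = scan_docx_bytes(build_sample_docx(flash))
        print(label, "suspicious" if is_suspicious(result) else "ok", result)
```

The CLSID check is the important one: the Flash control can be instructed to load its movie from a URL rather than from a bundled file, so a document may instantiate Flash without any SWF bytes inside the package. The check only covers OOXML; a legacy binary .doc stores the control in OLE streams and needs a different parser. Whether a document legitimately embedding Flash should be blocked is a policy decision, but after this advisory there are few reasons to allow it.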
Qihoo 360 researchers named the campaign Operation Poison Needles because the identified target is a healthcare clinic. While the attack appears to be politically motivated and highly targeted, now that details of the vulnerability have been released it is likely that other threat groups will build exploits for it and use them in more widespread attacks.
It is therefore important for businesses that still have Flash Player installed on any of their devices to update to the latest version as soon as possible. Better still, uninstall Flash Player wherever it is not required, given the number of vulnerabilities discovered in the software each month.
The vulnerability is present in Flash Player 31.0.0.153 and all earlier versions. Adobe has corrected the flaw, together with a DLL hijacking vulnerability, in version 32.0.0.101.