Adobe has released an out-of-band security update for Adobe Flash Player that patches a zero-day remote code execution vulnerability actively exploited in the wild.
Kaspersky Lab researchers spotted the live attacks on October 10, 2017, and say that the exploit is delivered through a Microsoft Word document and deploys the most recent version of the FinSpy (aka FinFisher) commercial malware developed by Gamma International.
The attack leveraging CVE-2017-11292
The researchers believe that the zero-day is being leveraged by a threat actor known as BlackOasis, who they also credit for exploiting CVE-2017-8759, another zero day used for distributing FinSpy that has been reported in September.
“The FinSpy payload used in the current attacks (CVE-2017-11292) shares the same command and control server as the payload used with CVE-2017-8759 uncovered by FireEye,” they noted.
Once CVE-2017-11292 is exploited, the FinSpy malware is installed on the target computer and connects to C&C servers located in Switzerland, Bulgaria and the Netherlands, to await further instructions and exfiltrate data. At the same time, a lure/decoy document is displayed to the victim.
The researchers believe these attacks are minimal and highly targeted, as they flagged only one in their customer base.
BlackOasis has a long history of exploiting zero-days in their attacks – they used at least five since June 2015. Their interests span a wide gamut of figures involved in Middle Eastern politics and verticals disproportionately relevant to the region, the researchers noted. This includes prominent figures in the United Nations, opposition bloggers and activists, and regional news correspondents.
“The attack using the recently discovered zero-day exploit is the third time this year we have seen FinSpy distribution through exploits to zero-day vulnerabilities,” said Anton Ivanov, lead malware analyst at Kaspersky Lab. “Previously, actors deploying this malware abused critical issues in Microsoft Word and Adobe products. We believe the number of attacks relying on FinSpy software, supported by zero day exploits such as the one described here, will continue to grow.”
According to the security bulletin released by Adobe, the vulnerability is currently being exploited in attacks against users running Windows, but affected product versions also include:
- Adobe Flash Player Desktop Runtime for Macintosh and Linux
- Adobe Flash Player for Microsoft Edge and Internet Explorer 11 (Windows 10 and 8.1)
- Adobe Flash Player for Google Chrome (on Windows, Macintosh, Linux and Chrome OS).
All these product versions should be upgraded as soon as possible to version 220.127.116.11, as there can be no doubt that this exploit will soon trickle down to and be used by regular cyber criminals, against a wide array of targets.
Unfortunately, Flash Player tops the list of most outdated programs on users’ PCs.
Users who can do without Flash Player could uninstall it altogether.