The zero-day Flash Player vulnerability (CVE-2018-4878) that Adobe warned about on Thursday was leveraged by North Korean hackers.
FireEye calls the group TEMP.Reaper and Cisco researchers named it Group 123 (and have been tracking their exploits for a while).
The threat actors leveraging the Flash zero-day
“We have observed TEMP.Reaper operators directly interacting with their command and control infrastructure from IP addresses assigned to the STAR-KP network in Pyongyang. The STAR-KP network is operated as a joint venture between the North Korean Government’s Post and Telecommunications Corporation and Thailand-based Loxley Pacific,” FireEye researchers noted.
“Historically, the majority of their targeting has been focused on the South Korean government, military, and defense industrial base; however, they have expanded to other international targets in the last year.”
In this latest attack, first flagged by the South Korean CERT, the targets were obviously South Korean.
The Excel file carrying an embedded SWF file with the exploit is in Korean.
“Upon opening and successful exploitation, a decryption key for an encrypted embedded payload would be downloaded from compromised third-party websites hosted in South Korea. Preliminary analysis indicates that the vulnerability was likely used to distribute the previously observed DOGCALL malware to South Korean victims,” FireEye researchers shared.
Cisco researchers call the malware ROKRAT, and it allows attackers to fiddle with the compromised system remotely.
“One of the ROKRAT samples identified used a naming reference to Hancom Secure AnySign. It is a reference to a legitimate application developed by Hancom Secure for PKI & authentication mechanisms. It is a software application used to protect user data and is massively used in South Korea,” they explained.
“This payload is a shellcode loaded in memory and executed. We identified Flash exploits from November 2017.”
Mitigation and fixes
This was apparently an extremely targeted attack, and it is unlikely that anyone else is taking advantage of the exploit – for now. Still, with the vulnerability now public, it’s likely that criminals are already working on creating an exploit.
Adobe has said it “will address this vulnerability in a release planned for the week of February 5.”
In the meantime, they advised enterprise administrators to consider implementing Protected View for Office, so potentially unsafe files are opened in Read-only mode.
End users could temporarily uninstall Flash if they don’t particularly need it.
“The most common ‘need’ we hear for Flash is to watch web videos, but almost all websites will use HTML5 for videos if you don’t have Flash. If you uninstall it, your browser will use its built-in video player instead – so you probably don’t need Flash after all,” Sophos’ Paul Ducklin noted.
He also pointed out that just turning off Flash in your browser isn’t enough to remove the risk of this particular attack – the Flash Player software has to be removed from the computer as a whole.
If you choose to continue using Flash Player, implement the security updates when they are released or as soon as possible.
UPDATE (February 6, 2018):
Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS, to fix CVE-2018-4878 and another critical vulnerability that could lead to remote code execution in Adobe Flash Player 188.8.131.52 and earlier versions.