If you were looking for a reason to uninstall Adobe Flash Player, here it is: an increasingly sophisticated hacking group from North Korea has been exploiting a zero-day vulnerability in Adobe’s Flash Player that lets it take full control of infected machines, researchers said Friday.
The alert was issued by South Korea’s Computer Emergency Response Team (KR-CERT), who warned that the Flash Player zero-day vulnerability was being exploited to target Windows users in South Korea. Simon Choi of South Korea-based cybersecurity firm Hauri was the first to sound the alarm bells on Twitter, warning that the hackers have been using the Flash zero-day against South Koreans since mid-2017.
Use-After-Free Vulnerability
Adobe released an advisory on Wednesday, saying the attackers are exploiting a critical ‘use-after-free’ vulnerability (CVE-2018-4878) in its Flash media software that leads to remote code execution. This critical vulnerability affects Adobe Flash Player version 28.0.0.137 and earlier versions for:
- Desktop Runtime (Win/Mac/Linux)
- Google Chrome (Win/Mac/Linux/Chrome OS)
- Microsoft Edge and Internet Explorer 11 (Win 10 & 8.1)
“Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users,” the advisory said. “These attacks leverage Office documents with embedded malicious Flash content distributed via email. Adobe will address this vulnerability in a release planned for the week of February 5.”
The vulnerability resides in the latest version of the highly popular Flash, according to researchers from Cisco Systems’ Talos group. In a separate statement, Adobe said that versions earlier than the current Flash 28.0.0.137 are also vulnerable.
How It Is Being Exploited
According to Talos, the hackers are using a Microsoft Excel document with a malicious object embedded in it to spread the exploit. The moment the SWF object is triggered, it installs ROKRAT, a remote administration tool that Talos has been tracking since January 2017. Previously, the team behind ROKRAT (referred to as Group 123) had relied on social engineering and older, well-known vulnerabilities that users had not yet patched. Only now have the hackers begun using a zero-day exploit.
And it is not rocket science. The attackers only need to coax victims into opening a Microsoft Office file containing a maliciously crafted Adobe Flash file, after which the exploit gives them control of the affected computer. Adobe sought to reassure its customers in its advisory, saying that the company planned to address the vulnerability in a “release planned for the week of February 5”. However, KR-CERT is advising users to disable or completely remove the buggy software. Users are also encouraged to refrain from using Microsoft’s Internet Explorer browser and to use Mozilla’s Firefox browser instead.
On Thursday, Adobe recommended:
“Beginning with Flash Player 27, administrators have the ability to change Flash Player’s behavior when running on Internet Explorer on Windows 7 and below by prompting the user before playing SWF content. For more details, see this administration guide. Administrators may also consider implementing Protected View for Office. Protected View opens a file marked as potentially unsafe in Read-only mode,”
Adobe said.
Talos’ researchers Warren Mercer and Paul Rascagneres said in their Friday blog,
“Group 123 have now joined some of the criminal elite with this latest payload of ROKRAT. They have used an Adobe Flash 0day which was outside of their previous capabilities—they did use exploits in previous campaigns but never a net new exploit as they have done now. This change represents a major shift in Group 123’s maturity level; we can now confidently say that Group 123 is a highly skilled, motivated and sophisticated group.”
South Korea Targeted
It appears that Group 123 is concentrating its efforts on infecting targets within South Korea. The hackers are reported to be fluent Korean speakers with extensive knowledge of the Korean Peninsula. While the researchers from Talos stopped short of blaming North Korea, one South Korean security researcher posted in a tweet that the Flash exploit was “made by North Korea.” Efforts to obtain more information from him regarding the tweet were fruitless.
There has been a significant drop in the number of in-the-wild attacks exploiting Flash zero-days over the last couple of years, but the risk Flash poses remains high relative to the benefits it offers users. With word of the vulnerability spreading like a bushfire, other groups may yet exploit it against a far wider audience.
People who rely on sites that require Flash are advised to use Google’s Chrome browser in the meantime, as it ships a customized version of the player that runs inside a security sandbox and can be enabled for specific sites only, while they wait for Adobe to release a patched version of Flash in the week commencing February 5.