Malicious Spreadsheets With Embedded Flash Trace to North Korean Attackers
(euroinfosec) • February 7, 2018
Wary of nation-state attackers, government malware developers, criminals or bored teenagers wielding automated attack tools? Stop using Adobe Flash.
That's the obvious takeaway following the news that a group of attackers with apparent ties to the government of North Korea have been exploiting a zero-day vulnerability in the Flash browser plug-in.
On Tuesday, Adobe released new versions of Flash for Windows, Macintosh, Linux and Chrome OS that patch two flaws, both of them use-after-free vulnerabilities, designated CVE-2018-4877 and CVE-2018-4878.
Affected Versions of Flash
For both flaws, 'a successful attack can lead to arbitrary code execution,' the Common Vulnerabilities and Exposures database warns, meaning that an attacker could remotely take control of a system and access the data on it.
'Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users,' reads an Adobe security alert released Tuesday. 'These attacks leverage Office documents with embedded malicious Flash content distributed via email.'
Credit for finding CVE-2018-4878 goes to South Korea's Korea Internet & Security Agency (KISA), whose KrCERT/CC published a security alert on Jan. 31. It recommended removing all instances of Flash Player until a patch was available.
This is not the first time that security experts have warned individuals and organizations that use Flash to immediately remove the plug-in from their systems (see Emergency Flash Patch Battles Ransomware).
In fact, for years the prevailing security wisdom has been that unless organizations or individuals can identify a solid business reason for using Flash, it is safer to avoid it (see 2016 Resolution: Ditch Flash).
Flash-Carrying Excel Spreadsheet Attacks
On Friday, information security researchers at Cisco's Talos group reported that they had recovered a malicious Microsoft Excel spreadsheet, written in Korean, that exploits CVE-2018-4878 via an embedded Flash object. Simply opening the document can allow it to download a malware payload from one of several compromised South Korean websites and then execute it.
How Attacks Proceed
'We identified that the downloaded payload is the well-known remote administration tool named ROKRAT,' the Cisco Talos researchers write in a blog post. The RAT, which they discovered last April, is now well known and 'is particularly used with cloud platforms in order to exfiltrate documents and manage infected systems,' they say.
Fake Anime at Work
ROKRAT has been previously seen in numerous attacks, including phishing campaigns that use malicious Word documents. It includes numerous capabilities designed to help it evade detection.
'Researchers found that ROKRAT has a feature to detect if the victim's system is running any processes associated with malware detection, debugging tools, or sandbox environments,' researchers at security firm AlienVault said in a blog post published last year. 'If detected, the malware will generate dummy HTTP traffic to legitimate websites, including Amazon and Hulu' - as well as Twitter - 'to mask its malicious activities. To the untrained eye, the victim appears to be watching anime at work.'
Attacker: Group 123
Cisco Talos researchers say ROKRAT appears to be a tool developed and used by a hacking team designated 'Group 123,' which appears to have ties to North Korea. Last month, the researchers said they'd traced at least six attack campaigns last year to the group. Targets included South Korean organizations as well as international organizations.
But Group 123 has never before been tied to the use of a zero-day vulnerability, they say, leading them to rate the hacking team as 'highly skilled, highly motivated and highly sophisticated.'
Costin Raiu, director of Kaspersky Lab's global research and analysis team, notes that each infection sends a unique ID to the compromised website, which returns a short decryption key that allows the attack to proceed. Without the decryption key, however, security researchers would likely have a difficult time analyzing the attack code.
No decryption key, no fun. Key server was at: hxxp://www[.]dylboiler[.]co[.]kr/admincenter/files/board/4/manager[.]php
— Costin Raiu (@craiu) February 2, 2018
Cisco suspects the attackers reserved their zero-day for prized targets. 'Whilst Talos do not have any victim information related to this campaign, we suspect the victim has been a very specific and high value target,' they write. 'Utilizing a brand new exploit, previously not seen in the wild, displays they were very determined to ensure their attack worked.'
Flash Set to Retire in 2020
The Flash-using campaign against South Koreans is a reminder that attackers can potentially exploit any software - including browser plug-ins - present on a PC.
But where browsers and plug-ins are concerned, security strides are being made. Since 2016, attacks launched via automated exploit kits, which are planted on compromised websites to run drive-by attacks against known vulnerabilities in browsers and plug-ins, have been in decline. Many experts say that's thanks to security improvements on numerous fronts, including both browser makers and plug-in makers hardening their software and adding auto-update functionality. That has left would-be attackers with fewer widely installed vulnerabilities that they can easily exploit en masse.
Adobe, meanwhile, last year signaled that it plans to retire Flash by 2020 due to declining usage and a move to HTML5.
For anyone concerned about being exploited via a known or as-yet-unknown flaw in the Adobe plug-in now or in the future, why wait for Flash's retirement party?
Do you still use Adobe's Flash Player? Maybe not as much as before, right? Browser makers are all trying their best to finally lay Flash on its deathbed. Its decline has been slow but steady: it is a perennial target for attackers and a notorious resource hog that crashes browsers regularly.
And yet Flash is still alive and kicking, and plenty of websites still use it to display their content. So stop us if you've heard this one before: if you're still a Flash holdover, update it now!
Adobe rushed another emergency patch to fix a zero-day vulnerability, and it's critical that you update your Flash software as soon as you can.
Note: Zero-day vulnerabilities are especially dangerous because they are flaws that attackers are already exploiting before the software maker knows about them, so no patch exists when the attacks begin.
Another zero-day Flash flaw
Adobe has issued another out-of-band emergency patch for its infamous Flash software, fixing a critical zero-day bug that is already being exploited by attackers.
Security researchers from Chinese cybersecurity firm Qihoo 360 discovered the flaw after spotting a targeted advanced persistent threat (APT) attack aimed at a Russian medical clinic. The facility is known for providing health-care and cosmetic services to high-level Russian Federation employees and to prominent Russian scientists and artists.
Codenamed 'Operation Poison Needles' by Qihoo, the zero-day attack arrives as a RAR-compressed Word document disguised as a seven-page job application questionnaire. Embedded within the document is a Flash ActiveX object that harbors the exploit.
The method of distribution? The booby-trapped document is sent via phishing emails to the intended targets. If a target opens the document and allows the embedded Flash ActiveX object to run, the zero-day exploit executes the attacker's code on the machine, which then downloads a remote spying tool.
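Both campaigns on this page deliver the exploit the same way: a Flash object embedded in an Office document, whether the Korean-language Excel spreadsheet Talos recovered or the Word questionnaire in Operation Poison Needles. A quick triage check for incoming mail attachments is to unpack the OOXML container (.docx/.xlsx/.pptx are zip files) and look for the Shockwave Flash ActiveX class ID in any XML part and for an SWF file header in any binary part. The Python below is an added example written for this page; it is not code from the original articles, from Cisco Talos or from Qihoo 360. The part names it uses (xl/activeX/activeX1.xml, xl/embeddings/oleObject1.bin) follow the normal OOXML layout, the sample documents it builds are constructed in-memory for illustration, and the header checks are heuristics rather than a complete detector (legacy OLE2 .doc/.xls files and RAR wrappers need separate handling).

```python
"""Triage an OOXML document for embedded Flash content.

Added example for this page (not the article's, Talos's or Qihoo 360's code).
Heuristics, stated as assumptions:
  * an SWF starts with 'FWS' (uncompressed), 'CWS' (zlib) or 'ZWS' (LZMA),
    then a 1-byte version and a 4-byte little-endian uncompressed length;
  * the Shockwave Flash ActiveX control is identified by CLSID
    {D27CDB6E-AE6D-11cf-96B8-444553540000} in the ActiveX XML part.
"""
import io
import sys
import zipfile
import zlib

SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
FLASH_CLSID = b"D27CDB6E-AE6D-11CF-96B8-444553540000"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound-file signature


def looks_like_swf(header: bytes) -> bool:
    """Sanity-check an 8-byte SWF header to avoid matching random 'CWS' bytes."""
    if len(header) < 8 or header[:3] not in SWF_MAGIC:
        return False
    version = header[3]
    declared_len = int.from_bytes(header[4:8], "little")
    # SWF versions are small integers; declared length covers at least the header.
    return 1 <= version <= 60 and 8 <= declared_len <= 200 * 1024 * 1024


def scan_ooxml(data: bytes) -> list:
    """Return (part_name, reason) findings for an OOXML document given as bytes."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<file>", "not a zip/OOXML container")]
    with zf:
        for name in zf.namelist():
            blob = zf.read(name)
            if name.lower().endswith((".xml", ".rels")):
                # ActiveX parts name the control by CLSID; case varies between writers.
                if FLASH_CLSID in blob.upper():
                    findings.append((name, "Shockwave Flash ActiveX CLSID"))
                continue
            # Binary part: the SWF may sit inside an OLE stream, so search the
            # whole blob rather than only its start.
            for magic in SWF_MAGIC:
                idx = blob.find(magic)
                while idx != -1:
                    if looks_like_swf(blob[idx:idx + 8]):
                        kind = "OLE-embedded" if blob.startswith(OLE_MAGIC) else "raw"
                        findings.append(
                            (name, f"SWF header {magic.decode()} at offset {idx} ({kind})"))
                        break
                    idx = blob.find(magic, idx + 1)
    return findings


def make_swf(compressed: bool = True) -> bytes:
    """Constructed SWF-shaped bytes: valid header, placeholder body (not a real movie)."""
    body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00\x40\x00\x00\x00"
    header = bytes([30]) + (8 + len(body)).to_bytes(4, "little")  # version, uncompressed length
    if compressed:
        return b"CWS" + header + zlib.compress(body)
    return b"FWS" + header + body


def build_sample(embed_flash: bool) -> bytes:
    """Construct an .xlsx-shaped zip; with embed_flash=True it mimics a spreadsheet
    carrying a Flash ActiveX control plus an OLE-wrapped SWF (sample data, constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if embed_flash:
            zf.writestr("xl/activeX/activeX1.xml",
                        '<ax:ocx ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}"/>')
            # Fake OLE2 prefix (signature + zero-filled header sector) followed by the SWF.
            zf.writestr("xl/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 504 + make_swf())
    return buf.getvalue()


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:  # scan real files given on the command line
        for path in paths:
            with open(path, "rb") as fh:
                print(path, scan_ooxml(fh.read()) or "clean")
    else:      # self-demo on the constructed samples
        for label, doc in (("clean sample", build_sample(False)),
                           ("flash sample", build_sample(True))):
            print(label, scan_ooxml(doc) or "clean")
```

Run it as `python scan_ooxml.py suspect.xlsx suspect.docx` to triage real attachments, or with no arguments to see the constructed clean and Flash-carrying samples. A hit on either heuristic is a reason to detonate the file in a sandbox, not proof of exploitation: legitimate documents with embedded Flash exist, though by 2018 they should be rare enough to justify blocking at the gateway.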
The bugs
The critical vulnerability is a use-after-free bug (CVE-2018-15982), and Adobe warns that a successful exploit could lead to remote code execution.
Another important fix is included in the emergency patch (CVE-2018-15983); it addresses a privilege escalation vulnerability caused by DLL hijacking in the Flash Player installer.
Who's responsible for the attacks?
Qihoo 360 said that the source of the attacks is still under investigation but due to the clientele of the targeted Russian polyclinic, it is likely that it is political in nature.
The zero-day exploit's code also shares similarities with exploits deployed by the Italian spyware developer Hacking Team, whose tools were leaked back in 2015.
This suggests that this current Flash attack may be from a separate hacking group who gained possession of HackingTeam's leaked exploits and is now using the tools for political ends.
However, the main thing you need to know about this incident is that the zero-day flaw is out there and other enterprising cybercrooks will inevitably exploit it too. If you're still using Flash on a regular basis, update your software now!
How to update Flash
If you still rely on Flash Player for websites (you shouldn't), it's important that you update to the latest version, 32.0.0.101, immediately.
Here's how to update your system's Flash software:
For Chrome, Internet Explorer 11 and Microsoft Edge browsers, the updates should be applied automatically after a restart. For other browsers, you may need to update the Flash plugin manually.
The patched release for Windows, Mac, Linux and Chrome OS, and for the Flash bundled with Chrome, Microsoft Edge and Internet Explorer 11, is 32.0.0.101. Any Flash Player installer still reporting a 31.x version such as 31.0.0.122 is out of date and should be replaced with the current download from Adobe.