Stop us if you’ve heard this one: A Flash zero-day vulnerability is being actively targeted in the wild.
Researchers with Gigamon Applied Threat Research (ATR) and Qihoo 360 uncovered a phishing campaign that exploits CVE-2018-15982, prompting Adobe to release an out-of-band update to patch up the flaw.
In its current form, the attack bundles exploit code for the Flash zero-day (a use-after-free bug) with an ActiveX call that is embedded within an Office document. The attacker delivers the document via a spear-phishing email. ATR noted that some of the samples appear to mimic documents from a Russian medical clinic, though others were not specifically targeted towards any one company or group.
When the target opens the poisoned Doc, the ActiveX plug-in calls up Flash Player to run the attack code. From there, CVE-2018-15982 is exploited and the malware looks to download its real payload; a remote control tool that collects system info and relays it to a command and control system.
Did you hear? There’s a critical security hole that lets web pages hijack computers. Of course it’s Adobe Flash’s fault
ATR noted that the attack pattern bears a striking resemblance to the type of exploits performed by software from Hacking Team, the notorious Italian mercenary crew that pitches its services out to government agencies.
The researchers are hesitant, however, to declare this the definite work of Hacking Team, as opposed to a lookalike operation that mimics its techniques.
“While attribution is going to be difficult in this scenario given the evidence we had within the timeframe of analysis, it is really not needed for detection purposes,” ATR said.
“At best, it could aid the victim’s organization in determining intent and guiding response actions, but in reality, whether it is Hacking Team, a impersonator, or completely unrelated, the fact remains a valid zero-day might have been used to perform targeted exploitation against a victim.”
In the meantime, Adobe has issued a patch to address both CVE-2018-15982 and CVE-2018-15983, a separate DLL hijacking privilege escalation flaw reported by Souhardya Sardar of Central Model School Barrackpore.
Users and admins are advised to test and install the patch as soon as possible. ®