Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
fireeyeFireEyeFIREEYE:96525D6EA5DBF734A371FB66EB02FA45
HistoryFeb 20, 2018 - 8:30 a.m.

APT37 (Reaper): The Overlooked North Korean Actor

2018-02-2008:30:00
www.fireeye.com
4092

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.974 High

EPSS

Percentile

99.9%

JSON

On Feb. 2, 2018, we published a blog detailing the use of an Adobe Flash zero-day vulnerability (CVE-2018-4878) by a suspected North Korean cyber espionage group that we now track as APT37 (Reaper).

Our analysis of APT37’s recent activity reveals that the group’s operations are expanding in scope and sophistication, with a toolset that includes access to zero-day vulnerabilities and wiper malware. We assess with high confidence that this activity is carried out on behalf of the North Korean government given malware development artifacts and targeting that aligns with North Korean state interests. FireEye iSIGHT Intelligence believes that APT37 is aligned with the activity publicly reported as Scarcruft and Group123.

Read our report, APT37 (Reaper): The Overlooked North Korean Actor, to learn more about our assessment that this threat actor is working on behalf of the North Korean government, as well as various other details about their operations:

  • Targeting: Primarily South Korea – though also Japan, Vietnam and the Middle East – in various industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive, and healthcare.
  • Initial Infection Tactics: Social engineering tactics tailored specifically to desired targets, strategic web compromises typical of targeted cyber espionage operations, and the use of torrent file-sharing sites to distribute malware more indiscriminately.
  • Exploited Vulnerabilities: Frequent exploitation of vulnerabilities in Hangul Word Processor (HWP), as well as Adobe Flash. The group has demonstrated access to zero-day vulnerabilities (CVE-2018-0802), and the ability to incorporate them into operations.
  • Command and Control Infrastructure: Compromised servers, messaging platforms, and cloud service providers to avoid detection. The group has shown increasing sophistication by improving their operational security over time.
  • Malware: A diverse suite of malware for initial intrusion and exfiltration. Along with custom malware used for espionage purposes, APT37 also has access to destructive malware.

More information on this threat actor is found in our report, APT37 (Reaper): The Overlooked North Korean Actor. You can also register for our upcoming webinar for additional insights into this group.

Related

attackerkb 2
threatpost 9
ubuntucve 1
zdt 3
krebs 2
exploitpack 3
fireeye 7
talosblog 3
symantec 2
cvelist 2
malwarebytes 18
cve 2
prion 2
trendmicroblog 4
seebug 1
myhack58 5
checkpoint_advisories 2
kaspersky 2
packetstorm 1
thn 6
adobe 2
cisa_kev 3
mssecure 1
securelist 30
mscve 2
exploitdb 3
nessus 8
openvas 16
redhatcve 2
mageia 1
redhat 1
freebsd 1
carbonblack 1
qualysblog 5
gentoo 1
mskb 8
ics 1
avleonov 1
attackerkb
attackerkb
CVE-2018-4878
2018-02-06 00:00:00
CVE-2018-0802
2018-01-10 00:00:00
threatpost
threatpost
Massive Spam Campaign Targets Unpatched Systems
2018-02-27 17:55:35
Adobe Patches Zero-Day Vulnerability in Flash Player
2018-12-05 15:18:09
Adobe Flash Player Zero-Day Spotted in the Wild
2018-02-01 15:40:55
ubuntucve
ubuntucve
CVE-2018-4878
2018-02-06 00:00:00
zdt
zdt
Adobe Flash 28.0.0.137 Remote Code Execution Exploit
2018-04-04 00:00:00
Flash ActiveX 28.0.0.137 - Code Execution Exploit (2)
2018-05-24 00:00:00
Flash ActiveX 28.0.0.137 - Code Execution Exploit (1)
2018-05-24 00:00:00
krebs
krebs
Attackers Exploiting Unpatched Flaw in Flash
2018-02-02 14:21:06
Microsoft’s Jan. 2018 Patch Tuesday Lowdown
2018-01-10 16:07:35
exploitpack
exploitpack
Adobe Flash 28.0.0.161 - Use-After-Free
2018-04-06 00:00:00
Flash ActiveX 28.0.0.137 - Code Execution (2)
2016-02-13 00:00:00
Flash ActiveX 28.0.0.137 - Code Execution (1)
2016-02-16 00:00:00
fireeye
fireeye
Attacks Leveraging Adobe Zero-Day (CVE-2018-4878) – Threat Attribution, Attack Scenario and Recommendations
2018-02-02 21:15:00
Attacks Leveraging Adobe Zero-Day (CVE-2018-4878) – Threat Attribution, Attack Scenario and Recommendations
2018-02-03 02:15:00
Zero-Day Exploitation Increasingly Demonstrates Access to Money, Rather than Skill — Intelligence for Vulnerability Management, Part One
2020-04-06 00:00:00
talosblog
talosblog
Flash 0-Day In The Wild: Group 123 At The Controls
2018-02-02 08:27:00
Advanced Mobile Malware Campaign in India uses Malicious MDM - Part 2
2018-07-24 22:24:00
Microsoft Patch Tuesday - January 2018
2018-01-09 13:36:00
symantec
symantec
Adobe Flash Player CVE-2018-4878 Use After Free Remote Code Execution Vulnerability
2018-02-01 00:00:00
Microsoft Office CVE-2018-0802 Memory Corruption Vulnerability
2018-01-09 00:00:00
cvelist
cvelist
CVE-2018-4878
2018-02-06 20:00:00
CVE-2018-0802
2018-01-09 00:00:00
malwarebytes
malwarebytes
New Flash Player zero-day comes inside Office document
2018-02-05 20:55:16
Week in security (February 26 – March 4)
2018-03-05 17:00:00
Hermes ransomware distributed to South Koreans via recent Flash zero-day
2018-03-14 17:59:32
cve
cve
CVE-2018-4878
2018-02-06 21:29:00
CVE-2018-0802
2018-01-10 01:29:00
prion
prion
Design/Logic Flaw
2018-02-06 21:29:00
Remote code execution
2018-01-10 01:29:00
trendmicroblog
trendmicroblog
This Week in Security News: Trends and Tea Parties
2018-03-02 14:35:07
This Week in Security News: Botnets and Breaches
2018-02-09 14:00:56
TippingPoint Threat Intelligence and Zero-Day Coverage – Week of February 5, 2018
2018-02-09 16:55:38
seebug
seebug
Adobe Flash Player Use After Free Remote Code Execution Vulnerability(CVE-2018-4878)
2018-02-23 00:00:00
myhack58
myhack58
CVE-2018-4878 case: for a Hong Kong Telecommunications Company website is intrusion investigations-vulnerability and early warning-the black bar safety net
2018-04-10 00:00:00
To see the Hidden Bee how to use a new vulnerability propagation-vulnerability warning-the black bar safety net
2018-08-07 00:00:00
A use cve-2017-11882 and cve-2018-0802 combination of vulnerability a malicious document analysis-vulnerability warning-the black bar safety net
2018-12-25 00:00:00
checkpoint_advisories
checkpoint_advisories
Adobe Flash Player Use After Free (APSB18-03: CVE-2018-4878)
2018-02-04 00:00:00
Microsoft Office Equation Memory Corruption Remote Code Execution (CVE-2018-0802)
2018-01-08 00:00:00
kaspersky
kaspersky
KLA11191 Multiple use-after-free vulnerabilities in Adobe Flash Player
2018-02-01 00:00:00
KLA11170 Multiple vulnerabilities in Microsoft Office
2018-01-09 00:00:00
packetstorm
packetstorm
Adobe Flash 28.0.0.137 Remote Code Execution
2018-04-04 00:00:00
thn
thn
(Unpatched) Adobe Flash Player Zero-Day Exploit Spotted in the Wild
2018-02-01 19:10:00
Alert: Phishing Campaigns Deliver New SideTwist Backdoor and Agent Tesla Variant
2023-09-06 13:50:00
New Chinese Malware Targeted Russia's Largest Nuclear Submarine Designer
2021-05-03 07:34:00
adobe
adobe
APSA18-01 Security Advisory for Adobe Flash Player
2018-02-01 00:00:00
APSB18-03 Security updates available for Adobe Flash Player
2018-02-06 00:00:00
cisa_kev
cisa_kev
Adobe Flash Player Use-After-Free Vulnerability
2021-11-03 00:00:00
Microsoft Office Memory Corruption Vulnerability
2021-11-03 00:00:00
Microsoft Office Memory Corruption Vulnerability
2021-11-03 00:00:00
mssecure
mssecure
Windows Defender ATP device risk score exposes new cyberattack, drives Conditional access to protect networks
2018-11-28 21:46:48
securelist
securelist
The leap of a Cycldek-related threat actor
2021-04-05 10:00:22
MosaicRegressor: Lurking in the Shadows of UEFI
2020-10-05 10:00:45
IT threat evolution Q1 2018. Statistics
2018-05-14 10:00:30
mscve
mscve
Microsoft Office Memory Corruption Vulnerability
2018-01-09 08:00:00
February 2018 Adobe Flash Security Update
2018-02-06 08:00:00
exploitdb
exploitdb
Flash ActiveX 28.0.0.137 - Code Execution (1)
2016-02-16 00:00:00
Flash ActiveX 28.0.0.137 - Code Execution (2)
2016-02-13 00:00:00
Adobe Flash < 28.0.0.161 - Use-After-Free
2018-04-06 00:00:00
nessus
nessus
Adobe Flash Player <= 28.0.0.137 Use-after-free Remote Code Execution (APSA18-01) (APSB18-03)
2018-02-05 00:00:00
KB4074595: Security update for Adobe Flash Player (February 2018)
2018-02-07 00:00:00
RHEL 6 : flash-plugin (RHSA-2018:0285)
2018-02-08 00:00:00
openvas
openvas
Adobe Flash Player Within Google Chrome Multiple RCE Vulnerabilities (APSA18-01) - Windows
2018-02-02 00:00:00
Adobe Flash Player Multiple Remote Code Execution Vulnerabilities - Windows
2018-02-02 00:00:00
Adobe Flash Player Within Google Chrome Multiple RCE Vulnerabilities - Linux
2018-02-02 00:00:00
redhatcve
redhatcve
CVE-2018-4878
2018-02-05 11:19:42
CVE-2018-4877
2018-02-06 20:19:59
mageia
mageia
Updated flash-player-plugin packages fix security vulnerability
2018-02-07 16:50:37
redhat
redhat
(RHSA-2018:0285) Critical: flash-plugin security update
2018-02-07 17:47:53
freebsd
freebsd
Flash Player -- multiple vulnerabilities
2018-01-31 00:00:00
carbonblack
carbonblack
Threat Analysis Unit (TAU) Threat Intelligence Notification: Tick Downloaders (Operation ENDTRADE)
2019-12-10 15:34:53
qualysblog
qualysblog
Intel Makes Spectre Patch Progress, while Adobe Grapples with Latest Flash Bug
2018-02-09 15:20:40
Top 19+ Vulnerability CVEs in Santa’s Dashboard Tracking
2019-12-27 18:01:22
Part 2: An In-Depth Look at the Latest Vulnerability Threat Landscape (Attackers’ Edition)
2023-07-18 13:38:53
gentoo
gentoo
Adobe Flash Player: Multiple vulnerabilities
2018-03-19 00:00:00
mskb
mskb
Description of the security update for Office 2013: January 9, 2018
2018-01-09 08:00:00
Description of the security update for Office 2010: January 9, 2018
2018-01-19 08:00:00
Description of the security update for 2007 Microsoft Office Suite: January 9, 2018
2018-01-19 08:00:00
ics
ics
Top 10 Routinely Exploited Vulnerabilities
2020-05-12 12:00:00
avleonov
avleonov
September 2023: VM courses, Bahasa Indonesia, Russian Podcasts, Goodbye Tinkoff, MS Patch Tuesday, Qualys TOP 20, Linux, Forrester, GigaOm, R-Vision VM
2023-09-30 19:31:42

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.974 High

EPSS

Percentile

99.9%

JSON
Related for FIREEYE:96525D6EA5DBF734A371FB66EB02FA45
attackerkb2threatpost9ubuntucve1zdt3krebs2exploitpack3fireeye7talosblog3symantec2cvelist2malwarebytes18cve2prion2trendmicroblog4seebug1myhack585checkpoint_advisories2kaspersky2packetstorm1thn6adobe2cisa_kev3mssecure1securelist30mscve2exploitdb3nessus8openvas16redhatcve2mageia1redhat1freebsd1carbonblack1qualysblog5gentoo1mskb8ics1avleonov1