The Hacker News THN:1E17CFED2DC9622E7D01A332EDE9F110
Dec 06, 2018 - 11:22 a.m.

New Adobe Flash Zero-Day Exploit Found Hidden Inside MS Office Docs

thehackernews.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.974 High (percentile 99.9%)


Cybersecurity researchers have discovered a new zero-day vulnerability in Adobe Flash Player that attackers are actively exploiting in the wild as part of a targeted campaign that appears to be aimed at a Russian state health care institution.

The vulnerability, tracked as CVE-2018-15982, is a use-after-free flaw in Flash Player that, if exploited successfully, allows an attacker to execute arbitrary code on the targeted computer, in the context of the user who opened the document, and eventually gain full control over the system.

The newly discovered Flash Player zero-day exploit was spotted last week by researchers inside malicious Microsoft Office documents that had been submitted to the online multi-engine malware scanning service VirusTotal from a Ukrainian IP address.

The maliciously crafted Microsoft Office documents carry an embedded Flash ActiveX control in the document header; the control renders as soon as the targeted user opens the file, triggering the Flash Player vulnerability.

According to the researchers, neither the Microsoft Office file (22.docx) nor the Flash exploit inside it contains the final payload that takes control of the system.

Instead, the final payload hides inside an image file (scan042.jpg) that is actually an archive; it is packed together with the Office file inside a parent WinRAR archive, which is then distributed through spear-phishing emails, as shown in the video below.

Upon opening the document, the Flash exploit executes a command on the system to unpack the fake image file and run the final payload (backup.exe), which is protected with VMProtect and installs a backdoor capable of:

  • monitoring user activity (keyboard and mouse),
  • collecting system information and sending it to a remote command-and-control (C&C) server,
  • executing shellcode,
  • loading PE files in memory,
  • downloading files,
  • executing code, and
  • self-destructing.

Researchers from Gigamon Applied Threat Research and Chinese cyber-security firm Qihoo 360 Core Security, who spotted the campaign and named it “Operation Poison Needles,” have not attributed the attack to any state-sponsored hacking group.
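The delivery chain described above relies on two things a mail gateway or sandbox can check cheaply: an Office document that carries a Flash ActiveX control, and an "image" whose leading bytes say it is a RAR archive. The script below is an added triage example written for this page; it is not code from the article or from the researchers who analysed the campaign. It assumes the OOXML layout Word uses for ActiveX parts (word/activeX/*.xml with an ax:classid attribute), the well-known Shockwave Flash CLSID {D27CDB6E-AE6D-11CF-96B8-444553540000}, and the standard SWF and RAR signatures; the sample .docx and the fake .jpg bytes are constructed in memory so it runs offline.

```python
"""Triage for the two tricks in the delivery chain above: a .docx carrying a
Flash ActiveX control, and a RAR archive renamed to look like a .jpg.
Added example; the sample files below are constructed, not real malware."""
from __future__ import annotations

import io
import re
import zipfile

# CLSID of the Shockwave Flash ActiveX control (Office writes it into word/activeX/*.xml).
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
# SWF headers: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
# RAR 4.x and RAR 5.x archive signatures.
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
JPEG_MAGIC = b"\xff\xd8\xff"  # JPEG SOI marker
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp"}

CLASSID_RE = re.compile(rb'ax:classid="\{([0-9A-Fa-f-]+)\}"')


def find_flash_in_docx(docx_bytes: bytes) -> list[str]:
    """List package parts that carry Flash: an ActiveX part XML whose classid is the
    Shockwave Flash CLSID, or any part that begins with a SWF header.
    Limitation (assumption of this example): a SWF nested inside an OLE-wrapped
    activeX*.bin stream is not unpacked here; the CLSID check is what catches it."""
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.startswith("word/activeX/") and name.endswith(".xml"):
                m = CLASSID_RE.search(data)
                if m and m.group(1).decode().upper() == FLASH_CLSID:
                    findings.append(f"{name}: Shockwave Flash ActiveX control")
            if data[:3] in SWF_MAGICS:
                findings.append(f"{name}: raw SWF ({data[:3].decode()} header)")
    return findings


def classify_by_magic(filename: str, data: bytes) -> str:
    """Compare the type a file name claims with what the leading bytes say.
    scan042.jpg in the chain above is a RAR archive behind an image name."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if any(data.startswith(sig) for sig in RAR_MAGICS):
        return "SUSPICIOUS: RAR archive disguised as image" if ext in IMAGE_EXTS else "rar"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    return "unknown"


def build_sample_docx(with_flash: bool) -> bytes:
    """Constructed minimal OOXML package for testing (not a real malicious sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            zf.writestr(
                "word/activeX/activeX1.xml",
                '<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
                'ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}" '
                'ax:persistence="persistStreamInit"/>',
            )
    return buf.getvalue()


if __name__ == "__main__":
    for flagged in (True, False):
        print("docx with_flash=%s ->" % flagged, find_flash_in_docx(build_sample_docx(flagged)))
    # Constructed stand-ins for the two members of the parent archive.
    fake_jpg = b"Rar!\x1a\x07\x00" + b"\x00" * 16
    real_jpg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    print("scan042.jpg ->", classify_by_magic("scan042.jpg", fake_jpg))
    print("photo.jpg   ->", classify_by_magic("photo.jpg", real_jpg))
```

The CLSID check is the one that matters for this campaign: Word stores the control's data as an OLE compound stream in activeX*.bin, so a plain SWF-header scan of the package will not see it, but the classid in the companion XML is always in clear. Run both checks over every member of an inbound archive before anything is opened, and treat an image extension sitting on top of a RAR signature as a hard block rather than a warning.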

However, because the malicious documents purport to be an employment application for a Russian state healthcare clinic affiliated with the Presidential Administration of Russia, and were uploaded to VirusTotal from a Ukrainian IP address, the researchers believe the attackers could be Ukrainian, given the political tension between the two countries.

The vulnerability affects Adobe Flash Player 31.0.0.153 and earlier for the Flash Player Desktop Runtime and Flash Player for Google Chrome, Microsoft Edge and Internet Explorer 11. Adobe Flash Player Installer 31.0.0.108 and earlier is also affected.

Researchers reported the Flash zero-day exploit to Adobe on November 29. Adobe acknowledged the issue and released Adobe Flash Player 32.0.0.101 for Windows, macOS, Linux and Chrome OS, and Adobe Flash Player Installer 31.0.0.122.

The security update patches the reported zero-day along with an “Important”-rated DLL hijacking vulnerability (CVE-2018-15983), which could allow an attacker to escalate privileges by getting Flash Player to load a malicious DLL.

