There have been over 1,000 Adobe Flash vulnerabilities since it was released. Designed to make website development easier and providing additional features not supported by standard web browsers, it also adds complexity and a much broader attack surface. Web browsers no longer support Flash by default, but users often re-enable it for convenience. And just having it installed on your system may be enough for this latest zero-day Adobe Player vulnerability to be exploited.
KISA, the South Korean CERT issued a security bulletin on January 31, 2018, warning of a “use-after-free” vulnerability in Adobe Flash Player being actively exploited in the wild. The following day, Adobe issued Security Advisory APSA18-01 confirming CVE-2018-4878 as a potential remote code vulnerability and announcing plans to release a security patch on February 5, 2018. The attack is carried out with a malicious SWF file embedded inside a Microsoft Office or Hancom Hangul document or spreadsheet. Once opened, the victim’s computer executes the malicious SWF through Adobe Flash if it is installed.
“Upon opening and successful exploitation, a decryption key for an encrypted embedded payload would be downloaded from compromised third-party websites hosted in South Korea,” according to FireEye.
The embedded payload is likely to be DOGCALL malware which facilitates the installation of ROKRAT command and control trojan which gives the remote attackers access to the victim’s system.
Experts warn that while waiting for the patch from Adobe on February 5th, users should be very cautious opening unexpected spreadsheets and document files. In reality, one should always be wary of any unexpected or suspicious document, especially ones that support embedding since they can hide all kinds of malware. You should also strongly consider uninstalling Adobe Flash. Even if it is disabled in your browser, having it installed on your system is enough for this latest exploit to execute successfully. Chances are you don’t need Adobe Flash any more. As explained by Sophos,
“The most common “need” we hear for Flash is to watch web videos, but almost all websites will use HTML5 for videos if you don’t have Flash. If you uninstall it, your browser will use its built-in video player instead – so you probably don’t need Flash after all.”
Cisco and FireEye have both been investigating, and warn that a North Korean group that they have been following for a while are likely behind this latest attack. Called TEMP.Reaper by FireEye and Group 123 by Cisco, the group with ties to North Korea was very active in 2017.
According to FireEye: “Historically, the majority of their targeting has been focused on the South Korean government, military, and defense industrial base; however, they have expanded to other international targets in the last year.”
In addition to expanding their targets, the hacking group appears to have been expanding its skills, utilizing a variety of different techniques to deploy destructive wiper malware and the command and control trojans.
There have been many hacking accusations pointed at North Korea in the past few years. With tensions rising in 2017 and the impending Olympics in South Korea this month there is a lot of opportunities and potential motivation for something significant. This latest attack shows that this hacking group is poised to take advantage of these opportunities.
As described by Cisco’s Talos security team, “Group 123 have now joined some of the criminal elite with this latest payload of ROKRAT. They have used an Adobe Flash 0 day which was outside of their previous capabilities – they did use exploits in previous campaigns but never a net new exploit as they have done now. This change represents a major shift in Group 123s maturity level, we can now confidentially assess Group 123 has a highly skilled, highly motivated and highly sophisticated group.”