Security experts at FireEye discovered a critical heap buffer overflow vulnerability, tracked as CVE-2015-3113, that affects Adobe Flash Player. FireEye found that the flaw is being exploited in the wild by the hacking crew APT3, which has targeted a number of industries, including the telecommunications, transportation, aerospace and defense sectors.
“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These updates address a critical vulnerability (CVE-2015-3113) that could potentially allow an attacker to take control of the affected system. Adobe is aware of reports that CVE-2015-3113 is being actively exploited in the wild via limited, targeted attacks. Systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets,” Adobe stated in a security advisory.
The experts explained that systems running Internet Explorer on Windows 7 and below, as well as Firefox on Windows XP, are the known targets of the attacks.
The attack vector is once again email. According to FireEye, the attackers sent messages containing links to compromised web servers that served either benign content or a malicious Adobe Flash Player exploit for CVE-2015-3113.
“In June, FireEye’s FireEye as a Service team in Singapore uncovered a phishing campaign exploiting an Adobe Flash Player zero-day vulnerability (CVE-2015-3113). The attackers’ emails included links to compromised web servers that served either benign content or a malicious Adobe Flash Player file that exploits CVE-2015-3113,” states FireEye in the blog post.
The attack exploits a flaw in the way Adobe Flash Player parses Flash Video (FLV) files.
“Once a target host was profiled, victims downloaded a malicious Adobe Flash Player SWF file and an FLV file, detailed below. This ultimately resulted in a custom backdoor known as SHOTPUT, detected by FireEye as Backdoor.APT.CookieCutter, being delivered to the victim’s system.”
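The delivery chain described above (a link to a compromised web server, profiling of the victim's browser and platform, then an SWF followed by an FLV file) leaves a recognisable trace in web proxy logs. The following Python script is an added example and is not code from the article, FireEye or Adobe: it scans constructed proxy log lines and flags clients on the platforms the advisory names as known targets (Internet Explorer on Windows 7 or older, Firefox on Windows XP) that fetched an `.swf` and then an `.flv` from the same host within a short window. The log format, the user-agent matching rules and the reliance on file extensions are all assumptions of this example; in a real deployment one would match on Content-Type as well, since the file names used by the attackers are not given in the article.

```python
"""Flag proxy sessions matching the SWF-then-FLV delivery pattern described
in the FireEye report on CVE-2015-3113.  Log format, sample lines and
matching rules are constructed for this example (not from the article)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample proxy log: "<ISO time>\t<client>\t<URL>\t<user agent>".
# Hosts use the reserved .invalid TLD; nothing here is a real indicator.
SAMPLE_LOG = """\
2015-06-15T09:12:01\t10.0.0.5\thttp://example.invalid/news/index.html\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
2015-06-15T09:12:03\t10.0.0.5\thttp://example.invalid/news/player.swf\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
2015-06-15T09:12:04\t10.0.0.5\thttp://example.invalid/news/movie.flv\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
2015-06-15T09:14:10\t10.0.0.7\thttp://example.invalid/news/player.swf\tMozilla/5.0 (Windows NT 6.3; Win64; x64) Chrome/43.0
2015-06-15T09:14:11\t10.0.0.7\thttp://example.invalid/news/movie.flv\tMozilla/5.0 (Windows NT 6.3; Win64; x64) Chrome/43.0
2015-06-15T09:20:00\t10.0.0.9\thttp://other.invalid/a.swf\tMozilla/5.0 (Windows NT 5.1; rv:38.0) Gecko/20100101 Firefox/38.0
"""

# "MSIE x.y; Windows NT a.b" covers IE up to version 10; IE 11 dropped the
# MSIE token, so this heuristic would need a Trident/rv: rule to catch it.
_IE_RE = re.compile(r"MSIE \d+\.\d+; Windows NT (\d+)\.(\d+)")
# Firefox on Windows XP: NT 5.1 kernel together with a Firefox/ token.
_FF_XP_RE = re.compile(r"Windows NT 5\.1.*Firefox/")


def is_targeted_platform(user_agent: str) -> bool:
    """True for the platforms the advisory lists as known targets."""
    m = _IE_RE.search(user_agent)
    if m:
        nt_version = (int(m.group(1)), int(m.group(2)))
        return nt_version <= (6, 1)  # NT 6.1 is Windows 7; lower is Vista/XP
    return bool(_FF_XP_RE.search(user_agent))


def parse_line(line: str):
    """Split one constructed log line into (timestamp, client, url, user_agent)."""
    ts, client, url, ua = line.rstrip("\n").split("\t", 3)
    return datetime.fromisoformat(ts), client, url, ua


def find_swf_flv_pairs(log_text: str, window: timedelta = timedelta(minutes=5)):
    """Return (client, host, swf_url, flv_url) tuples where a client on a
    targeted platform fetched an .swf and then an .flv from the same host
    within `window`.  Extension matching is a heuristic, not a proof."""
    swf_seen = defaultdict(list)  # (client, host) -> [(time, swf_url)]
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url, ua = parse_line(line)
        if not is_targeted_platform(ua):
            continue
        parts = urlsplit(url)
        key = (client, parts.hostname)
        path = parts.path.lower()
        if path.endswith(".swf"):
            swf_seen[key].append((ts, url))
        elif path.endswith(".flv"):
            for swf_ts, swf_url in swf_seen[key]:
                if timedelta(0) <= ts - swf_ts <= window:
                    hits.append((client, parts.hostname, swf_url, url))
    return hits


if __name__ == "__main__":
    for client, host, swf_url, flv_url in find_swf_flv_pairs(SAMPLE_LOG):
        print(f"{client} fetched {swf_url} then {flv_url} from {host}")
```

Only the first client is flagged: the Chrome session fetches the same pair of files but is not on a targeted platform, and the Firefox-on-XP client fetches an SWF without a following FLV. Flagged sessions are a starting point for triage (pull the files from the proxy cache, check the Flash Player version on the host), not a verdict on their own.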
In November 2014, researchers at FireEye spotted a new advanced persistent threat group, dubbed APT3, which was using exploits for recently disclosed Windows vulnerabilities. The experts speculate that the APT3 group is the same threat actor behind “Operation Clandestine Fox,” uncovered by the company in April 2014. APT3 exploited an IE zero-day vulnerability in a series of targeted attacks, and later exploited a series of flaws in Microsoft operating systems, including CVE-2014-6332, a vulnerability that remained exploitable for 18 years before it was patched.
FireEye detailed in a blog post the attacks run by APT3 that exploited the Windows OLE bug together with another Windows privilege escalation vulnerability (CVE-2014-4113).
It is essential to patch this new Adobe vulnerability as quickly as possible, before other criminal groups integrate it into their crimeware kits.
(Security Affairs – CVE-2015-3113, Adobe)