According to the experts from Kaspersky Lab, an APT group dubbed ScarCruft exploited a zero-day vulnerability (CVE-2016-4171) in Adobe Flash Player. The group launched a series of attacks against high-profile targets in Russia, Nepal, South Korea, China, Kuwait, India and Romania.
The ScarCruft APT exploited two vulnerabilities: a flaw in Flash Player and a Microsoft XML Core Services (MSXML) vulnerability (CVE-2016-0147) affecting Microsoft Windows. This second flaw can be exploited through Internet Explorer; Microsoft issued a security patch in April, but the attackers exploited it before the fix was released.
The Flash Player flaw CVE-2016-4171 affects versions 22.214.171.124 and earlier for Windows, Mac, Linux and Chrome OS. According to Kaspersky, the threat actor behind “Operation Daybreak” used it in targeted attacks conducted in March 2016.
“Currently, the group is engaged in two major operations: Operation Daybreak and Operation Erebus. The first of them, Operation Daybreak, appears to have been launched by ScarCruft in March 2016 and employs a previously unknown (0-day) Adobe Flash Player exploit, focusing on high profile victims,” explained Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab. “The other one, “Operation Erebus”, employs an older exploit, for CVE-2016-4117, and leverages watering holes. It is also possible that the group deployed another zero day exploit, CVE-2016-0147, which was patched in April.”
According to Adobe, a security patch will be available as early as June 16.
“Adobe is aware of a report that an exploit for CVE-2016-4171 exists in the wild, and is being used in limited, targeted attacks. Adobe will address this vulnerability in our monthly security update, which will be available as early as June 16. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.”
Kaspersky plans to release more details on the ScarCruft APT group and its attacks after Adobe releases a patch. Fortunately, Microsoft EMET is effective at mitigating this kind of attack.
Stay Tuned …
Security Affairs – (ScarCruft APT, Adobe)