Adobe Patches Zero-day Vulnerability Used in Cyberespionage

Adobe has released an emergency (out-of-band) security update, APSB17-32, covering versions 27.0.0.159 and 27.0.0.130 of Adobe Flash Player for Windows, Macintosh, Linux, and Chrome OS. The update addresses a zero-day vulnerability (CVE-2017-11292) that researchers found being actively exploited by a group of threat actors known as BlackOasis.

According to researchers, BlackOasis exploits CVE-2017-11292 to distribute the information-stealing malware FinSpy, also known as FinFisher (detected by Trend Micro as BKDR_FINSPY.A, TROJ_FRS.0NA003JC17, and WORM.Win32.TRX.XXPE002FF019). Last September, the group used a separate remote code execution (RCE) vulnerability (CVE-2017-8759) to deliver a variant of the spyware, which is reportedly sold by its developers and operators as a suite of surveillance software. Researchers note that the attacks they have observed in the wild target Windows machines.

BlackOasis’s attack starts with spear-phishing emails sent to targets of interest. The emails carry a Word document attachment containing an ActiveX object that embeds the Flash exploit. The infection chain is multi-stage, using several scripts to retrieve, decrypt, and execute the payload.
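The delivery vehicle described above, a Flash object wrapped in an ActiveX control inside a Word document, leaves a recognisable footprint in the document's structure that a defender can triage before detonation. The following Python is an added example, not code from the article or from the researchers it cites. It treats a .docx as the ZIP container it is, looks for ActiveX parts under word/activeX/ and for embedded .swf objects, and flags any ActiveX control whose CLSID is the well-known Shockwave Flash control identifier (D27CDB6E-AE6D-11cf-96B8-444553540000; an assumption about how Flash content is referenced, not a value from the article). The sample document is constructed in memory so the example runs offline; legacy binary .doc (OLE2) files need a different parser and are not covered.

```python
import io
import re
import zipfile

# Well-known CLSID of the Shockwave Flash ActiveX control (assumption: this is the
# identifier a Flash object embedded via ActiveX carries; not taken from the article).
FLASH_CLSID = "d27cdb6e-ae6d-11cf-96b8-444553540000"

# OOXML stores each ActiveX control as word/activeX/activeXN.xml (+ a .bin blob);
# embedded files live under word/embeddings/.
ACTIVEX_PART = re.compile(r"^word/activeX/activeX\d+\.xml$", re.IGNORECASE)
EMBEDDED_SWF = re.compile(r"^word/embeddings/.*\.swf$", re.IGNORECASE)
CLSID_ATTR = re.compile(r'classid="\{?([0-9A-Fa-f-]{36})\}?"')


def find_flash_activex(docx_bytes: bytes) -> list:
    """Return (part_name, reason) findings for a .docx supplied as bytes.

    Findings are triage hints for a malware analyst, not a verdict: a document
    legitimately embedding Flash will also be flagged.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if ACTIVEX_PART.match(name):
                xml = zf.read(name).decode("utf-8", errors="replace")
                m = CLSID_ATTR.search(xml)
                clsid = m.group(1).lower() if m else None
                if clsid == FLASH_CLSID:
                    findings.append((name, "ActiveX part references the Flash Player control"))
                elif clsid is None:
                    # A control without a parseable CLSID is worth a manual look too.
                    findings.append((name, "ActiveX part without a parseable CLSID"))
            elif EMBEDDED_SWF.match(name):
                findings.append((name, "embedded .swf object"))
    return findings


def build_sample_docx(with_flash: bool) -> bytes:
    """Construct a minimal .docx-shaped ZIP in memory (constructed test input).

    Only the parts the scanner inspects are populated; a real document carries
    many more parts and relationship files.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            zf.writestr(
                "word/activeX/activeX1.xml",
                '<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
                'ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}" '
                'ax:persistence="persistStreamInit"/>',
            )
            zf.writestr("word/activeX/activeX1.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("benign", build_sample_docx(False)),
                          ("flash-activex", build_sample_docx(True))):
        print(label, find_flash_activex(sample))
```

Running this over a directory of mail attachments gives a cheap first-pass filter: any office document that carries a Flash ActiveX control is unusual enough in most environments to deserve sandbox detonation, whether or not the SWF inside actually targets CVE-2017-11292.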

CVE-2017-11292 is a memory corruption flaw that, when successfully exploited, lets an attacker execute arbitrary code on a vulnerable system. Attackers can lure victims with specially crafted Flash content. While it is currently reported to be used only in targeted attacks, its public disclosure is likely to lead others to employ it for their own cybercriminal activities. In fact, some of the other vulnerabilities that BlackOasis uses in its campaigns have also been employed by other cyberespionage and cybercriminal groups.

BlackOasis uses sociopolitical themes as social engineering lures. Like other cyberespionage groups such as BlackTech, ChessMaster, and Pawn Storm, BlackOasis employs decoy documents to divert the would-be victim’s attention from its real objective: stealing confidential, mission-critical information. The researchers monitoring BlackOasis note that it is currently targeting Middle Eastern politicians and United Nations officers, as well as journalists and activists. BlackOasis’s activities and FinSpy were also observed in Russia, the U.K., Afghanistan, Iraq, Iran, and African countries.

Indeed, vulnerabilities are the bread and butter of many targeted attacks, and patching plays a crucial role in defending against them. In the first half of 2017, 382 new vulnerabilities were reported and disclosed via Trend Micro’s Zero Day Initiative, 92 of which were in Adobe products—a number markedly higher than that of the second half of 2016. Enterprises need to balance keeping the infrastructure that drives their operations running against the need to secure it. Defense in depth provides layers of protection against threats that take advantage of security gaps. Some of the best practices for defending against these types of threats include:

Keep the system and its applications updated, or consider virtual patching for legacy systems

Implement URL categorization, network segmentation, and data categorization

Enable and deploy firewalls as well as intrusion detection and prevention systems

Regularly back up data and ensure its integrity

Enforce the principle of least privilege

Secure the gateways, especially your email

Safeguard the tools used by your organization’s system administrators to deter hackers from misusing them

Create stronger patch management policies
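A patch management policy is only as good as the inventory check behind it. As an added example (not code from the article), the Python below takes a constructed host inventory of Flash Player builds and reports which hosts are still on a build at or below 27.0.0.159, the affected release named above, and therefore need the APSB17-32 update. The point it makes beyond the article is a classic pitfall: dotted version strings must be compared numerically, component by component, because plain string comparison ranks "27.0.0.9" above "27.0.0.159" and would silently pass a vulnerable host. The inventory rows and the higher "27.0.0.200" build are constructed values, not releases mentioned in the article.

```python
# Constructed inventory: host,flash_player_version (not data from the article).
INVENTORY_CSV = """\
host01,27.0.0.130
host02,27.0.0.159
host03,27.0.0.200
host04,27.0.0.9
host05,26.0.0.151
"""

# Assumption: the article names 27.0.0.159 and 27.0.0.130 as the affected builds;
# anything at or below 27.0.0.159 is treated as still needing APSB17-32.
LAST_AFFECTED = "27.0.0.159"


def parse_version(version: str) -> tuple:
    """Turn '27.0.0.159' into (27, 0, 0, 159) so tuples compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def needs_apsb17_32(version: str) -> bool:
    """True when the build is at or below the last affected release."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def string_compare_would_miss(version: str) -> bool:
    """Show the pitfall: naive string ordering says this build is 'newer'."""
    return not (version <= LAST_AFFECTED) and needs_apsb17_32(version)


def hosts_needing_update(inventory_csv: str) -> list:
    """Return host names from the inventory that still run an affected build."""
    flagged = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, version = (field.strip() for field in line.split(",", 1))
        if needs_apsb17_32(version):
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    for host in hosts_needing_update(INVENTORY_CSV):
        print(f"{host}: update to a build newer than {LAST_AFFECTED} (APSB17-32)")
```

Feeding the same function a real software-inventory export (or the output of an endpoint management agent) turns the "create stronger patch management policies" item into a measurable daily report rather than a one-off reminder.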