Adobe Patches Flash Zero-Day Used by BlackOasis APT


Last week, Adobe announced that, for the first time since July 2012, it would not release any security updates because it had nothing to patch.

Less than six days later, the company released a critical update for Flash Player that fixes a zero-day vulnerability exploited in live attacks.

The zero-day, CVE-2017-11292, is a “type confusion” that leads to remote code execution on targeted systems.

The issue affects Flash Player on Windows, Linux, macOS, and Chrome OS. Adobe fixed the vulnerability in Flash Player version

Zero-day spotted by Kaspersky Lab researchers

The vulnerability was spotted in the wild by Anton Ivanov of Kaspersky Lab. According to Costin Raiu, director of Global Research and Analysis Team (GReAT) at Kaspersky Lab, the vulnerability was found in campaigns carried out by BlackOasis.

BlackOasis is a codename Kaspersky researchers gave to an advanced persistent threat (APT, cyber-espionage group) they believe to be operating out of a Middle Eastern country and employing a spying (“lawful surveillance”) toolkit named FinSpy, sold by UK firm Gamma Group International.

This is not the first time BlackOasis has used a Flash Player zero-day to attack targets. The group also used CVE-2017-8759 in September 2017, CVE-2016-4117 in May 2016, CVE-2016-0984 in June 2015, and CVE-2015-5119 in June 2015.

“The FinSpy payload used in the current attacks (CVE-2017-11292) shares the same command and control (C2) server as the payload used with CVE-2017-8759 uncovered by FireEye,” said Raiu in a report published minutes after the Flash Player security alert.

The expert says Kaspersky has been tracking the APT since May 2016, when they first became aware of it thanks to the CVE-2016-4117 Flash zero-day.

Spear-phishing campaign distributes Office docs with Flash 0-day

In the recent attacks leveraging today’s zero-day, the group sent victims malicious Office documents carrying an embedded ActiveX object that contained the exploit for the Flash vulnerability CVE-2017-11292.

In this particular campaign, the attackers used the exploit to download and run a file named mo.exe, which was the FinSpy spyware in disguise.
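On the defensive side, a document that delivers a Flash exploit has to carry a SWF file somewhere inside the container, which is something a mail gateway or triage script can check for; the following is an added example written for this article, not code from Kaspersky's report or from the campaign, and its sample .docx, the part name word/activeX/activeX1.bin and the fake SWF header inside it are constructed for the demonstration.

```python
"""Scan an Office document for embedded Flash (SWF) content.

Every SWF starts with a signature ('FWS' plain, 'CWS' zlib, 'ZWS' LZMA), a
one-byte version and a 4-byte little-endian uncompressed length, so a byte scan
for a plausible header flags documents that carry Flash for closer analysis.
"""
import io
import re
import struct
import zipfile

# Signature, version byte 1..64, then the 4-byte length field.
SWF_HEADER = re.compile(rb"(FWS|CWS|ZWS)([\x01-\x40])(.{4})", re.DOTALL)


def find_swf_headers(blob: bytes):
    """Return (offset, signature, version, declared_length) per plausible SWF header."""
    hits = []
    for m in SWF_HEADER.finditer(blob):
        sig, version = m.group(1).decode(), m.group(2)[0]
        length = struct.unpack("<I", m.group(3))[0]
        if length >= 8:  # declared size must at least cover the 8-byte header
            hits.append((m.start(), sig, version, length))
    return hits


def scan_office_file(data: bytes):
    """Scan an OOXML package (zip members such as word/activeX/*.bin) or a flat
    legacy OLE file (.doc/.xls, scanned whole); returns a list of findings."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [(name, zf.read(name)) for name in zf.namelist()]
    else:
        members = [("<raw>", data)]
    findings = []
    for name, blob in members:
        for off, sig, ver, length in find_swf_headers(blob):
            findings.append({"member": name, "offset": off, "signature": sig,
                             "version": ver, "length": length})
    return findings


def build_sample_docx() -> bytes:
    """Constructed sample: minimal OOXML package with a fake CWS header in an ActiveX part."""
    fake_swf = b"CWS" + bytes([27]) + struct.pack("<I", 4096) + b"\x78\x9c" + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/activeX/activeX1.bin", b"\x00" * 64 + fake_swf)
    return buf.getvalue()
```

A hit is a reason to detonate or unpack the document, not proof of an exploit: legitimate documents can embed Flash too, so the finding is best used to route the file to sandbox analysis.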

Kaspersky did not offer information about this campaign’s particular targets. BlackOasis has previously targeted figures involved in Middle Eastern politics, such as prominent figures in the United Nations, opposition bloggers and activists, and regional news correspondents.

The group’s operations have been active in countries such as Iraq, Afghanistan, Bahrain, Jordan, Saudi Arabia, Iran, the Netherlands, the United Kingdom, Russia, Nigeria, Libya, Tunisia, and Angola.