Adobe Flings Flash Fix for Fresh APT Target'Operation Daybreak' Zero-Day Attacks Trigger Emergency Flash Update
Security experts are once again warning enterprises to immediately update - or delete - all instances of the Adobe Flash Player they may have installed on any system in the wake of reports that a zero-day flaw in the web browser plug-in is being targeted by an advanced persistent threat group.
The attacks first came to light earlier this week, when Adobe issued an alert that a previously unknown flaw in Flash, designated CVE-2016-4171, was being exploited "in limited, targeted attacks." The bug exists in Adobe Flash Player 220.127.116.11 and earlier versions - running on Windows, Mac, Linux, and Chrome OS - and "successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system."
Adobe on June 16 then released an updated version of Flash that patches 36 separate vulnerabilities, including CVE-2016-4171.
"Pay close attention to the release and address as quickly as possible," says Wolfgang Kandek, CTO of cloud security firm Qualys, in a blog post, adding that these attacks are another excellent reason to be running Microsoft's freeware Enhanced Mitigation Experience Toolkit on all Windows systems. "If you have EMET on your systems you are protected," he says (see 5 Secrets to Security Success).
APT Attackers Target Fresh Flaw
The CVE-2016-4171 flaw was discovered and reported to Adobe by Kaspersky Lab researchers Costin Raiu and Anton Ivanov. The researchers say they spotted related exploits earlier this month, and that they appear to be part of a spear-phishing campaign, dubbed Operation Daybreak, that launched in March, and which has amassed at least two dozen high-profile victims. Kaspersky Lab says it's code-named the "relatively new APT group" behind the attacks "ScarCruft."
"Victims have been observed in Russia, Nepal, South Korea, China, India, Kuwait and Romania," the researchers say. "The group has several ongoing operations, utilizing multiple exploits - two for Adobe Flash and one for Microsoft Internet Explorer."
The researchers say that the group may also have been exploiting another zero-day Flash flaw, CVE-2016-0147, which Adobe patched in April, and that the group has also been associated with the so-called "Operation Erebus" attacks that used watering-hole attacks to distribute another Flash Player exploit, CVE-2016-4117, which was patched by Adobe in May (see Zero-Day Attacks Pummel IE, Flash).
For Operation Daybreak, it's not yet clear how the APT group has been exploiting victims. "Although the exact attack vector remains unknown, the targets appear to receive a malicious link which points to a hacked website where the exploitation kit is hosted," the researchers say. For the second stage of the attack, however, some victims have been seeing a document, named "china.pdf," that the researchers say is written in Korean and which details "disagreements between China and 'the North' over nuclear programs and demilitarization."
Caution or Kudos for Adobe?
The latest warning over this campaign reinforces just how often APT attackers target Flash, thus making a potential business case for banning it for inside the enterprise. "This is the third month in a row that we are seeing a zero-day in Flash, making it most certainly the most targeted software on your organization's endpoints," Kandek says (see Emergency Flash Patch Battles Ransomware).
That may be true, although Kaspersky Lab reports that for 2015, four percent of all attacks it observed targeted Flash, which technology-wise took second place to Java, which was targeted in 14 percent of all attacks. But whether Flash comes first or second in hackers' hit list, the takeaway is that it's still a cheap and attractive target, since it can allow them to quickly and easily exploit millions of vulnerable PCs via highly automated attacks.
But Kaspersky Lab researchers Raiu and Ivanov, in their blog post on the Operation Daybreak attacks, contend that Adobe has been doing a good job of quickly patching flaws as they come to light, thus making related attacks more difficult to execute. "Nowadays, in-the-wild Flash Player exploits are becoming rare. This is because in most cases they need to be coupled with a sandbox bypass exploit, which makes them rather tricky," they say. "Additionally, Adobe has been doing a great job at implementing new mitigations to make exploitation of Flash Player more and more difficult. Nevertheless, resourceful threat actors such as ScarCruft will probably continue to deploy zero-day exploits against their high profile targets."
Unless users keep their Flash Player updated to the very latest version, however, Adobe's fast fixes are for naught, since their endpoints will remain easy pickings for any attacker, be they an APT group or cybercrime toolkit subscriber. As a partial defense, security experts have long urged users to at least enable "click to play" in Flash, so that attackers can't force Flash to launch and then remotely take control of PCs running vulnerable versions of the software (see 2016 Resolution: Ditch Flash).