CVE-2018-15982 Adobe zero-day exploited in targeted attacks
Adobe released security updates for Flash Player that address two vulnerabilities, including a critical flaw, tracked as CVE-2018-15982, exploited in targeted attacks.
Adobe fixed two flaws including a critical use-after-free bug, tracked as CVE-2018-15982, exploited by an advanced persistent threat actor aimed at a healthcare organization associated with the Russian presidential administration.
The flaw could be exploited by attackers to execute arbitrary code, Adobe addressed it with the release of Flash Player 188.8.131.52 for Windows, macOS, Linux, and Chrome OS.
“Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address one critical vulnerability in Adobe Flash Player and one important vulnerability in Adobe Flash Player installer.” reads the security advisory published by Adobe.
“Successful exploitation could lead to Arbitrary Code Execution and privilege escalation in the context of the current user respectively.
Adobe is aware of reports that an exploit for CVE-2018-15982 exists in the wild.”
Adobe confirmed that it is aware of attacks exploiting the flaw in the wild.
Adobe has credited the following experts for reporting the CVE-2018-15982 flaw:
- Chenming Xu and Ed Miles of Gigamon ATR
- Yang Kang (@dnpushmen) and Jinquan (@jq0904) of Qihoo 360 Core Security (@360CoreSec)
- He Zhiqiu, Qu Yifan, Bai Haowen, Zeng Haitao and Gu Liang of 360 Threat Intelligence of 360 Enterprise Security Group
- independent researcher b2ahex
Attackers used decoy Word documents including Flash file with zero-day vulnerability. The Word document is included in a RAR archive with a JPG picture. When the Flash vulnerability is triggered, the malware extracts the RAT code embedded in the JPG picture.
“The attack strategy is very clever: Flash file with 0day vulnerability is inserted into decoy Word document which is compressed into one RAR file with a JPG picture. When Flash 0day vulnerability is triggered, it will extract out RAT from that JPG picture. Such trick aims to avoid detection of most security software. This RAT has same digital signature as one RAT which is very likely written by Hacking Team, latter was found August 2018. We believe that the new RAT is an upgrade version of Hacking Team’s RAT.” reads the analysis published by 360 the Enterprise Security Group.
“This vulnerability and exploitation code could be reused by cybercriminals even other APT groups for large-scale attacks, we would suggest users to take necessary protection, like applying latest Adobe Flash patch.”
Gigamon has also published a blog post describing the flaw and the attack, the experts pointed out that the decoy document in Russian language was submitted to VirusTotal from a Ukranian IP address. Qihoo 360 researchers observed the attack was launched just days after the Kerch Strait incident that occurred on November 25, when Russian Federal Security Service (FSB) border service coast guard boats fired upon and captured three Ukrainian Navy vessels that had attempted to pass from the Black Sea into the Sea of Azov through the Kerch Strait while on their way to the port of Mariupol.
“The vulnerability (CVE-2018-15982) allows for a maliciously crafted Flash object to execute code on a victim’s computer, which enables an attacker to gain command line access to the system.” reads the post published by Gigamon.
“The document was submitted to VirusTotal from a Ukranian IP address and contains a purported employment application for a Russian state healthcare clinic. “
Experts observed the exploitation of the Flash zero-day exploit in an attack aimed at the FSBI “Polyclinic No. 2” of the Administrative Directorate of the President of the Russian Federation.
Once opened, the decoy document shows a questionnaire for personnel of the Moscow-based hospital, while the zero-day exploit is executed in the background.
Qihoo 360 Core Security experts highlighted the similarities between this Flash zero-day with the CVE-2018-4878, which was first exploited by North Korea-linked APT group earlier 2018.