APT Group Leverages Flash Zero Day

Thursday, June 16, 2016 @ 04:06 PM gHale


A Flash Player Zero Day vulnerability revealed earlier this week by Adobe is being exploited by a new advanced persistent threat (APT) group, researchers said.

The APT group, called ScarCruft by Kaspersky Lab, is targeting Russia, Nepal, South Korea, China, Kuwait, India and Romania. Researchers said the group used two Flash Player vulnerabilities and one Microsoft Windows vulnerability in its attacks.

The latest Flash Zero Day (CVE-2016-4171), which Adobe will patch this week, has been used by the group in a campaign dubbed “Operation Daybreak.” The campaign, launched in March 2016, focused on high-profile targets.

In a separate campaign conducted by ScarCruft, dubbed Operation Erebus, the attackers leveraged watering holes and an exploit for CVE-2016-4117, a Flash Player flaw reported to Adobe last month by researchers from FireEye. That vulnerability was being exploited before a patch was released.

Kaspersky said ScarCruft could have also leveraged CVE-2016-0147, a Microsoft XML Core Services (MSXML) vulnerability that can be exploited through Internet Explorer. Microsoft patched the flaw in April, but it appears to have been exploited before a fix was released.

Until a patch is available, Microsoft's Enhanced Mitigation Experience Toolkit (EMET) is effective at mitigating these attacks.

Adobe informed customers on Tuesday that CVE-2016-4171 affects Flash Player 21.0.0.242 and earlier versions for Windows, Mac, Linux and Chrome OS. The company said successful exploitation of the flaw could cause a crash and could allow an attacker to take control of the vulnerable system.