After Patch, APTs Still Hit

Friday, May 25, 2012 @ 11:05 AM gHale

Installing patches continues to be an issue and a perfect example comes from a fixed bug in Adobe’s Flash product that attackers are still successfully exploiting.

These advanced persistent threats take advantage of the vulnerability, identified as CVE-2012-0754. Adobe patched the hole in February. But new attacks targeting unpatched systems are still circulating, according to a report from Xecure Lab, which found attackers are continuing to refine their technique even months after Adobe issued a patch for the hole.


The vulnerability in question is a remote code execution bug that affects versions of Flash running on a number of platforms, including Windows, Linux, Solaris and Android. Xecure said it detected a variant of the “SB” family of Trojans installed in attacks that leverage the Flash bug.

Independent analysis by researcher Brandon Dixon of another PDF that also targeted the vulnerability revealed ties to a series of targeted attacks dating to March and a separate attack in late April.

The malware used in that attack was similar to a family identified by Symantec as “Barkiofork” and Trojan.ADH.2, though the final analysis is not in, Dixon said. The malware arrived in a PDF document titled “Understanding Blood Tests Without a Medical Degree,” connected to a remote command and control server and relayed information from the infected host.

This isn’t the first time that attackers have taken advantage of the Flash vulnerability.

In March, security researchers recovered email messages containing malicious Word for Windows document attachments that exploited the Flash vulnerability with a malicious MP4 pulled from a server controlled by the attacker. However, the latest attacks improve upon the March attacks by using a malicious PDF instead of a Word document and bundling the MP4 file that exploits the vulnerability in the PDF, Xecure said.
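Because the newer lure bundles the exploit MP4 inside the PDF rather than fetching it from a remote server, a mail gateway or triage script can look for that packaging directly. The following is an added example, not code from the article or from Xecure Lab: it scans a PDF byte stream for the PDF keys used to embed rich media (/RichMedia, /Flash, /EmbeddedFile) and for an MP4 file signature (a 4-byte size followed by an `ftyp` box), inflating any FlateDecode streams first so a compressed payload is not missed. The sample PDF bytes are constructed for the demonstration.

```python
import re
import zlib

# An MP4 file begins with a box: 4-byte big-endian size, the type 'ftyp',
# then a 4-character brand (e.g. mp42, isom). The regex looks for that shape.
MP4_BOX = re.compile(rb"[\x00-\xff]{4}ftyp[A-Za-z0-9 ]{4}")

# PDF dictionary keys associated with embedded Flash/rich-media content.
PDF_FLAGS = [b"/RichMedia", b"/Flash", b"/EmbeddedFile"]

# stream ... endstream bodies; compressed payloads hide inside these.
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(data):
    """Return the inflated bodies of every stream that is zlib/FlateDecode data."""
    out = []
    for m in STREAM.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (or damaged); skip it
    return out


def scan_pdf(data):
    """Return a sorted list of indicators found in the raw or inflated PDF content."""
    findings = set()
    for blob in [data] + inflate_streams(data):
        for flag in PDF_FLAGS:
            if flag in blob:
                findings.add(flag.decode())
        if MP4_BOX.search(blob):
            findings.add("mp4_ftyp_box")
    return sorted(findings)


# Constructed sample: a tiny MP4 header (not a real video) compressed into an
# embedded-file stream of a minimal PDF that also carries a RichMedia annotation.
_mp4_header = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 16
_compressed = zlib.compress(_mp4_header)
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Annot /Subtype /RichMedia >> endobj\n"
    b"2 0 obj << /Type /EmbeddedFile /Length "
    + str(len(_compressed)).encode()
    + b" /Filter /FlateDecode >>\nstream\n"
    + _compressed
    + b"\nendstream\nendobj\n%%EOF\n"
)

# Constructed benign document with no media at all.
BENIGN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Page >> endobj\n%%EOF\n"

if __name__ == "__main__":
    print("sample :", scan_pdf(SAMPLE_PDF))   # ['/EmbeddedFile', '/RichMedia', 'mp4_ftyp_box']
    print("benign :", scan_pdf(BENIGN_PDF))   # []
```

A hit on any of these indicators is a reason to route the file to sandbox detonation, not proof of an exploit; legitimate PDFs do embed video. The check is deliberately narrow to the packaging described above, so a Flash build already at Adobe's patched version remains the primary defense.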
