A hacking group has been exploiting a zero-day vulnerability in Flash Player. The vulnerability lets the attackers take control of infected machines.
Adobe is aware of the high risk and has stated that it will release a fix for the issue next week.
This vulnerability is indexed as CVE-2018-4877 and it exists in the latest version of Flash. This issue has been made public by the researchers from Cisco Systems’ Talos group. Adobe stated that earlier versions than the current v. 188.8.131.52 might also be vulnerable.
On 31 January, South Korea's CERT warned that attack code exploiting the zero-day flaw was circulating in the wild.
The flaw is a use-after-free vulnerability. Talos said the exploit is distributed through a Microsoft Excel document with a malicious Flash (SWF) object embedded in it; as soon as the object is triggered, it installs a remote administration tool called ROKRAT. Talos has been tracking ROKRAT since January last year.
The group behind ROKRAT, called Group 123 by Talos, has so far relied on older vulnerabilities that their targets had not patched, or on social engineering. This is the first time they have used a zero-day exploit.
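The delivery mechanism described above (an Excel workbook carrying an embedded SWF object) is something a defender can triage for without opening the file. The following scanner is an added example and is not code from the article or from Talos: it assumes an OOXML (.xlsx) workbook, which is a zip container whose embedded OLE objects are stored under `xl/embeddings/`, and it looks for the SWF file signatures `FWS`, `CWS` and `ZWS` followed by a plausible version byte and length field. The sample workbook it builds is constructed test data, and the version and size thresholds are assumed sanity limits, not a specification.

```python
"""Heuristic triage of an .xlsx file for embedded Flash (SWF) objects.

Added example, not part of the original article. Assumes an OOXML workbook
(a zip container) and looks for SWF headers inside the embedded-object parts.
"""
import io
import re
import struct
import zipfile

# A SWF header is: 3-byte signature ('FWS' uncompressed, 'CWS' zlib, 'ZWS' LZMA),
# 1-byte version, then a 4-byte little-endian file length.
SWF_MAGIC = re.compile(rb"(?:FWS|CWS|ZWS)")


def find_swf_headers(blob: bytes):
    """Return (offset, signature, version, length) for every plausible SWF header in blob."""
    hits = []
    for m in SWF_MAGIC.finditer(blob):
        off = m.start()
        if off + 8 > len(blob):
            continue
        version = blob[off + 3]
        length = struct.unpack_from("<I", blob, off + 4)[0]
        # Assumed sanity limits: a real header has a small version byte and a
        # non-trivial declared length; three ASCII letters alone are just noise.
        if 1 <= version <= 50 and 8 < length < 100 * 1024 * 1024:
            hits.append((off, m.group().decode(), version, length))
    return hits


def scan_xlsx(data: bytes):
    """Scan the parts of an OOXML workbook and report which contain SWF headers."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # Embedded OLE objects live under xl/embeddings/; xl/media/ normally
            # holds images, but a payload can be dropped there too, so check both.
            if not (name.startswith("xl/embeddings/") or name.startswith("xl/media/")):
                continue
            blob = zf.read(name)
            for off, sig, ver, length in find_swf_headers(blob):
                findings.append({
                    "part": name, "offset": off, "signature": sig,
                    "version": ver, "length": length,
                })
    return findings


def build_sample_workbook(with_swf: bool) -> bytes:
    """Construct a minimal zip that mimics an .xlsx with one embedded OLE object.

    Constructed test data only; it is not a real spreadsheet or a real exploit.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        payload = b"\x00" * 64  # stand-in for the OLE wrapper bytes
        if with_swf:
            # Fake SWF header: 'CWS', version 28, declared length 4096, then filler.
            payload += b"CWS" + bytes([28]) + struct.pack("<I", 4096) + b"\x78\x9c" + b"A" * 32
        zf.writestr("xl/embeddings/oleObject1.bin", payload)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("with_swf=%s -> %s" % (flag, scan_xlsx(build_sample_workbook(flag))))
```

On real files this is a first-pass triage signal, not a verdict: a hit tells you an SWF is present inside a workbook that has no business carrying one, and the part name and offset tell an analyst where to carve it for further inspection. Legacy `.xls` files are OLE2 compound documents rather than zips, so they would need a different container parser before the same header search applies.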
In a post published on 2 February, Talos researchers Warren Mercer and Paul Rascagneres wrote that, with the use of the zero-day vulnerability, 'Group 123 have now joined some of the criminal elite with this latest payload of ROKRAT'. The vulnerability appears to have been 'outside of their previous capabilities', the researchers said, which makes the group more of a threat now that they are 'a highly skilled, highly motivated and highly sophisticated group'.
So far, Group 123 has focused on targets from South Korea. They speak perfect Korean and are familiar with the Korean Peninsula region, according to the post published by Talos last month.
It is not known if the Flash exploit was ‘made by North Korea’, as a South Korean security researcher tweeted a few days ago.
The last few years have seen only a small number of attacks using Flash zero-days, but now that this vulnerability has been made public, other groups might use it in other countries, against a wider audience.
Protect your machines from incoming attacks by uninstalling the Flash app from your PCs, or by using Google Chrome, which runs Flash inside its sandbox and lets you allow it only on the sites you choose.
Adobe will release a patched version of the Flash Player on February 5.