An increasingly sophisticated hacking group is exploiting a zero-day vulnerability in Adobe’s Flash Player that lets them take full control of infected machines, researchers said Friday.
The critical, use-after-free vulnerability, which is indexed as CVE-2018-4877, resides in the latest version of the widely installed Flash, researchers from Cisco Systems’ Talos group said in a blog post. Adobe said separately that versions earlier than current Flash 220.127.116.11 are also susceptible. The vulnerability came to light on Wednesday when South Korea’s CERT issued an advisory warning that attack code was circulating in the wild that exploited the zeroday flaw.
Talos said the exploit is being distributed through a Microsoft Excel document that has a malicious Flash object embedded into it. Once the SWF object is triggered, it installs ROKRAT, a remote administration tool Talos has been tracking since January 2017. Until now, the group behind ROKRAT—which Talos calls Group 123—has relied on social engineering or exploits of older, previously known vulnerabilities that targets hadn’t yet patched. This is the first time the group has used a zeroday exploit.
“Group 123 have now joined some of the criminal elite with this latest payload of ROKRAT,” Talos researchers Warren Mercer and Paul Rascagneres wrote in Friday’s post. “They have used an Adobe Flash 0day which was outside of their previous capabilities—they did use exploits in previous campaigns but never a net new exploit as they have done now. This change represents a major shift in Group 123s maturity level, we can now confidentially assess Group 123 has a highly skilled, highly motivated and highly sophisticated group.”
Group 123 has focused almost entirely on infecting targets located in South Korea. According to this post Talos published last month, Group 123 members speak perfect Korean and are thoroughly familiar with the Korean Peninsula region. Talos has stopped short of saying the group has ties to North Korea, but a South Korean security researcher tweeted Thursday that the Flash exploit was “made by North Korea.” The researcher didn’t respond to questions seeking more details.
While the number of in-the-wild attacks exploiting Flash zerodays has dropped significantly over the past year or two, the risk posed by the Adobe media player remains unacceptably high relative to the benefit it provides most users. And now that word of the vulnerability is circulating, it wouldn’t be surprising for other groups to use it against a much wider audience.
Ars has long advised readers to uninstall the Flash app from their computers. For people who rely on sites that require Flash, Google’s Chrome browser provides a customized version of the player that’s protected by a security sandbox and can be turned on for specific sites. Adobe said it plans to release a patched version of Flash the week of February 5.
This post was updated to correct the time frame Adobe gave for fixing the flaw.