Soon enough, they’ll be enjoying Newgrounds.
It seems North Korean hackers haven’t been resting on their laurels. They’ve found, and exploited, a flaw in Adobe Flash Player that lets them steal files from victims’ computers. The exploit gives an attacker remote code execution on the PC, and it affects every version of Adobe Flash Player released so far (28.0.0.137 and earlier).
Adobe issued the following advisory:
A critical vulnerability (CVE-2018-4878) exists in Adobe Flash Player 28.0.0.137 and earlier versions. Successful exploitation could potentially allow an attacker to take control of the affected system.
Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.
Adobe will address this vulnerability in a release planned for the week of February 5.
For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.
Mitigations
Beginning with Flash Player 27, administrators have the ability to change Flash Player’s behavior when running on Internet Explorer on Windows 7 and below by prompting the user before playing SWF content. For more details, see this administration guide.
Administrators may also consider implementing Protected View for Office. Protected View opens a file marked as potentially unsafe in Read-only mode.
According to Simon Choi, a director at the security firm Hauri, the attacks date back to mid-November 2017 and targeted South Koreans who research North Korea.
Flash 0day vulnerability that was made by North Korea, used from mid-November 2017. They attacked South Koreans who mainly do research on North Korea. (no patch yet) pic.twitter.com/bbjg1CKmHh
— IssueMakersLab (@issuemakerslab) February 1, 2018
Cisco’s Talos group corroborated those findings on Friday. The campaign, which Talos attributes to “Group 123”, delivers the exploit in rigged Microsoft Excel documents. Once a document is opened, the attackers are able to take control of the computer it was opened on.
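Both Adobe’s advisory and Talos describe the same delivery vehicle: an Office document with a Flash object embedded in it. The script below is an added example, not code from the article, Adobe or Cisco Talos. It triages an Office Open XML package (.xlsx, .docx, .pptx) for embedded Flash by looking for a SWF header in any part and for the Shockwave Flash ActiveX CLSID in the XML parts. It does not detect the CVE-2018-4878 exploit itself (that lives inside the SWF); it flags the mere presence of Flash, which is rare in legitimate mail attachments and is therefore a useful hunt signal. The part names, the ActiveX XML namespace and the sample workbook are assumptions and constructed test data; legacy binary .xls (OLE2) files are out of scope and need an OLE parser.

```python
"""Added example, not code from the article, Adobe or Cisco Talos: triage an
Office Open XML document for embedded Flash, the delivery vehicle described
for CVE-2018-4878. Part names, the ActiveX namespace and the sample workbook
below are assumptions / constructed test data."""
import io
import re
import struct
import zipfile
from typing import Dict, List

# CLSID of the Shockwave Flash ActiveX control, as it appears in
# xl/activeX/activeXN.xml (ax:classid) or other XML parts of the package.
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
_CLSID_RE = re.compile(re.escape(FLASH_CLSID), re.IGNORECASE)

# SWF signature: "FWS" (uncompressed), "CWS" (zlib), "ZWS" (LZMA), followed by
# a one-byte version and a little-endian uint32 uncompressed file length.
_SWF_MAGIC_RE = re.compile(rb"[FCZ]WS")
_MAX_PLAUSIBLE_SWF_VERSION = 50


def find_swf_header(data: bytes):
    """Return (offset, magic, version) of the first plausible SWF header in
    data, or None. The magic may sit at any offset because the SWF is usually
    wrapped in an OLE container (activeXN.bin / oleObjectN.bin), not stored bare.
    """
    for m in _SWF_MAGIC_RE.finditer(data):
        end = m.end()
        if end + 5 > len(data):
            break
        version = data[end]
        length = struct.unpack_from("<I", data, end + 1)[0]
        # Sanity checks so the three letters in arbitrary binary do not match.
        if 1 <= version <= _MAX_PLAUSIBLE_SWF_VERSION and length >= 8:
            return m.start(), m.group().decode("ascii"), version
    return None


def find_flash_indicators(doc_bytes: bytes) -> List[Dict[str, str]]:
    """Scan every part of an OOXML package and return one finding per part
    that looks like embedded Flash. Non-zip input yields an empty list."""
    findings: List[Dict[str, str]] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(doc_bytes))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            swf = find_swf_header(data)
            if swf:
                offset, magic, version = swf
                findings.append({"member": info.filename,
                                 "reason": f"SWF header {magic} v{version} at offset {offset}"})
                continue
            # Only XML parts carry the CLSID; skip the CLSID scan for binaries.
            if info.filename.lower().endswith((".xml", ".rels")):
                text = data.decode("utf-8", errors="replace")
                if _CLSID_RE.search(text):
                    findings.append({"member": info.filename,
                                     "reason": "Shockwave Flash ActiveX CLSID"})
    return findings


def build_sample_xlsx(with_flash: bool) -> bytes:
    """Constructed test data: a minimal .xlsx-shaped package, optionally with a
    Flash ActiveX control whose persisted stream carries a fake SWF header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_flash:
            zf.writestr("xl/activeX/activeX1.xml",
                        "<ax:ocx xmlns:ax='http://schemas.microsoft.com/office/2006/activeX' "
                        "ax:classid='{D27CDB6E-AE6D-11cf-96B8-444553540000}' "
                        "ax:persistence='persistStreamInit'/>")
            # Fake control data: 128 bytes of padding, then an uncompressed SWF
            # header (FWS, version 10, length 0x20) and some body bytes.
            swf = b"FWS" + bytes([10]) + struct.pack("<I", 0x20) + b"\x00" * 24
            zf.writestr("xl/activeX/activeX1.bin", b"\x00" * 128 + swf)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    paths = sys.argv[1:]
    if not paths:
        # No file given: run against the constructed sample.
        for hit in find_flash_indicators(build_sample_xlsx(with_flash=True)):
            print(f"[sample] {hit['member']}: {hit['reason']}")
    for path in paths:
        with open(path, "rb") as fh:
            hits = find_flash_indicators(fh.read())
        print(f"{path}: {'FLASH FOUND' if hits else 'no Flash indicators'}")
        for hit in hits:
            print(f"  {hit['member']}: {hit['reason']}")
```

Run it with one or more attachment paths as arguments, or with none to see it flag the constructed sample. A hit on an inbound Excel attachment is a reason to detonate the file in isolation rather than open it; a clean result only means no Flash was found in the package, not that the document is safe.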
Group 123 have now joined some of the criminal elite with this latest payload of ROKRAT. They have used an Adobe Flash 0-day which was outside of their previous capabilities – they did use exploits in previous campaigns but never a net new exploit as they have done now. This change represents a major shift in Group 123’s maturity level; we can now confidently assess Group 123 has a highly skilled, highly motivated and highly sophisticated group. Whilst Talos do not have any victim information related to this campaign we suspect the victim has been a very specific and high value target. Utilizing a brand new exploit, previously not seen in the wild, displays they were very determined to ensure their attack worked.
While Talos doesn’t definitively tie Group 123 to North Korea, it does know that the group is after high-value targets. As of right now, Adobe is working to fix the issue as soon as possible. So maybe don’t open any strange emails.