Kaspersky Lab, which has been under fire by the U.S. government as possibly being an agent of the Russian government and spying on U.S. computers, has found a previously unknown bug in Adobe Flash that was apparently exploited by a hacker group on October 10. Adobe issued a patch to fix the bug today.
According to Kaspersky, "the exploit is delivered through a Microsoft Word document and deploys the FinSpy commercial malware." The company worked with Adobe to get a patch ready as quickly as possible, with Adobe releasing it a few hours ago. Users and agencies running the following versions of Adobe Flash will need to update immediately, as the vulnerability has been labeled as critical:
- Adobe Flash Player Desktop Runtime, version 18.104.22.168 for Windows, Macintosh
- Adobe Flash Player for Google Chrome, version 22.214.171.124 for Windows, Macintosh, Linux and Chrome OS
- Adobe Flash Player for Microsoft Edge and Internet Explorer, version 1127.0.0.130 for Windows 10 and 8.1
- Adobe Flash Player Desktop Runtime, version 126.96.36.199 for Linux
The patch updates all versions of Adobe Flash to version 188.8.131.52.
Kaspersky detailed exactly how the exploit worked:
Analysis reveals that, upon successful exploitation of the vulnerability, the FinSpy malware (also known as FinFisher) is installed on the target computer. FinSpy is a commercial malware, typically sold to nation states and law enforcement agencies to conduct surveillance. In the past, use of the malware was mostly domestic, with law enforcement agencies deploying it for surveillance on local targets. BlackOasis is a significant exception to this – using it against a wide range of targets across the world. This appears to suggest that FinSpy is now fuelling global intelligence operations, with one country using it against another. Companies developing surveillance software such as FinSpy make this arms race possible.
The malware used in the attack is the most recent version of FinSpy, equipped with multiple anti-analysis techniques to make forensic analysis more difficult.
After installation, the malware establishes a foothold on the attacked computer and connects to its command and control servers located in Switzerland, Bulgaria and the Netherlands, to await further instructions and exfiltrate data.
The company said it has identified BlackOasis targets in Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, the Netherlands, Bahrain, United Kingdom, and Angola.
“The attack using the recently discovered zero-day exploit is the third time this year we have seen FinSpy distribution through exploits to zero-day vulnerabilities,” said Anton Ivanov, lead malware analyst at Kaspersky Lab, and the individual who reported the exploit to Adobe. “Previously, actors deploying this malware abused critical issues in Microsoft Word and Adobe products. We believe the number of attacks relying on FinSpy software, supported by zero-day exploits such as the one described here, will continue to grow.”
A zero-day exploit targets a vulnerability that was previously unknown to the software's maker and to those who work to stop such exploits, so no patch exists when the attack first occurs.
Kaspersky and Adobe are old friends when it comes to zero-day vulnerability fixes. Last year, the lab found three different exploits in consecutive months. So be sure to update your system to the latest version of Flash if you use the software.