A targeted zero-day attack on Russia centered around a bug in Adobe Flash Player, but carried on the back of a malicious “mule” document, prompting both Adobe and Microsoft to release patches.
The Zero-Day Attack on Russia: What Happened?
In the early hours of November 29, 2018, a professional questionnaire issued by a Russian medical clinic was detected in the wild and identified as an exploited file designed to run malicious code on its readers’ computers. The Microsoft Word document prompts its opener to run “embedded content” which, in turn, exploits a bug in Adobe Flash Player to occupy and control regions of memory intended for exclusive use by Flash Player (use-after-free).
The vulnerability, CVE-2018-15982, is a remote code execution in Adobe Flash. While Adobe Flash is a relatively obsolete web technology, its vulnerabilities can still be used via a crafted word document.
Speculation is split on the identity of the aggressor that originated the zero-day attack on Russia and distributed this malware. Although it bears some resemblance to software written by Hacking Team, all attributions to them have been muddled by the notorious leak of their source code in July 2015. Alternatively, the simple fact of the mule document being directly related to a Russian institution leads some to suspect Ukraine as the originator of the zero-day attack, due to the two nations’ public and ongoing strife.
How Have Adobe and Microsoft Responded?
Interestingly, Adobe was apparently made aware of this malware and how it impacts its product by several independent sources very shortly after the time of the zero-day attack. Qihoo discovered the malicious file on the same day that Gigamon reported the exploit to Adobe PSIRT.
Working quickly towards a fix, Adobe collaborated with Microsoft (the corporation’s operating systems are tightly coupled with Flash Player) to issue out-of-band (OOB) updates for their relevant products. This was achieved with a turnaround of less than a week, with updates from both Adobe and Microsoft live on December 5, 2018.
Despite the fact that this flaw — and another, less serious one that was revealed at the same time — is inherent in all previous versions of Flash Player, Microsoft has gone to lengths to create workarounds. Such workarounds disable Flash Player functionality altogether in Office, Internet Explorer and various Windows versions to help reduce the impact of the zero-day attack.
Considering the long history of security issues with Flash Player and the fact that each program deals with and must disable it separately, the same measure has also been recommended by other browsers. For example, Chrome’s browser support pages list several ways to abridge or confine Flash Player’s reach because “some websites might use Adobe Flash Player to harm your computer.”
What Should Skybox Customers Do?
This started as a targeted, zero-day attack on Russia, but we have previously seen exploits similar to this spread with ease to other places and organizations. So it’s important to ensure that your networks are secure either by patching Adobe Flash instances directly or by applying Microsoft’s patch.
Adobe Flash Exploit Delivering FINSPY to UN Member Countries: The BlackOasis threat actor is exploiting an Adobe Flash vulnerability to deliver the FINSPY spyware
Petya NotPetya? Ransomware NotRansomware? A day after the Petya attack outbreak, we’re left with a plenty of questions and a bit more insight