Posted on February 5, 2018 at 10:12 AM
Hackers in the Korean peninsula are using a zero-day vulnerability in Adobe Flash player to take full control of user systems.
Adobe Flash Player is widely regarded as the most vulnerable software people have on their systems. Over the past few years, the stream of Flash vulnerabilities has led researchers to ask users to uninstall the Flash app from their systems altogether. Just when things seemed to have gone quiet, a new zero-day vulnerability is being used by a group to take control of user systems.
Cisco Systems’ Talos group said that CVE-2018-4877 is being actively used by a group that is targeting users mostly in the Korean peninsula. Talos said that the group has a history of using Adobe exploits and vulnerabilities to target users. However, their report said that this is the first time Group 123 is using a new zero-day vulnerability to orchestrate an attack. They went on to say that Group 123’s newest attack shows their intent and that they are growing into a force to be reckoned with.
This new vulnerability is present in Adobe Flash 126.96.36.199, which is the latest version of Flash. However, researchers have warned that older versions are just as susceptible to this attack as the latest version. The attack code that is in circulation comes inside a Microsoft Excel file. When the malicious Flash object embedded in this file is triggered, it installs ROKRAT, a remote administration tool. Talos researchers have been tracking ROKRAT for more than a year now, and they have a full history of Group 123 and their mode of operation.
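The delivery chain above (an Excel file carrying an embedded Flash object) is something a defender can triage without ever opening the document. The script below is an added example, not code from the article or from Talos. It assumes the workbook is in Office Open XML (.xlsx) format, which is a ZIP container; the article only says "a Microsoft Excel file". It unpacks every ZIP member and looks for the three SWF file signatures (FWS, CWS, ZWS), which is enough to flag a Flash object hidden inside an OLE or ActiveX part. The sample workbook is constructed in the script; its SWF body is synthetic filler, not a real Flash file.

```python
"""Scan an Office Open XML workbook for embedded Flash (SWF) objects.

Added example for triage of suspicious spreadsheets; not from the article
or Talos. Assumes OOXML (.xlsx), i.e. a ZIP container. A SWF file starts
with 'FWS' (uncompressed), 'CWS' (zlib) or 'ZWS' (LZMA), then a one-byte
version and a little-endian uint32 file length.
"""
import io
import zipfile

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def find_swf_offsets(blob: bytes) -> list:
    """Return offsets at which an SWF header appears inside a byte blob.

    Embedded objects are usually wrapped in an OLE/ActiveX container, so
    the signature is rarely at offset 0; the whole blob is scanned.
    """
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            idx = blob.find(magic, start)
            if idx == -1:
                break
            # Require room for the 8-byte header and a plausible version
            # byte (1..60) to cut down on false positives from plain text.
            if idx + 8 <= len(blob) and 1 <= blob[idx + 3] <= 60:
                hits.append(idx)
            start = idx + 1
    return sorted(hits)


def scan_ooxml(data: bytes) -> list:
    """Return (zip member name, offset) pairs for every SWF signature found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = zf.read(info.filename)
            for off in find_swf_offsets(member):
                findings.append((info.filename, off))
    return findings


def build_sample_workbook() -> bytes:
    """Constructed sample: a minimal OOXML-like ZIP with one embedded SWF blob.

    The SWF body is synthetic zero filler, not a real Flash file.
    """
    fake_swf = b"CWS" + bytes([28]) + (64).to_bytes(4, "little") + b"\x00" * 56
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        # OLE/ActiveX payloads normally live under xl/embeddings or xl/activeX;
        # 16 bytes of container header precede the SWF signature here.
        zf.writestr("xl/embeddings/oleObject1.bin", b"\x00" * 16 + fake_swf)
    return buf.getvalue()


if __name__ == "__main__":
    for name, offset in scan_ooxml(build_sample_workbook()):
        print(f"SWF signature in {name} at offset {offset}")
```

Any hit is a reason to quarantine the file: a legitimate spreadsheet has no business carrying a Flash object. For real samples, replace `build_sample_workbook()` with the bytes of the file under review; the scanner never executes anything it finds.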
Most of their activity is restricted to the Korean peninsula, with targets primarily belonging to South Korea. Talos researchers also say that Group 123 members all speak perfect Korean and know the region inside out. But Talos did not comment on whether this group belongs to North Korea. A South Korean researcher stated on Twitter that this Flash exploit is a North Korean product, but he refused to entertain any questions regarding his statement, so rumor and speculation are all we have.
Flash 0day vulnerability that was made by North Korea, used from mid-November 2017. They attacked South Koreans who mainly do research on North Korea. (no patch yet) pic.twitter.com/bbjg1CKmHh
— Simon Choi (@issuemakerslab) February 1, 2018
This attack highlights the weakness of Adobe Flash and just how vulnerable it makes user systems to targeted attacks. Many incidents in recent years have seriously affected users because of an Adobe Flash exploit. While the company tries its best to patch the flaws, new ones keep appearing with alarming frequency. Adobe said that it would patch this zero-day vulnerability this week, but researchers are once again asking users to stop using the Flash app on their systems altogether.
If you use a website or service that requires Flash, you can instead use Google Chrome’s customized version of Flash. This runs in a security sandbox to protect your system from infection, and you can choose to enable it only for specific websites. While the patched version will be out by February 5, you should instead stop using the app to protect yourself from future problems.