Windows users attacked via critical Flash zero-day: Patch now, urges Adobe

June 8, 2018

Adobe has released an update to address a critical flaw affecting Flash Player that is actively being exploited, otherwise known as a zero-day flaw.

Adobe is urging users to update from Adobe Flash Player 29.0.0.171 to the patched version, 30.0.0.113. It also addresses three other flaws.

An exploit for the flaw, CVE-2018-5002, is stealthily delivered in emailed Excel attachments using a novel technique designed to minimize the risk of detection by antivirus and frustrate forensic analysis.

The flaw was discovered by researchers at security firms Iceberg and Qihoo 360 Core Security, which have provided separate analyses of the techniques.

Instead of embedding malicious Flash content directly in the Office document, which might be detected by analyzing its code, the Excel file calls in the Flash exploit from a remote server.

Iceberg notes that the remote inclusion helps evade detection because the document doesn’t contain any malicious code.

Remotely loading the malicious Flash object also lets the attacker selectively serve exploits to targets based on IP address, or withhold them from non-targets, such as addresses belonging to a regional ISP, a cloud provider, or a security vendor.

Once the malicious Excel document is opened, it requests a malicious Shockwave Flash (SWF) file from an attacker-created domain. The SWF file then requests encrypted data and decryption keys, which are used to unpack and run the Flash exploit.
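A defender-side illustration of the remote-inclusion step described above, added here and not code from the article or the researchers: a small scanner that unpacks an OOXML workbook and flags a Flash ActiveX control paired with a remote target. It assumes the control is stored as an activeX part carrying the Shockwave Flash CLSID and that the remote SWF appears either in an external Relationship target or in the control's Movie property; the sample workbook and its URL are constructed for the demonstration.

```python
"""Scan an OOXML document (.xlsx/.docx/.pptx) for an embedded Flash ActiveX control
and for remote object references, the delivery pattern described above.
Assumptions (not from the article): the control is stored as an activeX part that
carries the Shockwave Flash CLSID, and the remote SWF is named either in an external
Relationship target or in the control's ocxPr 'Movie' value. Sample input is constructed."""
import io
import re
import zipfile

FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"  # ShockwaveFlash.ShockwaveFlash CLSID
REL_RE = re.compile(rb"<Relationship\b([^>]*?)/?>", re.I)     # one OOXML relationship element
TARGET_RE = re.compile(rb'\bTarget="([^"]*)"', re.I)          # its Target attribute
OCX_URL_RE = re.compile(rb'value="(https?://[^"]+)"', re.I)   # http(s) URLs in ActiveX properties


def scan_ooxml(data: bytes) -> dict:
    """Return which indicators were found; 'suspicious' means Flash control + remote target."""
    found = {"flash_control": False, "remote_targets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            part = zf.read(name)
            if FLASH_CLSID.encode() in part.upper():       # CLSID may be stored in either case
                found["flash_control"] = True
            for m in REL_RE.finditer(part):                # external relationships point off-disk
                attrs = m.group(1)
                if b'targetmode="external"' in attrs.lower():
                    t = TARGET_RE.search(attrs)
                    if t:
                        found["remote_targets"].append(t.group(1).decode())
            if "/activex/" in name.lower():                # URLs stored as ActiveX property values
                found["remote_targets"] += [u.decode() for u in OCX_URL_RE.findall(part)]
    found["remote_targets"] = sorted(set(found["remote_targets"]))
    found["suspicious"] = found["flash_control"] and bool(found["remote_targets"])
    return found


def build_sample(movie_url: str) -> bytes:
    """Construct a minimal workbook archive with a Flash control whose Movie points at movie_url."""
    activex = (
        '<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
        f'ax:classid="{{{FLASH_CLSID}}}" ax:persistence="persistPropertyBag">'
        f'<ax:ocxPr ax:name="Movie" ax:value="{movie_url}"/></ax:ocx>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/activeX/activeX1.xml", activex)
    return buf.getvalue()
```

A control whose Movie value is empty or local is reported as present but not suspicious, so the scanner only raises on the combination the article describes.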

Once the Flash vulnerability is triggered, the file requests malicious shellcode from the remote server and executes it on the victim’s machine, which delivers a trojan that probably establishes a backdoor on the machine.

Iceberg notes the combined use of remote inclusion and public-key cryptography to conceal the exploit makes it extremely difficult for responders to analyze an infection.

All data transmitted from the attacker’s server to the target machine is shielded by a symmetric AES cipher, while the symmetric AES key is protected by an asymmetric RSA cipher.

“To decrypt the data payload, the client decrypts the encrypted AES key using its randomly generated private key, then decrypts the data payload with the decrypted AES key,” wrote Iceberg’s researchers. “The extra layer of public key cryptography, with a randomly generated key, is crucial here. By using it, one must either recover the randomly generated key or crack the RSA encryption to analyze subsequent layers of the attack.

“If implemented correctly, this renders packet capture in forensic analysis and automated security products ineffective. Furthermore, the decrypted data payloads will only reside in memory, challenging traditional disk forensics and non-volatile artifact analysis.”

According to CERT/CC analyst Will Dormann, Adobe’s patch for CVE-2018-5002 introduces a new prompt that warns users of potential security risks before loading remote content. Although the prompt looks like an Office prompt, the warning only appears after applying Adobe’s latest update, Dormann notes.

Microsoft’s advisory for Adobe’s latest update offers instructions for admins to prevent Flash Player from running in Office.

Additionally, the malicious Excel document was uploaded to VirusTotal from an IP address in Qatar. The Excel file’s Arabic-language contents suggest the targets include anyone who would be interested in salaries at an embassy, with pay details for secretaries, ambassadors, and diplomats.

Source: ZDNet article
