Adobe has patched a zero-day vulnerability used by the BlackOasis APT to plant surveillance software developed by Gamma International.
On Monday, researchers from Kaspersky Lab revealed the new, previously unknown vulnerability which has been actively used in the wild by advanced persistent threat (APT) group BlackOasis.
Originally discovered by Kaspersky’s Anton Ivanov, the flaw, CVE-2017-11292, is a critical type confusion vulnerability that could lead to code execution on Windows, Mac, Linux and Chrome OS systems.
In a security advisory, Adobe said Adobe Flash Player Desktop Runtime, Adobe Flash Player for Google Chrome, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 are affected by the vulnerability.
An exploit utilizing the flaw is delivered through a malicious Microsoft Word document which then installs the FinSpy commercial malware, which is a highly sophisticated system used by governments worldwide to monitor the activities of people of interest — whether criminals, activists, or journalists.
The malware is able to monitor communication software such as Skype, eavesdrop on video chats, log calls, view and copy user files, and more.
Kaspersky detected the zero-day in use in an attack on Windows machines on 10 October by BlackOasis but says that as the latest version of FinSpy is being installed, forensic analysis is difficult.
“In the past, use of the malware was mostly domestic, with law enforcement agencies deploying it for surveillance on local targets,” Kaspersky says. “BlackOasis is a significant exception to this — using it against a wide range of targets across the world.”
“This appears to suggest that FinSpy is now fuelling global intelligence operations, with one country using it against another,” the team added. “Companies developing surveillance software such as FinSpy make this arms race possible.”
The security researchers were able to establish that FinSpy, once installed, connects to command-and-control (C&C) servers in Switzerland, Bulgaria, and the Netherlands. The team says that BlackOasis is interested in those involved in Middle Eastern politics, the UN, bloggers, and activists, as well as media.
Victims of the APT have been spotted in countries including Russia, Iraq, Afghanistan, Nigeria, Libya, and Angola, but the groups’ interests are hard to pin down beyond politics — spanning across everything from oil to money laundering and think tanks.
In a blog post, the cybersecurity firm said it believes the group is also responsible for the exploit of CVE-2017-8759, a bug within the Microsoft .NET Framework which allowed attackers to perform remote code execution that was discovered in September.
Kaspersky believes that the APT group has utilized at least five zero-day vulnerabilities in targeted attacks since June 2015.
“The attack using the recently discovered zero-day exploit is the third time this year we have seen FinSpy distribution through exploits to zero-day vulnerabilities,” said Ivanov. “Previously, actors deploying this malware abused critical issues in Microsoft Word and Adobe products. We believe the number of attacks relying on FinSpy software, supported by zero-day exploits such as the one described here, will continue to grow.”
As the zero-day is in active use, businesses and consumers alike should immediately apply Adobe’s latest security fix to stay safe.
This is not the only serious vulnerability to hit the news this week. On Monday, researchers revealed the existence of a severe flaw in the WPA2 Wi-Fi protocol, called KRACK, which exposes millions of devices to the risk of eavesdropping.