New 0-day flaw in Flash Player used to install remote control tools

A new vulnerability in Flash lets attackers install remote administration tools that give them control of the target system. Adobe is rushing out a fix, but the advice is to stop using Flash Player.

Security researchers at Cisco's Talos Group have identified an attack campaign carried out by an already known hacking group that has shown greater sophistication in its work by exploiting a 0-day flaw identified in Adobe Flash Player.

The critical vulnerability, cataloged as CVE-2018-4877, is present in the latest version of Flash Player, and Adobe has already stated that versions prior to the current 28.0.0.137 may be affected by the same problem. The vulnerability came to light last week when South Korea's CERT issued a warning reporting attack code in the wild that could exploit the 0-day flaw to take full control of the infected machine by installing ROKRAT, a remote administration tool known to security experts since January 2017.

The exploit for the vulnerability was distributed as an Excel document containing a malicious Flash object which, once activated, proceeds to install ROKRAT. Talos notes that the group behind ROKRAT, called Group 123, has operated in the past using social engineering techniques or already known and patched vulnerabilities, but this is the first time it has operated using a 0-day vulnerability.

“Group 123 joins the criminal elite with the latest ROKRAT payload. The group exploited a 0-day vulnerability in Adobe Flash that was outside their previous abilities, which represents an important change in operations and a greater maturity of Group 123 that leads us to believe that they have a more skilled, highly motivated and sophisticated team,” the Talos researchers write.

The group's activity appears to be concentrated almost entirely on targets located in South Korea and, according to a post published by Talos last month, the members of Group 123 speak Korean fluently and know the Korean peninsula well. The group appears to have links with North Korea, and a South Korean security researcher said in recent days that the Flash vulnerability is “made in North Korea”.

Although the number of attacks exploiting 0-day flaws in Flash Player has dropped drastically over the last two years, the risk posed by Adobe's media player remains excessively high compared to the usefulness it offers most users. Adobe is expected to release a corrective patch this week.

The advice is to uninstall Flash Player and stop using it; if you must visit Flash-based sites, rely on Google Chrome, which ships its own integrated build of Flash Player running inside a sandbox.
