Yesterday, Adobe released a new update for Flash Player to address an actively exploited flaw (CVE-2017-11292) that is being used by the hacking group Black Oasis to deliver FinSpy malware.
FinSpy is not malware as such; it is a legitimate software program developed by the German software company Gamma International. However, its capabilities include many malware-like functions.
As the name suggests, FinSpy is surveillance software that is used for espionage. The software has been extensively used by governments and law enforcement agencies to gather intelligence on criminal organizations as well as foreign governments. It would appear that Black Oasis is targeting military and government organizations by leveraging this Adobe zero-day flaw to deliver FinSpy malware.
So far, Black Oasis has used the Adobe Flash Player zero-day flaw to conduct at least one FinSpy malware attack. That attack was detected by anti-virus firm Kaspersky Lab, which alerted Adobe to the flaw.
CVE-2017-11292 is a memory corruption vulnerability that was exploited via spam email using a Word document with an embedded ActiveX object containing the Flash exploit. While this attack involved FinSpy malware, the same delivery method could be used to drop any number of different malware and ransomware variants.
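As an added example (not code from the article, Adobe or Kaspersky), the following Python script inspects a .docx package for the delivery vector described above: ActiveX control parts that reference the Shockwave Flash CLSID, and embedded parts that begin with a SWF header. The sample documents it builds, the part-name prefixes it treats as suspicious, and the function names are my own construction, intended for triaging mail attachments rather than as a complete detector.

```python
"""Flag Word (.docx) files carrying an embedded ActiveX Flash object.

Added example, not part of the original article. A .docx is an OOXML zip;
ActiveX control definitions live under word/activeX/ and name the control
by CLSID, so a Flash control can be spotted without parsing the exploit.
"""
import io
import zipfile

# CLSID registered by the Shockwave Flash ActiveX control (ShockwaveFlash.ShockwaveFlash).
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
# SWF files begin with FWS (uncompressed), CWS (zlib) or ZWS (LZMA).
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
# Package locations where embedded objects or control data are stored (heuristic).
EMBED_PREFIXES = ("word/embeddings/", "word/media/", "word/activex/")


def scan_docx(data: bytes) -> list[str]:
    """Return findings for the .docx bytes; an empty list means nothing was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            content = zf.read(name)
            if lower.startswith("word/activex/") and lower.endswith(".xml"):
                # ax:classid="{...}" may be mixed case, so compare upper-cased text.
                if FLASH_CLSID in content.decode("utf-8", "ignore").upper():
                    findings.append(f"{name}: ActiveX control with Flash CLSID")
            elif lower.startswith(EMBED_PREFIXES) and content[:3] in SWF_MAGIC:
                findings.append(f"{name}: embedded SWF ({content[:3].decode()})")
    return findings


def build_sample_docx(with_flash: bool) -> bytes:
    """Construct a minimal .docx-like package (constructed sample, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            zf.writestr("word/activeX/activeX1.xml",
                        f'<ax:ocx ax:classid="{{{FLASH_CLSID.lower()}}}"/>')
            # Constructed SWF stub: header only, no real movie content.
            zf.writestr("word/media/movie1.swf", b"FWS\x0a" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("benign", build_sample_docx(False)), ("flash", build_sample_docx(True))):
        print(label, scan_docx(doc) or ["clean"])
```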
Adobe reports that the vulnerable versions of its Flash Player are 18.104.22.168 for Windows, Mac, Linux, and Google Chrome and 1127.0.0.130 for Internet Explorer 11 (Windows 8.1 and 10) and Microsoft Edge. To protect systems against attack, Flash should either be disabled, removed, or updated to the latest version – v22.214.171.124.
According to Kaspersky, which has been tracking Black Oasis attacks, the hacking group’s previous targets have been based in Afghanistan, Angola, Bahrain, Iran, Iraq, Jordan, Libya, Nigeria, Russia, Saudi Arabia, the Netherlands, Tunisia, and the United Kingdom. Black Oasis has been using at least 5 different zero-day exploits.
Black Oasis is targeting the military, governments, political figures, and activists, but now that the update has been announced, other attackers are likely to attempt to exploit the flaw and use it to deliver malware to businesses and consumers. It is therefore essential that the patch is applied to keep systems secure.