Recent reports have unveiled the resurgence of FinSpy, a notorious surveillance malware, which is now targeting high-profile users via a fresh Adobe Flash zero-day exploit embedded within Microsoft Office documents. This significant threat was uncovered by security experts from Kaspersky Labs, who identified a vulnerability in Adobe Flash that is currently being exploited by a sophisticated group of threat actors known as BlackOasis.

The newly disclosed vulnerability, tracked as CVE-2017-11292, is a critical type confusion flaw that allows remote code execution. It specifically impacts Flash Player version 21.0.0.226 across various platforms, including Windows, macOS, Linux, and Chrome OS. The flaw is particularly alarming in business environments, where Flash Player may be widely deployed.

Notably, BlackOasis is the same group linked to exploiting a previous zero-day vulnerability, CVE-2017-8759, identified by FireEye researchers in September 2017. The command and control servers utilized in the recent attacks leveraging CVE-2017-11292 mirror those previously associated with CVE-2017-8759, underscoring a persistent threat landscape for organizations reliant on these technologies.

The targets of these attacks span multiple nations, including Russia, Iraq, Afghanistan, Nigeria, and several other countries, exposing the international reach of BlackOasis. This latest incident marks at least the fifth zero-day exploit reportedly used by this group since June 2015, highlighting their sustained focus on penetrating advanced security defenses.

Delivery of the exploit occurs primarily through Microsoft Word documents attached to phishing emails. Within these documents resides an ActiveX object designed to exploit the Flash vulnerability. Once activated, this exploit deploys the FinSpy malware as the primary payload, allowing attackers to gain extensive access to the victim's system.

According to Kaspersky researchers, the Flash object in these documents contains ActionScript that unpacks the exploit using a packer seen in prior FinSpy campaigns. Once on the system, FinSpy's capabilities include live surveillance via webcams and microphones, logging keystrokes, intercepting calls on platforms like Skype, and stealing sensitive files, posing grave risks to organizations and individuals alike.
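As an added defender-side example (not code from this article or the Kaspersky report), the following Python script scans an OOXML document for the delivery indicators described above: an ActiveX part that references the well-known ShockwaveFlash control CLSID, and any part that begins with an SWF file header. The sample document is constructed inline and contains no exploit; only the two markers are present.

```python
import io
import re
import zipfile

# Well-known CLSID of the ShockwaveFlash ActiveX control, and the three
# SWF header magics (uncompressed, zlib-compressed, LZMA-compressed).
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
CLSID_RE = re.compile(re.escape(FLASH_CLSID).encode(), re.IGNORECASE)


def scan_ooxml(data: bytes) -> list:
    """Return one finding string per suspicious part in a .docx/.xlsx/.pptx blob."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            # Any zip part starting with an SWF header is embedded Flash content.
            if blob[:3] in SWF_MAGICS:
                findings.append(f"{name}: embedded SWF ({blob[:3].decode()})")
            # ActiveX descriptors (word/activeX/*.xml) carry the control CLSID.
            if CLSID_RE.search(blob):
                findings.append(f"{name}: references ShockwaveFlash CLSID")
    return findings


def build_sample(with_flash: bool) -> bytes:
    """Constructed minimal .docx-like zip for demonstration (hypothetical, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            # Descriptor naming the Flash control, plus a part with a CWS (zlib SWF) header.
            zf.writestr("word/activeX/activeX1.xml",
                        f'<ax:ocx ax:classid="{{{FLASH_CLSID}}}"/>')
            zf.writestr("word/activeX/activeX1.bin", b"CWS\x0f" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_ooxml(build_sample(True)):
        print(hit)
```

Legacy binary .doc files are OLE compound documents rather than zips, so this check does not cover them; the same CLSID and SWF-header tests apply to their embedded streams.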

The planning involved in this attack aligns with the MITRE ATT&CK framework, specifically tactics such as initial access through phishing, persistence via malware installation, and privilege escalation once the exploit is successful. This structured approach underscores the systematic nature of malware deployment within enterprise environments.

In light of these findings, Kaspersky reported the vulnerability to Adobe, prompting the release of patches in versions 27.0.0.159 and 27.0.0.130 of Adobe Flash Player. Organizations globally are urged to implement these updates without delay. Furthermore, Microsoft is expected to release a security patch for the Flash Player components used in its products, reinforcing the critical need for businesses to keep their software up to date.

As businesses become increasingly aware of these risks, proactive measures to secure systems against such vulnerabilities are imperative. The potential for exploitation through well-crafted phishing emails remains a salient threat, necessitating the vigilant updating of software and employee training on recognizing suspicious communications. In a rapidly evolving cybersecurity landscape, the vigilance of organizations will be crucial in mitigating these types of attacks.
