On Wednesday, December 5, 2018, Adobe issued an update to correct a vulnerability in Adobe Flash Player. The vulnerability had been identified in late November by Gigamon, held network visibility and traffic monitoring technology vendor.
Qihoo 360, a Chinese internet security company, recently discovered an advanced persistent threat campaign that was exploiting the vulnerability in Adobe’s software. The vulnerability was being exploited by a threat group in targeted attacks in Russia. The threat group is known to have attacked a Russian state healthcare clinic.
“Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS,” Adobe said in its release. “These updates address one critical vulnerability in Adobe Flash Player and one important vulnerability in Adobe Flash Player installer. Successful exploitation could lead to arbitrary code-execution and privilege-escalation in the context of the current user respectively.”
The vulnerability is being exploited using a specially crafted Word document which is being distributed using a spear phishing campaign. The campaign is highly targeted; however, it is possible that other threat groups may attempt to exploit the same vulnerability in larger, less-targeted campaigns. Evidence of such attacks is yet to be found.
The spear phishing campaign used social engineering techniques to fool the recipient into opening a malicious Word document that masqueraded as an employee questionnaire. The document was sent as a .rar attachment to the email, with the compressed file containing the document, the exploit, and the payload. The Word document contained a malicious Flash Active X control in the header.
Upon opening the document, the user is presented with a Microsoft Office warning that the document may be harmful to the computer. If the content is enabled, malicious code will be executed, the vulnerability will be exploited, and the attacker will gain command line access to the user’s system.
The payload, called backup.exe masquerades as an NVIDIA Control Panel application with a matching icon and (stolen) certificate. If the payload is executed, system information will be collected which will be sent back to the attacker’s remote server via HTTP POST. Shell code will also be downloaded and run on the infected device.
The vulnerability, tracked as CVE-2018-15982, is present in version 18.104.22.168 and all earlier versions of Adobe Flash Player Desktop Runtime, Adobe Flash Player for Google Chrome, and Adobe Flash Player for Microsoft Edge and Internet Explorer 11. Versions 22.214.171.124 and earlier of Adobe Flash Player Installer also have the vulnerability.
Users are advised to update to version 126.96.36.199 (Version 188.8.131.52 of Adobe Flash Player Installer) as soon as possible. The update also fixes the Insecure Library Loading (DLL hijacking) privilege escalation vulnerability CVE-2018-15983.