Last week software giant Adobe issued a new patch for Flash Player to address an actively exploited weakness (CVE-2017-11292) that is being targeted by the hacking group Black Oasis to install FinSpy malware.
Finspy is strictly not defined as malware, it is a legitimate software program developed by the German software company Gamma International. However, it can be used for many purposes including many malware-like functions.
FinSpy is surveillance software that is used for spying. The software has been widely used by governments and law enforcement agencies to obtain intelligence on criminal groups as well as foreign governments. It seems that Black Oasis is focusing on military and government groups by leveraging this Adobe zero-day flaw to deliver FinSpy malware.
To date, Black Oasis has used the Adobe Flash Player zero-day flaw to complete at least one FinSpy malware attack. That attack was discovered by anti-virus firm Kaspersky Lab, which alerted Adobe to the flaw.
CVE-2017-11292 is a memory corruption weakness which was exploited via spam email using a Word document that held an embedded Active X object containing the Flash exploit. While this attack used FinSpy malware, the attack method could be used to implement any number of different malware and ransomware variants.
Adobe says that the versions of its Flash Player that could be exploited are 220.127.116.11 for Windows, Mac, Linux, and Google Chrome and 1127.0.0.130 for Internet Explorer 11 (Windows 8.1 and 10) and Microsoft Edge. To safeguard systems against attack, Flash should either be turned off, taken off or updated to the most recent version – v18.104.22.168.
Kaspersky, which has been monitoring Black Oasis attacks, believes the hacking group’s previous targets have been located in Afghanistan, Angola, Bahrain, Iran, Iraq, Jordan, Libya, Nigeria, Russia, Saudi Arabia, the Netherlands, Tunisia and the United Kingdom. Black Oasis have been employing at least 5 different zero-day exploits.
While Black Oasis is focusing on the military, governments and political figures and activists, now that news of the update has been issued, it is likely that other individuals will try to exploit the flaw and use it to deliver malware to businesses and consumers. It is crucial that that the latest patch is downloaded to keep systems secure.