Adobe has issued a new update for Flash Player to tackle an actively exploited flaw (CVE-2017-11292) that is being used by the hacking group Black Oasis to send out FinSpy malware.
Finspy is not malware as you would expect, it is a legitimate software program developed by the German software company Gamma International. However, its capabilities include a variety of malware-like functions.
As the name implies, FinSpy is surveillance software that is employed for espionage. The software has been extensively deployed by governments and law enforcement agencies to collect intelligence on criminal organizations as well as foreign governments. It seems that Black Oasis is targeting military and government organizations by leveraging this Adobe zero-day weakness to deliver FinSpy malware.
To date, Black Oasis has used the Adobe Flash Player zero-day flaw to complete at least one FinSpy malware attack. That attack was discovered by anti-virus firm Kaspersky Lab, which made Adobe wise to the flaw.
CVE-2017-11292 is a memory corruption vulnerability which was exploited via spam email using a Word document with an embedded Active X object including the Flash exploit. While this cyberattack involved FinSpy malware, the attack style could be used to broadcast any number of different malware and ransomware variants.
Adobe has revealed that the vulnerable versions of its Flash Player are 22.214.171.124 for Windows, Mac, Linux, and Google Chrome and 1127.0.0.130 for Internet Explorer 11 (Windows 8.1 and 10) and Microsoft Edge. To protect systems against cyberattack, Flash should either be turned off, removed, or updated to the most recent version – v126.96.36.199.
Kaspersky, which has been tracking Black Oasis attacks, has announced that the hacking group’s previous targets have been based in Afghanistan, Angola, Bahrain, Iran, Iraq, Jordan, Libya, Nigeria, Russia, Saudi Arabia, the Netherlands, Tunisia, and the United Kingdom. Black Oasis have been utilizing at least 5 different zero-day exploits.
While Black Oasis is focused on the military, governments, and political figures and activists, now that reports that the update has been issued, it is likely that other players will try to exploit the flaw and use it to broadcast malware to businesses and consumers. It is therefore vitally important that the patch is applied to keep systems safe from attack.