A couple days after Microsoft warned users about a new vulnerability in Internet Explorer that’s being used in targeted attacks, Adobe on Monday said that researchers have discovered a zero day in Flash, as well, which attackers are using to target victims in Syria through a watering hole attack on a compromised Syrian government site.
The Adobe Flash zero day was first identified in early April by researchers at Kaspersky Lab, who say that there are at least two separate exploits in use right now.
The site apparently was compromised in September and hasn’t been cleaned.
“Both the exploits detected by us spread from a site located at http://jpic.gov.sy/. The site was launched back in 2011 by the Syrian Ministry of Justice and was designed as an online forum for citizens to complain about law and order violations. We believe the attack was designed to target Syrian dissidents complaining about the government,” Vyacheslav Zakorzhevsky, head of the vulnerability research group at Kaspersky Lab, wrote in an analysis of the Flash CVE-2014-0515 vulnerability.
“When we entered the site, the installed malware payloads were already missing from the “_css” folder. We presume the criminals created a folder whose name doesn’t look out of place on an administration resource, and where they loaded the exploits. The victims were probably redirected to the exploits using a frame or a script located at the site. To date, April 28, the number of detections by our products has exceeded 30. They were detected on the computers of seven unique users, all of them in Syria, which is not surprising considering the nature of the site. Interestingly, all the attacked users entered the website using various versions of Mozilla Firefox.”
Adobe has issued a patch for the vulnerability, and is encouraging users on Windows and OS X to update immediately. The current attacks target Windows users, but that could change.
There are two exploits for the CVE-2014-0515 vulnerability, and Zakorzhevsky said that both exploits come in the form as unpacked video files. Kaspersky Lab first received the exploit samples in the second week of April, but data shows that customers first began seeing exploit attempts several days earlier.
“According to KSN data, these exploits were stored as movie.swf and include.swf at an infected site. The only difference between the two pieces of malware is their shellcodes. It should be noted that the second exploit (include.swf) wasn’t detected using the same heuristic signature as the first, because it contained a unique shellcode,” Zakorzhevsky said.
“As is usually the case with this kind of exploit, the first stage is a heap spray – preparing the dynamic memory for exploitation of the vulnerability. The exploits are also designed to check the OS version – if Windows 8 is detected, a slightly modified byte-code of the Pixel Bender component is used.”
One of the exploits searches for a specific Cisco extension that’s related to the company’s MeetingPlace software. If that extension isn’t present, the exploit won’t work.
“We are sure that all these tricks were used in order to carry out malicious activity against a very specific group of users without attracting the attention of security solutions. We believe that the Cisco add-in mentioned above may be used to download/implement the payload as well as to spy directly on the infected computer,” Zakorzhevsky said.
Researchers believe that the operation and the exploits are likely the work of high-level attackers. At this point, Kaspersky Lab has only seen about 30 infection attempts using these exploits.
“It’s likely that the attack was carefully planned and that professionals of a pretty high caliber were behind it. The use of professionally written 0-day exploits that were used to infect a single resource testifies to this,” Zakorzhevsky said.