Adobe today released an out-of-band patch for a Flash Player zero-day vulnerability being used in targeted attacks by an APT gang known for its storehouse of exploits targeting unpatched browser-based vulnerabilities.
The group, named by FireEye as APT3 and responsible for the so-called Clandestine Fox operation, has been exploiting the latest Flash zero day since early this month via phishing emails targeting aerospace and defense, construction and engineering, high tech, telecommunications, and transportation organizations.
Adobe said Flash Player 18.0.0.161 and earlier for Windows and Macintosh systems are affected, as is Flash Player 11.2.202.466 for Linux 11.x versions.
Last year, targeted attacks were uncovered that used Internet Explorer zero days that worked against the browser as far back as IE 6 on Windows XP machines. The publicly known attacks, however, were used against IE 9-11 and targeted the defense and financial sectors. Microsoft addressed the problem with an out-of-band patch of its own.
The current iteration of Clandestine Fox attacks shares many traits with last year’s attacks, including generic, almost spam-like phishing emails intent on snaring as many victims as possible that can be analyzed for their value before additional attacks are carried out. The two campaigns also share the same custom backdoor called SHOTPUT, as well as an insistence on using a throwaway command and control infrastructure, said Mike Oppenheim, FireEye intel operations manager.
Oppenheim said APT3, which has been linked to China based on the organizations it targets and the types of data it steals from them, has been caught fairly early on in this campaign, but victims that were exploited before the availability of today’s patch remain at risk.
“Any time one of these groups is using a zero day and casting such a wide net, it’s pretty significant, especially since the activity started in early June and a patch was not released until today,” Oppenheim said. “That’s a big window, and possibly tons of victims affected.”
Oppenheim said FireEye privately notified Adobe two weeks ago.
“For victims that have been exploited, they are fast to move,” Oppenheim said. “If you’ve already been exploited, they are already moving along with lateral movement in the network, grabbing credentials and dropping more backdoors.”
APT3, Oppenheim said, targets intellectual property, in particular industrial types of information and documents from compromised systems. The use of spam-like phishing emails—most of the current campaign is using messaging related to discounted Apple devices—allows APT3 to target multiple people in the organization. The emails contain links to attacker-controlled websites where the Flash exploit is downloaded quietly onto a victim’s machine, as is the backdoor for moving data and dropping additional malware.
“With that, it only takes one person to click on the link to get access to the network,” Oppenheim said. “Unfortunately, there are still users who fall for this stuff.”
A report published today by FireEye explains that once a victim clicks on the link, they are redirected to a compromised server hosting JavaScript profiling scripts. Once the host is profiled, the malicious Flash file is downloaded. The exploit, FireEye said, abuses the way Flash parses Flash Video (FLV) files. It bypasses memory-based protections such as address space layout randomization (ASLR), and it also uses return-oriented programming (ROP) to bypass data execution prevention (DEP).
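One way a defender could hunt for the infection chain described above (link click, redirect to a compromised server, JavaScript profiling, then an SWF download) in web proxy logs, written as an added example for this article and not FireEye's or Adobe's code; the log format, host names and 120-second window are assumptions, and the log lines are constructed:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log (not from the article): time client method url status content-type
SAMPLE_LOG = """\
2015-06-23T09:14:02 10.0.0.5 GET http://mail.example.test/promo 302 text/html
2015-06-23T09:14:04 10.0.0.5 GET http://compromised.example.test/profile.js 200 application/javascript
2015-06-23T09:14:06 10.0.0.5 GET http://compromised.example.test/movie.swf 200 application/x-shockwave-flash
2015-06-23T09:20:00 10.0.0.7 GET http://cdn.example.test/app.js 200 application/javascript
2015-06-23T09:20:05 10.0.0.7 GET http://cdn.example.test/player.swf 200 application/x-shockwave-flash
"""

# Assumed line layout: ISO timestamp, client IP, method, URL, HTTP status, content type
LINE_RE = re.compile(r"^(\S+) (\S+) \S+ (https?://([^/\s]+)\S*) (\d{3}) (\S+)$")

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # line does not match the assumed format
    ts, client, url, host, status, ctype = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client, "url": url,
            "host": host, "status": int(status), "ctype": ctype}

def find_exploit_chains(log_text, window=timedelta(seconds=120)):
    """Flag (client, host, swf_url) when one client follows a redirect (3xx) off the link's
    host, fetches JavaScript from a new host, then an SWF from that same host, within `window`."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_client[rec["client"]].append(rec)
    hits = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, redirect in enumerate(recs):
            if not 300 <= redirect["status"] < 400:
                continue
            js_hosts = set()  # hosts that served JavaScript after this redirect
            for later in recs[i + 1:]:
                if later["ts"] - redirect["ts"] > window:
                    break
                if later["host"] == redirect["host"]:
                    continue  # still on the link's own host, not the redirect target
                if "javascript" in later["ctype"]:
                    js_hosts.add(later["host"])
                elif later["ctype"] == "application/x-shockwave-flash" and later["host"] in js_hosts:
                    hits.append((client, later["host"], later["url"]))
    return hits
```

Requiring the preceding redirect keeps ordinary sites that serve JavaScript and then an SWF (client 10.0.0.7 above) from being flagged, but the result is a lead to triage, not proof of compromise.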
“A neat trick to their ROP technique makes it simpler to exploit and will evade some ROP detection techniques,” FireEye explained in its report. “Shellcode is stored in the packed Flash exploit file alongside a key used for its decryption. The payload is xor encoded and hidden inside an image.”
In May 2014, Microsoft was forced to release an out-of-band patch for Internet Explorer to counter then-active attacks against a zero day used by APT3. Organizations in the defense, financial, government and energy sectors were targets in those campaigns; a remote access Trojan known as Pirpi was being dropped on machines, according to Kaspersky Lab.