Adobe rushed out an unscheduled Flash Player update today to counter exploits of a zero-day vulnerability in the software.
A number of national security, foreign policy and public policy websites are hosting exploits that redirect to espionage malware, including the Peter G. Peterson Institute for International Economics, the American Research Center in Egypt and the Smith Richardson Foundation.
Those three nonprofit sites, researchers at FireEye said, are redirecting visitors to an exploit server hosting variants of the PlugX remote access Trojan. FireEye calls the campaign Operation GreedyWonk.
“This threat actor clearly seeks out and compromises websites of organizations related to international security policy, defense topics, and other non-profit sociocultural issues,” FireEye wrote in an advisory today. “The actor either maintains persistence on these sites for extended periods of time or is able to re-compromise them periodically.”
The hackers behind this campaign have resources that include access to Flash and Java zero-day exploits, FireEye said. They are targeting visitors who use these websites as a resource and those visitors are likely government or embassy employees who are at risk for data loss.
Adobe’s update today is for Flash Player 126.96.36.199 and earlier for Windows and Macintosh, and Flash 188.8.131.526 for Linux. CVE-2014-0502 has been assigned to this vulnerability. FireEye said that the exploit targets Windows XP users, as well as Windows 7 users running an unsupported version of Java (1.6) or out of date versions of Microsoft Office 2007 or 2010. The vulnerability enables someone to remotely overwrite the vftable pointer of a Flash object to redirect code execution.
The exploit is using the Adobe Flash vulnerability to bypass ASLR and DEP protections native to Windows. It does so by building or using hard-coded return-oriented programming chains in XP and Windows 7 respectively. Upgrading to the latest versions of Java (1.7) or Office will mitigate the threat, but not patch the underlying vulnerability, FireEye said.
“By breaking the exploit’s ASLR-bypass measures, they do prevent the current in-the-wild exploit from functioning,” FireEye said.
The hackers are installing the PlugX/Kaba RAT on infected computers; the sample FireEye reported was found on Feb. 13 and compiled the day before, an indication it was purpose-built for these targets. The RAT calls out to three command and control domains, one of which, wmi.ns01[.]us, has been used in other campaigns involving PlugX and the Poison Ivy RAT. Some of the older Poison Ivy samples were found in attacks involving Flash exploits and similar defense and policy websites, including the Center for Defense Information and another using a Java exploit against the Center for European Policy Studies.
Today’s out of band patch is the second one for Flash this month.