Flash Vulnerability Gave Chinese Hackers Free Access to Networks

The Chinese hacker group APT3 is known in the security industry for its previous large-scale attacks. The group's last big campaign, dubbed Operation Clandestine Fox, was a smashing success that relied on something most people visiting this website will find absurd: people using Internet Explorer.

As of that time, as much as 25% of people on the Internet were still using the notoriously insecure browser. Indeed, large organizations still use Internet Explorer, and these are the kinds of targets that APT3 goes after. Now, in a potentially much bigger attack called "Operation Clandestine Wolf," APT3 has found a vulnerability in Adobe Flash Player which gives it essentially unlimited access via a simple link embedded in a spear phishing e-mail. Such a link follows this structure: hxxp://<subdomain>.<legitdomain>.<TLD>/<directory>/<alphanumericID>.html

Ultimately, a carefully layered and packaged GIF file would be executed, and once it had sneaked past, the malware would be unpacked and run. After this point, lots of digital jiu-jitsu would take place, all with the purpose of gaining full access to the network. The attack is being taken very seriously because of the industries the phishing attacks seem to have targeted: aerospace, defense, telecommunications, and transportation, among others. All of these industries play a vital role in the national defense of any country, and the United States is no exception.

One of the interesting things about this attack is its complexity. Before the malware is downloaded, for instance, the machine visiting the link is profiled by a set of JavaScript scripts served from an attacker-owned server. This helps the attackers in two ways: first, it keeps the size of the malware small, since they can send a version tailored to each system rather than a one-size-fits-all build that goes to all systems. Second, it gives them metrics on the scope of their infiltration. In one case documented by FireEye, the group had used false advertising for older iMac hardware that supposedly included the same warranty as new models.


Adobe has Patched the Vulnerability

Adobe released a patch for Flash Player, which closed the vulnerability within days of learning of it. This does not necessarily mean that those who’ve installed the patches have not already been infected. An ongoing attack could be taking place at various organizations in very important industries, with intellectual property and sensitive communications being retrieved wholesale by the group.

That includes credentials that are valid elsewhere in those industries. All organizations which allow the use of Flash Player on their network are advised both to update Flash Player and to run as many diagnostics as possible on the network, specifically looking for evidence of unauthorized access.
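One concrete place to start such a hunt is the web proxy log, searching for requests that match the link shape quoted above. The script below is an added example, not code from the article or from FireEye; the log lines are constructed, and the exact rules for "subdomain", "directory" and "alphanumeric ID" are my assumptions about that pattern.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the article or from any real incident):
# "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2015-06-23T09:14:02Z 10.1.4.17 GET http://updates.example-corp.com/assets/a8f3k2z9q1.html 200
2015-06-23T09:14:03Z 10.1.4.17 GET http://updates.example-corp.com/assets/profile.js 200
2015-06-23T09:15:40Z 10.1.4.22 GET http://www.example-news.com/world/2015/06/story.html 200
2015-06-23T09:16:11Z 10.1.4.31 GET http://mail.example-corp.com/inbox 200
2015-06-23T09:17:05Z 10.1.4.40 GET http://cdn.example-host.net/x/Zq91kd83bB.html 200
"""

# Link shape from the article: hxxp://<subdomain>.<legitdomain>.<TLD>/<directory>/<alphanumericID>.html
# Assumed interpretation: host has at least three labels, the path is exactly one
# directory segment followed by an opaque alphanumeric name ending in .html.
LINK_SHAPE = re.compile(
    r"^https?://(?P<host>[a-z0-9-]+(?:\.[a-z0-9-]+){2,})"
    r"/(?P<dir>[a-z0-9_-]+)/(?P<id>[a-z0-9]{6,})\.html$",
    re.IGNORECASE,
)

def looks_like_opaque_id(s):
    """Require both letters and digits so ordinary names like 'story' or 'index' do not match."""
    return any(c.isalpha() for c in s) and any(c.isdigit() for c in s)

def parse_line(line):
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}

def find_suspicious(log_text):
    """Return URLs matching the described link shape, grouped by host, with the client that hit each."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        m = LINK_SHAPE.match(rec["url"])
        if m and looks_like_opaque_id(m.group("id")):
            hits[m.group("host")].append((rec["client"], rec["url"]))
    return dict(hits)

if __name__ == "__main__":
    for host, entries in find_suspicious(SAMPLE_LOG).items():
        print(host)
        for client, url in entries:
            print("   ", client, url)
```

The shape alone is not proof of compromise, since plenty of legitimate sites use similar paths; treat the output as a list of hosts and clients to triage against the Flash patch level and other evidence, not as a blocklist.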

It seems that several times per year Flash Player is turned into an open gate for hackers with a bad agenda. With the introduction of HTML5, Flash became largely unnecessary, but it has not yet reached the point where a user can have a seamless web experience without it. However, organizations which do not directly require Flash Player are encouraged to move away from it altogether. The same goes for all unneeded software, as a general security principle.



Website: http://phm.link

P. H. Madore has covered the cryptocurrency beat over the course of hundreds of articles for Hacked's sister site, CryptoCoinsNews, as well as some of its competitors. He is a major contributing developer to the Woodcoin project, and has made technical contributions on a number of other cryptocurrency projects. In his spare time, he recently began a more personalized weekly newsletter at http://ico.phm.link