Attackers are exploiting a critical vulnerability in Adobe's widely used Flash Player, and Adobe says it won't have a patch ready until later this week.
The active zero-day exploit works against the most recent Flash version 22.214.171.124 and was detected earlier this month by researchers from antivirus provider Kaspersky Lab, according to a blog post published Tuesday by Costin Raiu, the director of the company's global research and analysis team. It's being carried out by "ScarCruft," the name Kaspersky has given to a relatively new hacking group engaged in "advanced persistent threat" campaigns that target companies and organizations for high-value information and data. Raiu wrote:
ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits—two for Adobe Flash and one for Microsoft Internet Explorer.
Currently, the group is engaged in two major operations: Operation Daybreak and Operation Erebus. The first of them, Operation Daybreak, appears to have been launched by ScarCruft in March 2016 and employs a previously unknown (0-day) Adobe Flash Player exploit, focusing on high profile victims. The other one, “Operation Erebus” employs an older exploit, for CVE-2016-4117 and leverages watering holes. It is also possible that the group deployed another zero day exploit, CVE-2016-0147, which was patched in April.
We will publish more details about the attack once Adobe patches the vulnerability, which should be on June 16. Until then, we confirm that Microsoft EMET is effective at mitigating the attacks. Additionally, our products detect and block the exploit, as well as the malware used by the ScarCruft APT threat actor.
The currently unfixed vulnerability is indexed as CVE-2016-4171. Adobe has published a bare-bones advisory.
Windows users woke up to something that doesn't happen every day: the disclosure of two zero-day vulnerabilities, one in the Microsoft operating system and the other in Adobe's Flash Player.
The Windows bug is being actively exploited in the wild, making it imperative that users install fixes that Microsoft released today as part of its May Patch Tuesday. Cataloged as CVE-2016-0189, the security flaw allows attackers to surreptitiously execute malicious code when vulnerable computers visit booby-trapped websites. In the days or weeks leading up to Tuesday, it has been exploited in targeted attacks on South Korean websites, according to a blog post published by security firm Symantec. Technically, the vulnerability resides in the JScript and VBScript engines, but IE is the vehicle used to exploit it.
Separately, Adobe officials warned that a newly discovered Flash vulnerability also gives attackers the ability to remotely hijack machines. It was first reported by researchers from security firm FireEye, and exploits exist in the wild. Adobe said it planned to release an update as soon as Thursday.
Adobe has rushed out a Flash update to plug a security hole spotted by infosec researchers, who warned that Windows 10 users of the software may have been exposed to the flaw for more than a week.
Ne'er-do-wells could exploit the flaw by sending ransomware to Windows 10 machines. Adobe said its updates addressed critical vulnerabilities in Flash, and advised users to install the latest version of the software. It said in a security bulletin:
Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.
Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 10 and earlier with Flash Player version 126.96.36.1996 and earlier.
Researchers at Proofpoint, which has published a good explainer of the flaw, worked with other infosec folk to track down the latest security hole in Flash that could be exploited by attackers with a type of ransomware dubbed "Cerber." The ransomware is understood to have been in the wild since at least March 31.