A new Adobe Flash zero day exploit has been identified, reportedly used in an attack on 10 October by a threat actor known as BlackOasis and delivered through a Microsoft Word document to deploy the FinSpy commercial spyware.
According to Kaspersky Lab's global research and analysis team (GReAT) which found the zero day, CVE-2017-11292, it has been spotted in a live attack, and businesses and government organisations are advised to install the update from Adobe immediately. Kaspersky Lab has reported the vulnerability to Adobe, which has issued an advisory.
The researchers believe that the group behind the attack was also responsible for CVE-2017-8759, another zero day, reported in September.
FinSpy (FinFisher) is a commercial malware, typically sold to nation states and law enforcement agencies to conduct surveillance on local targets and has attracted the attention of civil liberties groups after being deployed by some repressive regimes. However, BlackOasis is using it against various targets globally, suggesting it is being deployed for global intelligence operations.
FinSpy uses multiple anti-analysis techniques to make forensic analysis more difficult. After installation it can exfiltrate data to its command and control servers in Switzerland, Bulgaria and the Netherlands.
Kaspersky Lab's assessment says that BlackOasis's interests include many involved in Middle Eastern politics, opposition bloggers and activists, as well as regional news correspondents. It says it also appears to have an interest in verticals of particular relevance to the region – which would suggest oil and gas. And in 2016, researchers report a heavy interest in Angola, with lure documents indicating targets with suspected ties to oil, money laundering and other activities. There is also an interest in international activists and think tanks.
BlackOasis targests have been based in Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, the Netherlands, Bahrain, United Kingdom and Angola.
Kaspersky Lab tends not to provide nation-state attribution to malware that it finds, however, Angola is a source of non-Arab oil for Israel, and an interest in the Middle East also points to Israel as one likely location for BlackOasis though various Arab countries also use FinSpy. Given that Israel is the source of stories about Kaspersky Lab products being used by Russian hackers to access NSA data – leading to a US government ban on their use, some observers may view the timing of this release as more than coincidental.
Anton Ivanov, the lead malware analyst at Kaspersky Lab commented in a press release: “The attack using the recently discovered zero-day exploit is the third time this year we have seen FinSpy distribution through exploits to zero-day vulnerabilities. Previously, actors deploying this malware abused critical issues in Microsoft Word and Adobe products. We believe the number of attacks relying on FinSpy software, supported by zero day exploits such as the one described here, will continue to grow.”
Kaspersky Lab advice to protect systems and data against this threat includes:
● If not already implemented, use the killbit feature for Flash software and, wherever possible, disable it completely.
● Implement an advanced, multi-layered security solution that covers all networks, systems and endpoints.
● Educate and train personnel on social engineering tactics as this method is often used to make a victim open a malicious document or click on an infected link.
● Conduct regular security assessments of the organisation's IT infrastructure.
● Kaspersky Lab's understandably advocates using its own threat intelligence –but the use of threat intelligence is nonetheless sound.