APT, Phishing

Flash exploits might signal APT activity

June 17, 2011

An Adobe Flash vulnerability that was fixed this week is being leveraged in targeted drive-by downloads and spear phishing attacks, according to the Shadowserver Foundation.

Researchers at the all-volunteer security intelligence group first learned of the exploits on June 9, five days before Adobe issued a patch for the flaw (in addition to updates for bugs in other products, including Reader, Acrobat and Shockwave Player).

"Virtually out of nowhere this just popped up," Shadowserver researcher Steven Adair told SCMagazineUS.com on Friday. "It has rapidly seemed to have made its way around."

Thanks to submissions by its partners, Shadowserver has learned that the exploit has been embedded on a number of legitimate websites, including ones belonging to a Korean news outlet, a Taiwanese university, an Indian government agency, aerospace companies and various "non-government organizations." Some of the victims are based in the United States.

In a hacker tactic known as a drive-by download, users can be infected simply by visiting one of these compromised sites, if they are running an out-of-date version of Flash in concert with a Windows machine.

The exploit also is spreading via spear phishing emails that contain lures attempting to persuade recipients to click on a malicious link that leads to a hacker-owned website hosting the exploit, Adair said. The U.S.-Taiwan Business Council, which helps develop trade relationships between the two countries, is just one organization that has received the socially engineered messages.

Because the attackers spreading this exploit seem to be picking on specific targets and are using customized payloads that are difficult to detect, they don't appear to be indiscriminate criminals, Adair said.

"It's looking more like APT (advanced persistent threat) activity," he said. "It doesn't look like they are mass blasting.

Adair said Flash attacks have been quite prevalent in recent months.

"What makes [this exploit] especially bad is it doesn't result in any crash," he said. "It all happens in the background. You can go about your business without seeing it happen."

An Adobe spokeswoman said the company is aware of the attacks underway.

"The only information we can provide is that there are reports that this vulnerability is being exploited in the wild in targeted attacks via malicious web pages," she told SCMagazineUS.com. "We cannot disclose any specific information about customers targeted."


prestitial ad