Adobe has belatedly rushed out patches for a zero-day security flaw in its widely used Flash Player that had been exploited by a cyber-espionage group based in China for weeks, according to security services specialist FireEye.
The group, identified as APT3 by FireEye, had used the vulnerability to attack high-tech companies in aerospace and defence, construction and engineering, IT and telecoms, indicating either an intent to steal valuable intellectual property to sell on or state espionage.
“This group is one of the more sophisticated threat groups that FireEye Threat Intelligence tracks, and they have a history of introducing new browser-based zero-day exploits (for example, Internet Explorer, Firefox, and Adobe Flash Player),” explained the company in a blog posting.
“After successfully exploiting a target host, this group will quickly dump credentials, move laterally to additional hosts, and install custom backdoors. APT3’s command and control (CnC) infrastructure is difficult to track, as there is little overlap across campaigns.”
“Once a target host was profiled, victims downloaded a malicious Adobe Flash Player SWF file and an FLV file, detailed below. This ultimately resulted in a custom backdoor known as SHOTPUT, detected by FireEye as ‘Backdoor.APT.CookieCutter’, being delivered to the victim’s system,” warn FireEye.
“The attack exploits an unpatched vulnerability in the way Adobe Flash Player parses Flash Video (FLV) files. The exploit uses common vector corruption techniques to bypass address space layout randomisation (ASLR), and uses return-oriented programming (ROP) to bypass data execution prevention (DEP). A neat trick to their ROP technique makes it simpler to exploit and will evade some ROP detection techniques.”
Last night, Adobe finally released a patch labelled CVE-2015-3113 to address the critical security issue and advised users to update their Flash versions for Windows, Apple Mac and Linux platforms.
Craig Young, a security researcher at Tripwire, suggested that part of the problem is Adobe Flash itself, a remnant of the 2000s so-called “Web 2.0” boom, which was supposed to bring more sophisticated interactivity to the web compared to the early static pages of the 1990s internet.
“Flash, along with ActiveX and Java are remnants of the 1990s ‘Web 2.0′ technology boom. The nature of these technologies allows attackers to run code directly on remote computers and revolutionised the attack surface of the internet,” said Young.
He continued: “There has been a constant barrage of vulnerabilities in all ‘Web 2.0′ technology, as well as a constant stream of ‘update’ messages to users. This has given way to a newer and very successful form of attack wherein the attacker spoofs an update message tricking users into downloading malware. These tricks can be particularly effective, as illustrated by the 2012 Flashback malware that exploited Java on roughly 600,000 Apple computers in the six weeks it took for Apple to respond with patches.”