RUSSIAN SECURITY COMPANY Kaspersky has been vindicated in its concerns about a new attack group called ScarCruft that is exploiting a vulnerability in bloody Adobe Flash that has yet to be patched.
Adobe has credited Kaspersky with the heads up on the gang, and the Russian firm explained that the vulnerability has earned a critical rating and is a threat on Windows, OS X, Linux, and Chrome OS.
This is bleak, but it could be worse. Adobe plans to issue a fix for the problem by 16 June, adding that an exploit for the CVE-2016-4171 problem is live and threatening.
“Adobe is aware of a report that an exploit for CVE-2016-4171 exists in the wild and is being used in limited targeted attacks,” said the firm. “Adobe will address this vulnerability in our monthly security update, which will be available as early as June 16.”
Kaspersky explained that it scans for this type of caper. “Earlier this month, we caught another zero-day Adobe Flash Player exploit deployed in targeted attacks. We believe these attacks are launched by an APT group we call ScarCruft,” the firm said.
“ScarCruft is a relatively new APT group, and victims have been observed in several countries. The group has several ongoing operations using multiple exploits, two for Adobe Flash and one for Microsoft Internet Explorer. Currently, the group is engaged in two major operations: Operation Daybreak and Operation Erebus.”
The first of these is the worst, presumably, because it goes after high-profile targets. The second is described as exploiting watering holes. It’s all bad, whichever way you look at it, and people are queuing up to point fingers at Adobe and Flash.
“Adobe has acknowledged that a vulnerability (CVE-2016-4171) in the current Flash player is being used in the wild and delayed the expected monthly Adobe Flash patch. The APSA16-03 advisory promises the patch for the end of this week,” said Wolfgang Kandek, CTO at security firm Qualys.
“Pay close attention to the release and address it as quickly as possible. This is the third month in a row that we are seeing a zero-day in Flash, making it the most targeted software on your organisation’s endpoints.”