The discovery was made by Qihoo 360 which on 29 November noticed a targeted APT (Advanced Persistent Threat) attack against a healthcare clinic used by Russian Government officials.
Codenamed “Operation Poison Needles” by Qihoo in honour of its medical theme, the attack uses a Word document mocked up to look like a job application questionnaire, with a Flash ActiveX control embedded inside it.
Targets receive a phishing email with an attached RAR archive containing the booby-trapped document, which executes the payload when opened.
The vulnerability, a use-after-free flaw, is now identified as CVE-2018-15982 and affects all Flash versions up to and including 184.108.40.206. Patching it on Windows, macOS, Linux and ChromeOS requires downloading 220.127.116.11.
For good measure, the patch applies a separate fix for CVE-2018-15983, a privilege escalation caused by insecure DLL loading.
It’s worth noting that Qihoo appears to have spotted it by way of their anti-malware clients, hence the confident designation as an APT connected to the conflict between Ukraine and Russia.
ATR speculates that the attack’s “tradecraft and techniques” might connect the latest campaign in some way to the Italian freelancers, Hacking Team, which infamously had a lot of its tools stolen in a 2015 attack.
It’s true that the use of zero-day Flash exploits embedded inside Word documents looks like a calling card (see previous incidents), but this could also simply mean that attackers who got hold of the cache of Hacking Team goodies have saved them up for special occasions.
Naked Security has covered a regular drip (or even a flood) of vulnerabilities and live attacks exploiting Flash in recent times, and they will almost certainly continue their march until the software is gone once and for all. As Gigamon writes:
Although the death of Flash has been widely reported thanks to industry efforts to deprecate and remove Flash from web browsers, vectors such as Microsoft Office remain able to load and execute Flash content.
Our recommendation: remove it from your operating system before deactivating it in browsers that still give you the choice to allow it (Chrome and Edge).
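To illustrate the Office vector Gigamon describes, here is a small defensive check (example code added for this article, not from Qihoo, Gigamon or Sophos) that scans an OOXML Word document for the Shockwave Flash ActiveX class id or for embedded SWF data. The sample document is constructed inline; the class id is the control's well-known COM identifier, while the part names used in the sample are assumptions.

```python
import io
import zipfile

# Well-known COM class id of the Shockwave Flash ActiveX control.
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
# Magic bytes of uncompressed, zlib-compressed and LZMA-compressed SWF files.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def find_flash_indicators(docx_bytes):
    """Return sorted (part name, reason) pairs for every part of an OOXML
    package that references the Flash control or carries SWF data."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.lower().endswith(".xml"):
                # ActiveX control parts (e.g. word/activeX/activeX1.xml)
                # are XML that names the control's classid.
                text = data.decode("utf-8", errors="ignore")
                if FLASH_CLSID.lower() in text.lower():
                    hits.append((name, "flash-activex-clsid"))
            elif data[:3] in SWF_MAGICS:
                # Binary parts (.bin streams, embeddings) may hold the SWF itself.
                hits.append((name, "swf-magic"))
    return sorted(hits)


def build_sample_docx(with_flash):
    """Constructed minimal OOXML package for testing; not a real attack file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            # Assumed part names; the classid attribute mirrors Word's ax:ocx form.
            zf.writestr("word/activeX/activeX1.xml",
                        '<ax:ocx ax:classid="{%s}"/>' % FLASH_CLSID.lower())
            zf.writestr("word/media/embedded1.bin", b"CWS\x0a" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("flash", True)):
        print(label, find_flash_indicators(build_sample_docx(flag)))
```

Run over a directory of incoming attachments, any non-empty result is worth quarantining for review, since a legitimate questionnaire has no business carrying Flash.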
Presumably (and hopefully), organisations and individuals continuing to use something scheduled to expire forever in 2020 do so for a good reason. But whatever that reason may be, as with previous patches and out-of-band updates, the latest Flash zero-day is a reminder to all to move on and stop living so dangerously.
John E Dunn