Adobe Systems released an emergency patch for a critical vulnerability in Flash Player that was being exploited in the wild through Microsoft Word documents to infect computers with a known surveillance tool.
The vulnerability, tracked as CVE-2017-11292, can lead to remote code execution and was fixed in Flash Player 220.127.116.11 for all supported platforms. The Flash Player builds bundled with Google Chrome and Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1 will be updated automatically through those browsers’ update mechanisms.
However, in many enterprise environments automatic updates are disabled and patches are scheduled for deployment by administrators. In such cases, it’s very important to prioritize this patch because the vulnerability is already known to attackers.
The flaw was reported to Adobe by researchers from Kaspersky Lab who found it being used in an active malicious campaign. The attack analyzed by Kaspersky was perpetrated by a group known as BlackOasis and its goal was to install FinSpy, a commercial surveillance tool used by governments and law enforcement agencies.
While it’s not clear who is behind BlackOasis, the group clearly has access to previously unknown zero-day vulnerabilities. Kaspersky has been tracking the group’s activities since May 2016, when it exploited an unpatched Flash Player vulnerability known as CVE-2016-4117. Going further back, there’s reason to believe the group used two other zero-day flaws—CVE-2015-5119 and CVE-2016-0984—in attacks in 2015.
“BlackOasis’ interests span a wide gamut of figures involved in Middle Eastern politics and verticals disproportionately relevant to the region,” the Kaspersky researchers said in a blog post. “This includes prominent figures in the United Nations, opposition bloggers and activists, and regional news correspondents. During 2016, we observed a heavy interest in Angola, exemplified by lure documents indicating targets with suspected ties to oil, money laundering and other illicit activities. There is also an interest in international activists and think tanks.”
FinSpy is a malware program that’s part of a surveillance suite of tools called FinFisher. The product’s developer, a company called Gamma International, markets and sells the tools to government and law enforcement agencies for surveillance operations.
The Kaspersky researchers have found a direct link between the new BlackOasis campaign exploiting CVE-2017-11292 and a different attack reported in September by FireEye that also distributed FinSpy. The September attack exploited yet another zero-day vulnerability, CVE-2017-8759, located in Microsoft’s .NET Framework.
Most of BlackOasis’ exploits are embedded into Microsoft Office documents and are crafted to lure targeted users into opening them.
While you might not be a target for BlackOasis in particular, the new attack should serve as a reminder that Microsoft Office documents support embedding many media formats, including Flash. This makes them a good delivery mechanism for exploits that target other applications or Windows components and means that simply keeping Microsoft Office up to date with its own security patches does not ensure Office documents can’t cause harm.
Publicly Exposed Cloud Instances Abused to Mine Cryptocurrency
Cloud storage repositories that have been left publicly exposed by their owners have recently resulted in several sensitive data leaks at major companies. In the past, insecure cloud-hosted databases have been targeted in ransomware attacks that wiped their data. It seems that attackers have now found a new way to abuse cloud misconfigurations: using paid-for computing resources to mine cryptocurrency.
Researchers from cloud security services provider RedLock found several unprotected Kubernetes administration consoles hosted on Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform that had been compromised and were being abused to mine Bitcoin. Kubernetes is a container orchestration tool used to automate the deployment and management of containerized applications. This means it has access to spawn additional cloud computing instances.
The RedLock team found vulnerable Kubernetes deployments from large international companies such as Aviva and Gemalto, Redlock said in a new report. In addition to being abused for Bitcoin mining, the containers also had access keys and secret tokens stored in clear text.
“The incident highlights the need for a holistic approach to security in the cloud,” RedLock said. “A combination of configuration, user activity and network activity monitoring is necessary to detect these complex threats in public cloud computing environments.”