Adobe has released an emergency update for Flash Player to fix a critical zero-day vulnerability that already has been used in targeted attacks by North Korean hackers.
News of the vulnerability broke last week with an alert from the South Korean Computer Emergency Response Team (KR-CERT) and follow-up confirmations from security companies that an exploit had been used in attacks involving malicious Microsoft Excel documents.
Flash Player 22.214.171.124, released Feb. 6, fixes the zero-day vulnerability identified as CVE-2018-4878 as well as a similar one called CVE-2018-4877 that was privately reported to Adobe through Trend Micro’s Zero Day Initiative program.
Both flaws are critical use-after-free memory errors and can lead to remote code execution, so users should update to the new Flash Player version as soon as possible. The Flash plug-in shipped with Google Chrome, Microsoft Edge and Internet Explorer 11 will be automatically updated through those browsers’ update mechanisms.
Researchers from security firm FireEye have analyzed the recent attacks using the new exploit and have attributed them to a known North Korean threat group tracked as TEMP.Reaper.
“Historically, the majority of their targeting has been focused on the South Korean government, military, and defense industrial base; however, they have expanded to other international targets in the last year,” the FireEye researchers said in a blog post. “They have taken interest in subject matter of direct importance to the Democratic People’s Republic of Korea (DPRK) such as Korean unification efforts and North Korean defectors.”
FireEye also warns that TEMP.Reaper has developed and is deploying disk-wiping malware on some of their targets, though there’s no evidence the group has used it to destroy data so far. North Korean hackers have launched disk-wiping attacks in the past against South Korean and international targets, including the attack that crippled Sony Pictures’ computer network in 2014.
Researchers from Cisco’s Talos group have also tracked the latest Flash Player zero-day exploit and attributed it to a threat actor they call Group 123. The payload of the attacks is a remote administration tool named ROKRAT that can be used to exfiltrate documents and manage infected systems.
“Group 123 have now joined some of the criminal elite with this latest payload of ROKRAT,” the Talos researchers said in a blog post. “They have used an Adobe Flash 0-day which was outside of their previous capabilities – they did use exploits in previous campaigns but never a net new exploit as they have done now. This change represents a major shift in Group 123s maturity level, we can now confidentially assess Group 123 has a highly skilled, highly motivated and highly sophisticated group.”
New Fix for Critical Cisco Firewall Vulnerability After More Attack Vectors Found
Cisco Systems has released a new fix for a critical vulnerability in the Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software that powers many of its firewall products.
The vulnerability was discovered by researchers from NCC Group and was announced by Cisco last week. The flaw can be exploited remotely by unauthenticated attackers by sending malicious XML payloads to affected devices and can result in malicious code execution. It has the maximum score of 10.0 on the CVSS severity scale.
On Feb. 5, Cisco’s Product Security Incident Response Team (PSIRT) announced that the company’s engineers had found additional attack vectors, as well as vulnerable ASA features that weren’t documented in the company’s initial security advisory.
“In addition, it was also found that the original list of fixed releases published in the security advisory were later found to be vulnerable to additional denial of service conditions,” Omar Santos, principal engineer with Cisco PSIRT, said in a blog post. “A new comprehensive fix for Cisco ASA platforms is now available.”
The vulnerable products include the 3000 Series Industrial Security Appliance (ISA), the ASA 5500 Series Adaptive Security Appliances, the ASA 5500-X Series Next-Generation Firewalls, the ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, the ASA 1000V Cloud Firewall, the Adaptive Security Virtual Appliance (ASAv), the Firepower 2100 Series Security Appliance, Firepower 4110 Security Appliance, Firepower 4120 Security Appliance, Firepower 4140 Security Appliance, Firepower 4150 Security Appliance, Firepower 9300 ASA Security Module, Firepower Threat Defense Software (FTD) and FTD Virtual.
The flaw is located in an XML parser that’s used by multiple ASA features, so devices are vulnerable depending on their configurations. The affected features include: Adaptive Security Device Manager (ASDM), AnyConnect IKEv2 Remote Access (with client services), AnyConnect IKEv2 Remote Access (without client services), AnyConnect SSL VPN, Cisco Security Manager, Clientless SSL VPN, Cut-Through Proxy, Local Certificate Authority (CA), Mobile Device Manager (MDM) Proxy, Mobile User Security (MUS), Proxy Bypass, REST API and Security Assertion Markup Language (SAML) Single Sign-On (SSO).
The Cisco security advisory has information on how to determine if these features are present and vulnerable, as well as tables with the fixed ASA and FTD releases.