A vulnerability that was recently patched in Flash Player after being used in targeted attacks is now seeing widespread exploitation in a malicious spam campaign.
The flaw was first identified in late January by security researchers who saw it used in an attack launched by a North Korean threat actor known as APT37 or Group 123. That attack targeted individuals—primarily South Koreans—who were involved in research on North Korea, which prompted speculation that the campaign was state-sponsored.
At the time of its discovery in the wild the vulnerability had zero-day status, meaning there was no patch available for it, but Adobe Systems moved quickly and fixed it the following week, on Feb. 6. The flaw is now tracked as CVE-2018-4878 in the Common Vulnerabilities and Exposures catalog.
It’s usually just a matter of time until other hackers adopt a zero-day exploit and use it more widely. That happens because there’s a very big difference between technical details about a vulnerability becoming public and a fully working weaponized exploit becoming public. In the latter case, someone has already done the hard work of writing reliable attack code to take advantage of a flaw, so it’s just a matter of copying that code and reusing it.
Researchers from security firm Morphisec now report that they’ve seen CVE-2018-4878 being exploited in a massive malspam campaign that distributes shortened URLs pointing to malicious Word documents. The documents embed the exploit code for the Flash Player vulnerability, which, if executed, will launch cmd.exe and will download an additional payload from a remote server.
While Flash Player and Microsoft Word are two separate programs, Word documents have the ability to embed Flash content, which is why they’re often used as an attack vector to exploit Flash Player vulnerabilities. The original Group 123 attack used Excel documents.
In fact, the Morphisec researchers said that the exploit code used in this latest campaign had only a few changes compared to the one discovered in January. Those minor changes were made to bypass traditional static detection systems that already had signatures for the original exploit.
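Because the campaign relies on Flash content embedded in Office documents, one defensive check a mail gateway or triage script can apply is to look inside the OOXML container for references to the Shockwave Flash ActiveX control or embedded .swf objects. The following is an added example, not code from the article or from Morphisec; the CLSID is the publicly known identifier of the Shockwave Flash control, and the sample documents are constructed in memory for the demonstration.

```python
import io
import re
import zipfile

# CLSID of the Shockwave Flash ActiveX control (well-known public identifier).
# Office documents that embed Flash content reference it in their ActiveX parts.
FLASH_CLSID = "d27cdb6e-ae6d-11cf-96b8-444553540000"

# File extensions of embedded objects that indicate Flash content.
FLASH_EXTENSIONS = (".swf",)


def find_flash_indicators(docx_bytes: bytes) -> list:
    """Return (part_name, reason) tuples for parts of an OOXML container
    (.docx/.xlsx) that reference embedded Flash content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith(FLASH_EXTENSIONS):
                findings.append((name, "embedded .swf object"))
                continue
            # Only inspect XML and relationship parts; skip other binaries.
            if not (lower.endswith(".xml") or lower.endswith(".rels")):
                continue
            data = zf.read(name).decode("utf-8", errors="ignore")
            if FLASH_CLSID in data.lower():
                findings.append((name, "Shockwave Flash CLSID"))
            elif re.search(r'Target="[^"]*\.swf"', data, re.IGNORECASE):
                findings.append((name, "relationship to .swf target"))
    return findings


def build_sample_docx(with_flash: bool) -> bytes:
    """Construct a minimal OOXML container in memory. This is a constructed
    sample for the example, not a document from the campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            # ActiveX part naming the Flash control, plus an embedded SWF
            # (the "FWS" bytes are the uncompressed SWF file signature).
            zf.writestr(
                "word/activeX/activeX1.xml",
                '<ax:ocx ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}"/>',
            )
            zf.writestr("word/embeddings/oleObject1.swf", b"FWS\x0a")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("flash", True)):
        print(label, find_flash_indicators(build_sample_docx(flag)))
```

The check is deliberately structural rather than signature-based: it does not care how the exploit bytes were tweaked to dodge static signatures, only that a document carries Flash content at all, which in most business environments is reason enough to quarantine it. Legacy binary .doc/.xls files are OLE2 containers rather than zip files and need a separate parser.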
This incident shows that patching can no longer be the lengthy, staged process it traditionally was, with deployment taking weeks or months. Attackers are now incorporating new flaws and exploits into their campaigns much faster.
“As expected and predicted, adversaries have quickly adopted the Flash exploit, which is easily reproducible,” the Morphisec researchers said in a blog post. “With small variations to the attack, they successfully launched a massive malspam campaign and bypassed most of the existing static scanning solutions once again.”
FBI Warns Companies About a Rise in IRS W-2 Phishing Scams
The FBI is warning companies that the number of phishing attacks that request Internal Revenue Service (IRS) W-2 information has increased in recent months.
“Beginning in January 2017, IRS’s Online Fraud Detection & Prevention (OFDP), which monitors for suspected IRS-related phishing emails, observed an increase in reports of compromised or spoofed emails requesting W-2 information,” the FBI’s Internet Crime Complaint Center (IC3) said in a recent alert. “Sometimes these requests were followed by or combined with a request for an unauthorized wire transfer.”
Form W-2 is used by employers to report wage and salary information to the IRS, so W-2 information can be very valuable to attackers, especially if obtained in large quantity. The records will typically contain employee names, addresses, income, Social Security numbers and other personal information.
The phishing attacks usually target employees from human resources or financial departments and start by impersonating an executive from the company. This is done either by spoofing an email address or by actually compromising an executive’s email account.
This modus operandi is similar to that used in another popular type of attack targeting businesses known as business email compromise (BEC) in which attackers impersonate company executives to trick employees into initiating wire transfers to alleged partners. In fact, the latest attacks seem to be a combination of W-2 information phishing and BEC, since the attackers will also request wire transfers.
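A mail filter can catch the spoofed-address variant of this scheme by checking whether a message carrying an executive's display name actually comes from that executive's mailbox, whether the Reply-To points somewhere else, and whether the body asks for W-2 data or a wire transfer. The following is an added example, not code from the article or from IC3; the internal domain, the executive list and the two messages are constructed for the demonstration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions for the example: the organisation's domain and the
# executives whose names are likely to be impersonated.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Phrases typical of W-2 phishing and BEC requests.
SENSITIVE_PHRASES = ("w-2", "w2 form", "wire transfer", "payroll records")


def assess_message(raw: str) -> list:
    """Return a list of reasons the message looks like executive impersonation
    aimed at W-2 data or a wire transfer. An empty list means no indicator."""
    msg = message_from_string(raw)
    reasons = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rpartition("@")[2]
    name_key = " ".join(from_name.lower().split())

    # Executive's display name on an address that is not theirs.
    if name_key in EXECUTIVES and from_addr != EXECUTIVES[name_key]:
        reasons.append("executive display name on non-matching address")

    # Reply-To steering answers to a different domain than the sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower().rpartition("@")[2] != from_domain:
        reasons.append("Reply-To domain differs from From domain")

    body = msg.get_payload(decode=True) or b""
    text = body.decode("utf-8", errors="ignore").lower()
    if any(phrase in text for phrase in SENSITIVE_PHRASES):
        reasons.append("requests W-2 data or a wire transfer")

    return reasons


# Constructed sample messages, not real captured mail.
SPOOFED = """From: Jane Doe <jane.doe@example-mail.net>
To: payroll@example.com
Subject: W-2 request

Please send me the W-2 forms for all employees as PDF today.
"""

LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Lunch

Team lunch on Friday?
"""

if __name__ == "__main__":
    print("spoofed:", assess_message(SPOOFED))
    print("legitimate:", assess_message(LEGITIMATE))
```

Header checks like these only catch the lookalike-address variant; when the executive's real account has been compromised, the From address is genuine and the body-content indicator is the only one of the three that fires, which is why the IC3 guidance pairs technical controls with an out-of-band confirmation step before any W-2 data or wire transfer leaves the company.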
The IC3 alert contains a series of recommendations and best practices, as well as instructions on how to alert the IRS about a successful W-2 data loss.
“If notified quickly after the loss, the IRS may be able to take steps that help protect your employees from tax-related identity theft,” the IC3 said.