Recent Flash Zero-Day Flaw Now Exploited in Widespread Attacks

A vulnerability that was recently patched in Flash Player after being used in targeted attacks is now seeing widespread exploitation in a malicious spam campaign.

The flaw was first identified in late January by security researchers who saw it used in an attack launched by a North Korean threat actor known as APT37 or Group 123. That attack targeted individuals—primarily South Koreans—who were involved in research on North Korea, which prompted speculation that the campaign was state-sponsored.

At the time of its discovery in the wild the vulnerability had zero-day status, meaning there was no patch available for it, but Adobe Systems moved quickly and fixed it the following week, on Feb. 6. The flaw is now tracked as CVE-2018-4878 in the Common Vulnerabilities and Exposures catalog.

It’s usually just a matter of time until other hackers adopt a zero-day exploit and use it more widely. That happens because there’s a very big difference between technical details about a vulnerability becoming public and a fully working weaponized exploit becoming public. In the latter case, someone has already done the hard work of writing reliable attack code to take advantage of a flaw, so it’s just a matter of copying that code and reusing it.

Researchers from security firm Morphisec now report that they’ve seen CVE-2018-4878 being exploited in a massive malspam campaign that distributes shortened URLs pointing to malicious Word documents. The documents embed the exploit code for the Flash Player vulnerability, which, if executed, will launch cmd.exe and will download an additional payload from a remote server.

While Flash Player and Microsoft Word are two separate programs, Word documents have the ability to embed Flash content, which is why they’re often used as an attack vector to exploit Flash Player vulnerabilities. The original Group 123 attack used Excel documents.

In fact, the Morphisec researchers said that the exploit code used in this latest campaign had only a few changes compared to the one discovered in January. Those minor changes were made to bypass traditional static detection systems that already had signatures for the original exploit.
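A check on the behaviour described above (an Office document host launching cmd.exe) does not depend on the exploit's bytes, which is what the static signatures matched. The sketch below is an added example, not code from Morphisec or from this article; it assumes process-creation records exported as JSON lines with Sysmon-style field names (`ParentImage`, `Image`, `CommandLine`), and the sample records are constructed.

```python
import json
import ntpath
import re

OFFICE_HOSTS = {"winword.exe", "excel.exe"}  # document hosts named in the article
SHELL_CHILDREN = {"cmd.exe"}                 # child process named in the article
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed sample records (not real telemetry), one JSON object per line.
SAMPLE_EVENTS = r'''
{"UtcTime": "2018-02-26 09:14:02", "Computer": "WS-014", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c echo constructed http://example.invalid/stage2"}
{"UtcTime": "2018-02-26 09:15:40", "Computer": "WS-014", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
{"UtcTime": "2018-02-26 09:20:11", "Computer": "WS-022", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\SysWOW64\\CMD.EXE", "CommandLine": "cmd.exe /c dir"}
{"UtcTime": "2018-02-26 09:21:00", "Computer": "WS-022", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "splwow64.exe 12288"}
this line is not JSON
'''

def exe_name(path):
    """Lower-cased file name of a Windows path; tolerates missing fields."""
    return ntpath.basename(str(path or "")).lower()

def find_office_shell_spawns(lines):
    """Return (alerts, skipped) for records where an Office host spawned a shell."""
    alerts, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1          # count unparseable input instead of hiding it
            continue
        if not isinstance(event, dict):
            skipped += 1
            continue
        parent, child = exe_name(event.get("ParentImage")), exe_name(event.get("Image"))
        if parent in OFFICE_HOSTS and child in SHELL_CHILDREN:
            # A URL on the shell's command line fits the follow-on download step.
            urls = URL_RE.findall(str(event.get("CommandLine", "")))
            alerts.append({"time": event.get("UtcTime"), "computer": event.get("Computer"),
                           "parent": parent, "child": child, "urls": urls,
                           "severity": "high" if urls else "medium"})
    return alerts, skipped

if __name__ == "__main__":
    found, bad = find_office_shell_spawns(SAMPLE_EVENTS.splitlines())
    for alert in found:
        print(alert)
    print("unparseable records:", bad)
```
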

This incident shows that, for companies, patching can no longer be the traditionally lengthy and staged process that it used to be, where patch deployment took weeks or months. Attackers are now incorporating new flaws and exploits into their campaigns much faster.

“As expected and predicted, adversaries have quickly adopted the Flash exploit, which is easily reproducible,” the Morphisec researchers said in a blog post. “With small variations to the attack, they successfully launched a massive malspam campaign and bypassed most of the existing static scanning solutions once again.”

FBI Warns Companies About a Rise in IRS W-2 Phishing Scams

The FBI is warning companies that the number of phishing attacks that request Internal Revenue Service (IRS) W-2 information has increased in recent months.

“Beginning in January 2017, IRS’s Online Fraud Detection & Prevention (OFDP), which monitors for suspected IRS-related phishing emails, observed an increase in reports of compromised or spoofed emails requesting W-2 information,” the FBI’s Internet Crime Complaint Center (IC3) said in a recent alert. “Sometimes these requests were followed by or combined with a request for an unauthorized wire transfer.”

Form W-2 is used by employers to report wage and salary information to the IRS, so W-2 information can be very valuable to attackers, especially if obtained in large quantity. The records will typically contain employee names, addresses, income, Social Security numbers and other personal information.

The phishing attacks usually target employees from human resources or financial departments and start by impersonating an executive from the company. This is done either by spoofing an email address or by actually compromising an executive’s email account.

This modus operandi is similar to that used in another popular type of attack targeting businesses known as business email compromise (BEC) in which attackers impersonate company executives to trick employees into initiating wire transfers to alleged partners. In fact, the latest attacks seem to be a combination of W-2 information phishing and BEC, since the attackers will also request wire transfers.

The IC3 alert contains a series of recommendations and best practices, as well as instructions on how to alert the IRS about a successful W-2 data loss.

“If notified quickly after the loss, the IRS may be able to take steps that help protect your employees from tax-related identity theft,” the IC3 said.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
