Adobe zero-day used in watering hole attack against Syrian dissidents

Adobe has just released security updates for Flash Player to fix critical vulnerabilities that are being exploited by hackers to track Syrian dissidents.

Adobe has just released security updates for Flash Player to fix critical vulnerabilities that are being exploited in a series of cyber attacks targeting Syrian dissidents complaining about the government.

In early April, experts at Kaspersky Lab discovered two new zero-day exploits in the wild based on the vulnerability tracked as CVE-2014-0515. The flaw affected the Flash Player Pixel Bender component, used for video and image processing and no longer supported by Adobe.

The attackers conducted a watering hole attack, serving both exploits from a site (http://jpic.gov.sy/) created by the Syrian Ministry of Justice to provide an online forum for citizens to complain about law and order violations. The website was compromised in September 2013, and the attacker announced the hack through his Twitter account.

“According to KSN data, these exploits were stored as movie.swf and include.swf at an infected site. The only difference between the two pieces of malware is their shellcodes. It should be noted that the second exploit (include.swf) wasn’t detected using the same heuristic signature as the first, because it contained a unique shellcode. Each exploit comes as an unpacked flash video file. The Action Script code inside was neither obfuscated nor encrypted.” reported the post published on SecureList.

The versions of Adobe Flash Player affected by the vulnerability include:

  • Adobe Flash Player 13.0.0.182 and earlier versions for Windows
  • Adobe Flash Player 13.0.0.201 and earlier versions for Macintosh
  • Adobe Flash Player 11.2.202.350 and earlier versions for Linux

“We are sure that all these tricks were used in order to carry out malicious activity against a very specific group of users without attracting the attention of security solutions. We believe that the Cisco add-in mentioned above may be used to download/implement the payload as well as to spy directly on the infected computer.”

The links used by the attackers look like:

http://jpic.gov.sy/css/images/_css/***********

The attackers probably created a folder on the site where they uploaded the exploits, then redirected victims to it using a frame or a script hosted on the site.
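Two defender-side checks built from the facts reported above, as an added example that is not part of the original article or of Kaspersky's post: a version check against the affected-build list per platform, and a sweep of proxy logs for requests to the exploit delivery path. The log format and the log lines are constructed sample data, and the platform keys are my own naming.

```python
import re

# Last affected Flash Player build per platform, as listed in the article.
# Tuples compare numerically, so "9.0.0.1" correctly sorts below "13.0.0.182".
LAST_AFFECTED = {
    "windows": (13, 0, 0, 182),
    "mac": (13, 0, 0, 201),
    "linux": (11, 2, 202, 350),
}

def parse_version(version):
    """Turn '13.0.0.182' into (13, 0, 0, 182); reject anything that is not 4 numeric parts."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("unexpected Flash version string: %r" % version)
    return tuple(int(p) for p in parts)

def is_flash_vulnerable(version, platform):
    """True if the installed build is at or below the last affected build for its platform."""
    return parse_version(version) <= LAST_AFFECTED[platform.lower()]

# Constructed proxy log: timestamp, client, method, URL, status, quoted user agent.
SAMPLE_LOG = """\
2014-04-14T10:02:11Z 10.0.0.5 GET http://jpic.gov.sy/ 200 "Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0"
2014-04-14T10:02:12Z 10.0.0.5 GET http://jpic.gov.sy/css/images/_css/movie.swf 200 "Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0"
2014-04-14T10:05:40Z 10.0.0.7 GET http://jpic.gov.sy/css/style.css 200 "Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0"
2014-04-14T10:09:03Z 10.0.0.9 GET http://jpic.gov.sy/css/images/_css/include.swf 200 "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
# The delivery path from the article; the filename was masked (***********) in the
# original, so match any .swf directly under that folder (movie.swf, include.swf, ...).
WATERING_HOLE_RE = re.compile(r"^https?://jpic\.gov\.sy/css/images/_css/[^/?#]+\.swf$", re.IGNORECASE)

def flag_watering_hole_hits(log_text):
    """Return (timestamp, client, url) for every request matching the exploit delivery path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole sweep
        ts, client, _method, url, _status, _ua = m.groups()
        if WATERING_HOLE_RE.match(url):
            hits.append((ts, client, url))
    return hits
```

Clients flagged by flag_watering_hole_hits are the ones whose Flash build should then be checked with is_flash_vulnerable.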

“To date, April 28, the number of detections by our products has exceeded 30. They were detected on the computers of seven unique users, all of them in Syria, which is not surprising considering the nature of the site. Interestingly, all the attacked users entered the website using various versions of Mozilla Firefox.” The post adds: “Although we’ve only seen a limited number of attempts to exploit this vulnerability, we’re strongly recommending users to update their versions of Adobe Flash Player software.” “It is possible that once information about this vulnerability becomes known, criminals would try to reproduce these new exploits or somehow get the existing variants and use them in other attacks. Even with a patch available, cybercriminals would expect to profit from this vulnerability because a worldwide update of software as widely used as Flash Player will take some time. Unfortunately this vulnerability will be dangerous for a while.” states the post.

The attacks that exploited the flaw in Adobe Flash Player were probably the result of a carefully planned operation by highly skilled attackers who had access to zero-day exploits. The attackers served the exploits from a simple website to conduct a surgical operation while avoiding detection.

Pierluigi Paganini

(Security Affairs – Watering hole, Adobe)
