ScarCruft APT Group exploited Flash Zero-Day in High-Profile attacks

Security experts from Kaspersky Lab revealed that an APT group dubbed ScarCruft exploited the zero day vulnerability (CVE-2016-4171) in Adobe Flash Player.

According to the experts from Kaspersky Lab, an APT group dubbed ScarCruft exploited a zero day vulnerability (CVE-2016-4171) in Adobe Flash Player. The group launched a series of attacks against high-profile targets against entities in Russia, Nepal, South Korea, China, Kuwait, India and Romania.

The ScarCruft APT exploited two vulnerabilities, a flaw in Flash Player and a Microsoft XML Core Services (MSXML) vulnerability (CVE-2016-0147) affecting Microsoft Windows. This second flaw can be exploited through Internet Explorer, Microsoft issued a security patch in April, but hackers exploited before the fix was released.

The Flash Player flaw CVE-2016-4171 affects versions 21.0.0.242 and earlier for Windows, Mac, Linux and Chrome OS, according to Kaspersky a threat actor behind the “Operation Daybreak” used it in targeted attacks conducted March 2016.

“Currently, the group is engaged in two major operations: Operation Daybreak and Operation Erebus. The first of them, Operation Daybreak, appears to have been launched by ScarCruft in March 2016 and employs a previously unknown (0-day) Adobe Flash Player exploit, focusing on high profile victims.” explained Costin Raiu, director of Global Research and Analysis Team at Kaspersky Lab. “The other one, “Operation Erebus” employs an older exploit, for CVE-2016-4117 and leverages watering holes. It is also possible that the group deployed another zero day exploit, CVE-2016-0147, which was patched in April.”

According to Adobe a security patch will be available as early as June 16.

“Adobe is aware of a report that an exploit for CVE-2016-4171 exists in the wild, and is being used in limited, targeted attacks. Adobe will address this vulnerability in our monthly security update, which will be available as early as June 16. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.”

Kaspersky plans to release more details on the ScarCruft ATP group and its attacks after Adobe will release a patch, fortunately Microsoft EMET is effective for the mitigation of such kind of attacks.

Stay Tuned …

[adrotate banner=”9″]

Pierluigi Paganini

Security Affairs – (ScarCruft APT, Adobe)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.