
Adobe patches Flash Zero-Day exploited by ScarCruft APT

Adobe Flash Player 22.0.0.192 release fixes the Flash Player zero-day vulnerability (CVE-2016-4171) exploited by the APT group dubbed ScarCruft.

Adobe has issued Flash Player 22.0.0.192, a release that fixes the Flash Player zero-day vulnerability (CVE-2016-4171) exploited by the APT group dubbed ScarCruft in attacks on high-profile targets.

The Flash Player flaw CVE-2016-4171 affects versions 21.0.0.242 and earlier for Windows, Mac, Linux and Chrome OS. According to Kaspersky, the threat actor behind “Operation Daybreak” used it in targeted attacks conducted in March 2016.

According to Kaspersky Lab, the ScarCruft APT group exploited the zero-day in a series of attacks against high-profile targets in Russia, Nepal, South Korea, China, Kuwait, India and Romania.

“Currently, the group is engaged in two major operations: Operation Daybreak and Operation Erebus. The first of them, Operation Daybreak, appears to have been launched by ScarCruft in March 2016 and employs a previously unknown (0-day) Adobe Flash Player exploit, focusing on high profile victims.” explained Costin Raiu, director of Global Research and Analysis Team at Kaspersky Lab. “The other one, “Operation Erebus” employs an older exploit, for CVE-2016-4117 and leverages watering holes. It is also possible that the group deployed another zero day exploit, CVE-2016-0147, which was patched in April.”

The new release addressed a total of 36 flaws that could be exploited by hackers to run arbitrary code on the vulnerable systems and that could result in information disclosure.

The flaws were reported to Adobe by security experts from Cisco, FireEye, Google, Kaspersky Lab, Microsoft, Pangu LAB, Qihoo 360, and Tencent.

The list of flaws fixed includes use-after-free, directory search path, heap buffer overflow, and same-origin policy (SOP) bypass vulnerabilities.

The ScarCruft APT also exploited another vulnerability (CVE-2016-0147) in Microsoft XML Core Services (MSXML) affecting Microsoft Windows. This second flaw can be exploited through Internet Explorer; Microsoft issued a security patch in April, but hackers exploited it before the fix was released.


“It is not a secret that anti-malware systems trigger on special system functions that are called in the context of potential vulnerable applications to make a deeper analysis of API calls such as CreateProcess, WinExec or ShellExecute,” Ivanov and Raiu wrote in a blog post published on SecureList.

“For instance, such defense technologies trigger if a potentially vulnerable application such as Adobe Flash starts other untrusted applications, scripts interpreters or even the command console,” the experts added. “To make execution of payload invisible for these defense systems, the threat actors used the Windows DDE interface in a very clever way.”
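The behavioural check described in the quotes above (a potentially vulnerable application starting a script interpreter or the command console) can be sketched as follows. This is an added example, not code from Kaspersky or Adobe; the host-process list, the JSON event format and the sample events are assumptions constructed for illustration. According to the researchers, the actors' use of DDE was aimed at making payload execution invisible to this kind of check.

```python
import json
import ntpath

# Assumed Flash-hosting processes; adjust to your environment (not from the article).
FLASH_HOSTS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
# Script interpreters and the command console, the child types the quote mentions.
WATCHED_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Constructed process-creation events (one JSON object per line); not real telemetry.
SAMPLE_LOG = r'''
{"pid": 100, "ppid": 4, "image": "C:\\Windows\\explorer.exe"}
{"pid": 200, "ppid": 100, "image": "C:\\Program Files\\Internet Explorer\\iexplore.exe"}
{"pid": 210, "ppid": 200, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.exe"}
{"pid": 220, "ppid": 210, "image": "C:\\Windows\\System32\\cmd.exe"}
{"pid": 300, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe"}
{"pid": 310, "ppid": 200, "image": "C:\\Windows\\System32\\WScript.exe"}
truncated record {"pid":
'''

def parse_events(text):
    """Return {pid: (ppid, lowercase image basename)}, skipping malformed lines."""
    events = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            ev = json.loads(line)
            events[int(ev["pid"])] = (int(ev["ppid"]), ntpath.basename(ev["image"]).lower())
        except (ValueError, KeyError, TypeError):
            continue
    return events

def flash_ancestor(events, pid, max_depth=8):
    """Walk the parent chain; return the first Flash-hosting ancestor or None."""
    seen, ppid = set(), events[pid][0]
    while ppid in events and ppid not in seen and len(seen) < max_depth:
        seen.add(ppid)
        ppid, name = events[ppid]
        if name in FLASH_HOSTS:
            return name
    return None

def detect(text):
    """Return (pid, child, host) for watched children descended from a Flash host."""
    events = parse_events(text)
    alerts = []
    for pid, (_, name) in sorted(events.items()):
        host = flash_ancestor(events, pid) if name in WATCHED_CHILDREN else None
        if host:
            alerts.append((pid, name, host))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The ancestor walk catches a console started through an intermediate helper process, while a console started from the desktop shell is left alone.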

According to the experts from Kaspersky, the malicious code (HEUR:Trojan.Win32.ScarCruft.gen) used by threat actors in Operation Daybreak is “extremely rare” and likely used only for surgical attacks.

Experts from Kaspersky explained that Flash Player exploits in the wild are becoming rare because they need to be coupled with a sandbox bypass exploit. Furthermore, Adobe is investing significant effort in implementing new mitigations to make exploitation of Flash Player more and more difficult.

 


Pierluigi Paganini

Security Affairs –  (CVE-2016-4171 Zero-Day, Adobe)
