CVE-2018-15982 Adobe zero-day exploited in targeted attacks

Adobe released security updates for Flash Player that address two vulnerabilities, including a critical flaw, tracked as CVE-2018-15982, exploited in targeted attacks.

Adobe fixed two flaws, including a critical use-after-free bug, tracked as CVE-2018-15982, that an advanced persistent threat actor exploited in an attack aimed at a healthcare organization associated with the Russian presidential administration.

Attackers could exploit the flaw to execute arbitrary code. Adobe addressed it with the release of Flash Player 32.0.0.101 for Windows, macOS, Linux, and Chrome OS.

“Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address one critical vulnerability in Adobe Flash Player and one important vulnerability in Adobe Flash Player installer.” reads the security advisory published by Adobe.

“Successful exploitation could lead to Arbitrary Code Execution and privilege escalation in the context of the current user respectively. 

Adobe is aware of reports that an exploit for CVE-2018-15982 exists in the wild.”

Adobe confirmed that it is aware of attacks exploiting the flaw in the wild.

Adobe has credited the following experts for reporting the CVE-2018-15982 flaw:

  • Chenming Xu and Ed Miles of Gigamon ATR
  • Yang Kang (@dnpushmen) and Jinquan (@jq0904) of Qihoo 360 Core Security (@360CoreSec)
  • He Zhiqiu, Qu Yifan, Bai Haowen, Zeng Haitao and Gu Liang of 360 Threat Intelligence of 360 Enterprise Security Group
  • independent researcher b2ahex

Attackers used decoy Word documents that embed a Flash file exploiting the zero-day vulnerability. The Word document is delivered in a RAR archive together with a JPG picture. When the Flash vulnerability is triggered, the malware extracts the RAT code embedded in the JPG picture.

“The attack strategy is very clever: Flash file with 0day vulnerability is inserted into decoy Word document which is compressed into one RAR file with a JPG picture. When Flash 0day vulnerability is triggered, it will extract out RAT from that JPG picture. Such trick aims to avoid detection of most security software. This RAT has same digital signature as one RAT which is very likely written by Hacking Team, latter was found August 2018. We believe that the new RAT is an upgrade version of Hacking Team’s RAT.” reads the analysis published by 360 Enterprise Security Group.

“This vulnerability and exploitation code could be reused by cybercriminals even other APT groups for large-scale attacks, we would suggest users to take necessary protection, like applying latest Adobe Flash patch.”
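The article says the RAT was carried inside the JPG picture but not how it was stored. The following is an added example, not code from the article or the cited analyses: it assumes the common case of bytes appended after the JPEG end-of-image marker and shows how a defender can flag such a file. The signature table and the sample bytes are constructed for illustration.

```python
MAGICS = {b"Rar!\x1a\x07": "RAR archive", b"PK\x03\x04": "ZIP archive",
          b"MZ": "PE executable"}  # signatures chosen for this example

def jpeg_end_offset(data: bytes) -> int:
    """Walk the marker segments and return the offset just past EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker, not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
        elif marker == 0xD9:                    # EOI: the image ends here
            return pos + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                            # markers that carry no length
        else:
            if pos + 4 > len(data):
                break
            length = int.from_bytes(data[pos + 2:pos + 4], "big")
            if length < 2:
                raise ValueError(f"bad segment length at offset {pos}")
            pos += 2 + length                   # skip segment (e.g. EXIF thumbnail)
            if marker == 0xDA:                  # SOS: entropy-coded data follows
                while pos + 1 < len(data) and not (
                        data[pos] == 0xFF and data[pos + 1] != 0x00
                        and not 0xD0 <= data[pos + 1] <= 0xD7):
                    pos += 1                    # FF00 is stuffing, FFD0-D7 restarts
    raise ValueError("no EOI marker, truncated JPEG")

def trailing_payload(data: bytes):
    """Return details of non-padding bytes after EOI, or None if clean."""
    end = jpeg_end_offset(data)
    tail = data[end:]
    if not tail.strip(b"\x00"):
        return None
    kind = next((n for m, n in MAGICS.items() if tail.startswith(m)), "unknown")
    return {"offset": end, "size": len(tail), "kind": kind}

# Constructed marker stream (not a real picture); APP1 holds an inner FFD9.
CLEAN = (b"\xff\xd8"
         + b"\xff\xe1" + (2 + 9).to_bytes(2, "big") + b"\xff\xd8thumb\xff\xd9"
         + b"\xff\xda" + (2 + 6).to_bytes(2, "big") + bytes(6)
         + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")
CARRIER = CLEAN + b"Rar!\x1a\x07\x00" + b"constructed-archive-bytes"

print(trailing_payload(CLEAN), trailing_payload(CARRIER))
```

Walking the segments matters because a plain search for the first `FF D9` stops inside an embedded thumbnail and reports the rest of a legitimate image as trailing data.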

“The vulnerability (CVE-2018-15982) allows for a maliciously crafted Flash object to execute code on a victim’s computer, which enables an attacker to gain command line access to the system.” reads the post published by Gigamon.

The document was submitted to VirusTotal from a Ukrainian IP address and contains a purported employment application for a Russian state healthcare clinic.

Experts observed the Flash zero-day exploit being used in an attack aimed at the FSBI “Polyclinic No. 2” of the Administrative Directorate of the President of the Russian Federation.

Once opened, the decoy document shows a questionnaire for personnel of the Moscow-based hospital, while the zero-day exploit is executed in the background.

Pierluigi Paganini
