FireEye unmasks Adobe Flash zero-day threat

China-based APT3 behind spear phishing attack that targeted several industries

APT3 group campaign exploited an Adobe Flash Player zero-day vulnerability.

FireEye recently uncovered a phishing campaign exploiting an Adobe Flash Player zero-day vulnerability (CVE-2015-3113).

The FireEye as a Service team in Singapore discovered that the attackers’ emails included links to compromised web servers that served either benign content or a malicious Adobe Flash Player file that exploits CVE-2015-3113.

The China-based threat group known as APT3 is responsible for this exploit, FireEye said. The company added that this group is also responsible for a previous attack, known as Operation Clandestine Fox. APT3 is one of the more sophisticated threat groups tracked by FireEye Threat Intelligence and has been the first group to have access to browser-based zero-day exploits (examples include Internet Explorer, Firefox and Adobe Flash Player). After successfully exploiting a target host, APT3 quickly dumps credentials, moves laterally to additional hosts and installs custom backdoors. The group’s command-and-control (CnC) infrastructure is difficult to track, as there is little overlap across its campaigns.

During the last several weeks, APT3 has launched a large-scale phishing campaign against organizations in aerospace & defence, construction & engineering, high technology, telecommunications, and transportation, FireEye says.

Upon clicking the URLs provided in the phishing emails, targets were redirected to a compromised server hosting JavaScript profiling scripts. Once a target host was profiled, victims downloaded a malicious Adobe Flash Player SWF file and an FLV file. This ultimately resulted in a custom backdoor known as SHOTPUT, detected by FireEye as Backdoor.APT.CookieCutter, being delivered to the victim’s system.
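The delivery chain described above (a JavaScript profiling script, then an SWF, then an FLV from the same external host) is a sequence a defender can look for in web-proxy logs. The following is an added detection example, not FireEye's code or anything from the report: it correlates requests per client and host and flags the js → swf → flv ordering within a short window. The log format, host names, addresses and timestamps are constructed for illustration.

```python
"""Correlate proxy log lines into the js -> swf -> flv delivery chain.

Added example; the log format below and every host, client address and
timestamp in SAMPLE_LOG are constructed, not taken from the report.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines: "<ISO timestamp> <client ip> <method> <url>"
SAMPLE_LOG = """\
2015-06-23T09:14:02 10.1.2.3 GET http://compromised.example/lib/profile.js
2015-06-23T09:14:05 10.1.2.3 GET http://compromised.example/media/movie.swf
2015-06-23T09:14:06 10.1.2.3 GET http://compromised.example/media/movie.flv
2015-06-23T09:20:00 10.1.2.9 GET http://cdn.example/jquery.js
2015-06-23T09:45:10 10.1.2.9 GET http://video.example/intro.swf
2015-06-23T11:00:00 10.1.2.9 GET http://video.example/intro.flv
"""

# How close together the three fetches must be to count as one chain.
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Split one log line into (timestamp, client, host, file extension)."""
    ts, client, _method, url = line.split()
    host = url.split("/")[2].lower()          # "http://host/path" -> host
    ext = url.rsplit(".", 1)[-1].lower()      # extension of the requested path
    return datetime.fromisoformat(ts), client, host, ext


def find_chains(log_text, window=WINDOW):
    """Return (client, host, iso_time_of_js) for each client/host pair that
    requested a .js, then a .swf, then a .flv, in that order, within `window`.
    Requests to different hosts are never joined into one chain."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, ext = parse_line(line)
        if ext in ("js", "swf", "flv"):
            by_pair[(client, host)].append((ts, ext))

    hits = []
    for (client, host), events in by_pair.items():
        events.sort()
        for i, (t0, ext0) in enumerate(events):
            if ext0 != "js":
                continue
            seen_swf = False
            # Walk forward from the profiling script looking for swf then flv.
            for t, ext in events[i + 1:]:
                if t - t0 > window:
                    break
                if ext == "swf":
                    seen_swf = True
                elif ext == "flv" and seen_swf:
                    hits.append((client, host, t0.isoformat()))
                    break
    return hits


if __name__ == "__main__":
    for client, host, when in find_chains(SAMPLE_LOG):
        print(f"possible Flash delivery chain: {client} <- {host} at {when}")
```

In the sample data only the first client produces a hit; the second client's requests span two hosts and a much longer interval, so they are not joined. The ordering and host constraints are what keep the rule from firing on ordinary pages that legitimately serve both a script and a Flash movie.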

Once APT3 has access to a target network, the group works quickly and is extremely proficient at enumerating hosts and moving laterally to maintain its access. Additionally, this group uses zero-day exploits, continually updated custom backdoors, and throwaway CnC infrastructure, making it difficult to pinpoint its activities.

Adobe has already released a patch for CVE-2015-3113 with an out-of-band security bulletin (https://helpx.adobe.com/security/products/flash-player/apsb15-14.html). FireEye recommends that Adobe Flash Player users update to the latest version as soon as possible.