FireEye unmasks Adobe Flash zero-day threat
China-based APT3 behind spear phishing attack that targeted several industries
FireEye recently uncovered a phishing campaign exploiting an Adobe Flash Player zero-day vulnerability (CVE-2015-3113).
The FireEye as a Service team in Singapore discovered that the attackers’ emails included links to compromised web servers that served either benign content or a malicious Adobe Flash Player file that exploits CVE-2015-3113.
The China-based threat group known as APT3 is responsible for this exploit, FireEye said. The company added that this group is also responsible for a previous attack, known as Operation Clandestine Fox. APT3 is one of the more sophisticated threat groups tracked by FireEye Threat Intelligence and has been the first group to have access to browser-based zero-day exploits (for Internet Explorer, Firefox and Adobe Flash Player, for example). After successfully exploiting a target host, APT3 will quickly dump credentials, move laterally to additional hosts and install custom backdoors. The group’s command-and-control (CnC) infrastructure is difficult to track, as there is little overlap across its campaigns.
During the last several weeks, APT3 has launched a large-scale phishing campaign against organizations in aerospace & defence, construction & engineering, high technology, telecommunications, and transportation, FireEye says.
Once APT3 has access to a target network, the group works quickly and is extremely proficient at enumerating hosts and moving laterally to maintain its access. Additionally, this group uses zero-day exploits, continually updated custom backdoors, and throwaway CnC infrastructure, making it difficult to pinpoint its activities.
Adobe has already released a patch for CVE-2015-3113 with an out-of-band security bulletin (https://helpx.adobe.com/security/products/flash-player/apsb15-14.html). FireEye recommends that Adobe Flash Player users update to the latest version as soon as possible.