Zero-day vulnerability in Adobe Flash Player

Use-after-free
CVE-2018-4878

KR-CERT reported in-the-wild exploitation of a zero-day vulnerability in the latest version of Adobe Flash Player. According to the South Korean Computer Emergency Response Team (KR-CERT), the exploit has been used in the wild since mid-November 2017.

Security researchers at FireEye linked the exploitation to the hacking group TEMP.Reaper (later designated APT37). The IP addresses from which the operators connected to their C&C servers belong to the Internet provider Star JV, a joint venture between North Korea and Thailand.

Cisco Talos observed the vulnerability being used in attacks conducted by the group it tracks as Group 123.

According to FireEye, successful exploitation of the vulnerability infects the system with the DOGCALL malware.

Cisco Talos also reported attacks that delivered the malware it tracks as Rokrat.

Morphisec Labs researchers Michael Gorelik and Assaf Kachlon found that the vulnerability was also used in a watering hole attack on the website of a Hong Kong telecommunications company.

Known malware:

DOGCALL
Rokrat

Vulnerability details

Advisory: SB2018020120 - Remote code execution in Adobe Flash Player

Vulnerable component: Adobe Flash Player

CVE-ID: CVE-2018-4878

CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-416 - Use After Free

Description:

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing .swf files. A remote attacker can trick the victim into opening a specially crafted .swf file, delivered through a web page or embedded in an Office document, and execute arbitrary code on the target system with the privileges of the current user.

Note: this vulnerability is being actively exploited in the wild against the latest version of Adobe Flash Player.

UPDATE: The vendor issued a fixed version on February 6, 2018 (Adobe Flash Player 28.0.0.161, security bulletin APSB18-03).
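Because the in-the-wild exploits arrived as Office documents with an embedded .swf, a quick triage step is to look for SWF headers inside a suspicious attachment. The following is an added example, not part of the original advisory or any vendor tool: it parses the 8-byte SWF header (signature, version, declared length), verifies that a zlib-compressed body really inflates to the declared size so that a chance "CWS" string is not reported as a hit, and scans either an OOXML zip member by member or a legacy binary file as a whole. The sample documents it scans are constructed inline; the version bound of 64 is an assumption used only to reject noise, and LZMA-compressed (ZWS) bodies are reported but not unpacked.

```python
"""Triage helper: locate Flash (SWF) blobs embedded in Office documents.

Added example, not part of the original advisory. Malicious Office files
carrying an embedded SWF were one delivery vector for CVE-2018-4878, so a
scan for SWF headers is a useful first check on a suspicious attachment.
Assumptions (not from the advisory): only the signatures FWS, CWS and ZWS
are searched, a version bound of 64 rejects chance matches, and ZWS (LZMA)
bodies are reported but not unpacked.
"""
import io
import struct
import zipfile
import zlib

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
MAX_SWF_VERSION = 64  # sanity bound (assumption); real SWF versions stop well below this


def parse_swf_header(data, offset):
    """Describe the SWF starting at data[offset]; None if not a plausible header."""
    hdr = data[offset:offset + 8]
    if len(hdr) < 8:
        return None
    sig, version = hdr[:3], hdr[3]
    length = struct.unpack("<I", hdr[4:8])[0]  # declared *uncompressed* length incl. header
    if sig not in SWF_MAGICS or version == 0 or version > MAX_SWF_VERSION or length < 8:
        return None
    body = data[offset + 8:]
    if sig == b"FWS":  # uncompressed: enough bytes must follow the header
        valid = len(body) >= length - 8
    elif sig == b"CWS":  # zlib body: must inflate to exactly the declared size
        try:
            d = zlib.decompressobj()
            inflated = d.decompress(body)
            valid = d.eof and len(inflated) + 8 == length
        except zlib.error:
            valid = False
    else:  # ZWS: 4-byte compressed length + 5-byte LZMA props follow; not unpacked here
        valid = len(body) >= 9
    return {"offset": offset, "signature": sig.decode(), "version": version,
            "declared_length": length, "valid": valid}


def scan_bytes(data, member="<raw>"):
    """Yield every plausible SWF header found in a byte string."""
    for magic in SWF_MAGICS:
        pos = data.find(magic)
        while pos != -1:
            info = parse_swf_header(data, pos)
            if info:
                info["member"] = member
                yield info
            pos = data.find(magic, pos + 1)


def scan_office_file(blob):
    """Scan an OOXML container (zip) member by member, or a legacy binary file as a whole."""
    if blob[:2] == b"PK":
        findings = []
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            for name in z.namelist():
                findings.extend(scan_bytes(z.read(name), name))
        return findings
    return list(scan_bytes(blob))


def build_swf(version=39, compressed=True):
    """Construct a minimal do-nothing SWF (constructed sample, not real malware)."""
    rect = bytes.fromhex("7800055f00000fa000")  # RECT: 550x400 stage
    body = rect + b"\x00\x0c" + b"\x01\x00" + b"\x00\x00"  # 12 fps, 1 frame, End tag
    length = 8 + len(body)
    if compressed:
        return b"CWS" + bytes([version]) + struct.pack("<I", length) + zlib.compress(body)
    return b"FWS" + bytes([version]) + struct.pack("<I", length) + body


def make_sample_docx():
    """Constructed .docx-like zip: one SWF inside an OLE embedding plus a decoy 'CWS' string."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/embeddings/oleObject1.bin",
                   b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64 + build_swf() + b"\x00" * 16)
        z.writestr("word/media/image1.png",
                   b"\x89PNG\r\n\x1a\n" + b"CWS\x08" + struct.pack("<I", 4000) + b"not a zlib stream")
    return buf.getvalue()


def make_sample_legacy_doc():
    """Constructed OLE-style binary with an uncompressed SWF stored inline."""
    return b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 512 + build_swf(compressed=False)


if __name__ == "__main__":
    for sample in (make_sample_docx(), make_sample_legacy_doc()):
        for f in scan_office_file(sample):
            print("%s offset=%d %s v%d len=%d valid=%s" % (
                f["member"], f["offset"], f["signature"], f["version"],
                f["declared_length"], f["valid"]))
```

A hit with valid=True in an embedding or ActiveX member of a document that has no business carrying Flash is worth pulling for analysis; the decoy in the sample shows why the inflate check matters, since three ASCII bytes alone are far too weak a signature. RTF carriers hex-encode their objects and need to be decoded before this scan applies.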

Latest references in media:

- Cobalt crime gang is using again CobInt malware in attacks on former soviet states [2018-09-13 10:00:11]

- New 'Fallout' EK Brings Return of Old Ransomware [2018-09-11 01:10:06]

- New Campaign Brings Return of Old Malware [2018-09-11 00:20:06]

- ShadowTalk Update – 09.10.2018 [2018-09-10 18:11:39]

- Fallout exploit kit appeared in the threat landscape in malvertising campaigns [2018-09-10 09:10:10]

- Nestled in hacked sites–New Fallout Exploit Kit injecting GandCrab Ransomware or Redirecting to PUPs [2018-09-09 13:20:55]

- New Fallout Exploit Kit Drops GandCrab Ransomware or Redirects to PUPs [2018-09-07 00:30:20]

- Alleged Iran-linked APT group RASPITE targets US electric utilities [2018-08-02 20:00:08]

- Dangerous Underminer Exploit Kit Delivers a Cryptocurrency-mining Malware and Bootkit [2018-07-30 12:50:50]

- Underminer Exploit Kit spreading Bootkits and cryptocurrency miners [2018-07-29 11:00:08]

- New Underminer Exploit Kit Discovered Pushing Bootkits and CoinMiners [2018-07-28 16:40:17]

- New Underminer Exploit Kit Delivers Bootkit and Cryptocurrency-mining Malware with Encrypted TCP Tunnel [2018-07-26 17:40:17]

- Shadow Talk Update – 12.02.2018 [2018-07-25 16:25:00]

- Shadow Talk Update – 03.05.2018 [2018-07-25 16:25:00]

- Magniber ransomware spreads in other Asian countries [2018-07-18 13:11:02]

- Asian APT Groups Most Active in Q2 [2018-07-10 23:11:01]

- APT Trends Report Q2 2018 [2018-07-10 12:00:56]

- RIG Exploit Kit Leverage the Code Injection Technique to Mining Crypto-Currency [2018-07-03 04:50:50]

- Down but Not Out: A Look Into Recent Exploit Kit Activities [2018-07-02 16:00:19]

- RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique [2018-06-28 18:30:04]

- Key Findings from the Morphisec Labs’ Threat Report for Q1 of 2018 [2018-06-20 16:41:24]

- Exploit kits: Spring 2018 review [2018-06-19 05:41:20]

- Clipboard Hijacker Targeting Bitcoin & Ethereum Users Infects Over 300,0000 PCs [2018-06-15 11:30:23]

- Analysis of the evolution of exploit kits in the threat landscape [2018-06-14 09:10:09]

- Exploit Kits Target Recent Flash, Internet Explorer Zero-Days [2018-06-13 18:00:09]

- Zero-Day Flash Exploit Targeting Middle East [2018-06-08 12:27:43]

- Adobe fixed the CVE-2018-5002 Flash Zero-Day exploited in targeted attacks in the Middle East [2018-06-07 16:18:26]

- Adobe Patches Flash Zero-Day [2018-06-07 15:25:25]

- North Korea-linked Andariel APT Group exploited an ActiveX Zero-Day in recent attacks [2018-06-01 08:39:41]

- Rig Exploit Kit Now Using CVE-2018-8174 to Deliver Monero Miner [2018-06-01 01:13:09]

- Office 365 will automatically block Flash and Silverlight [2018-05-24 16:02:10]

- IT threat evolution Q1 2018. Statistics [2018-05-14 12:12:44]

- Less than five per cent of the Internet uses Adobe Flash now | TheINQUIRER [2018-04-20 12:51:37]

- Security Affairs newsletter Round 158 – News of the week [2018-04-15 10:47:10]

- APT Trends report Q1 2018 [2018-04-12 12:03:56]

- Booby-trapped Office docs build with ThreadKit trigger CVE-2018-4878 flaw [2018-04-10 10:20:37]

- Security Affairs newsletter Round 156 – News of the week [2018-04-01 12:05:15]

- MS Office Document Exploit Kit Distributing New Exploits and Malware [2018-03-31 07:37:08]

- New ThreadKit exploit builder used to spread banking Trojan and RATs [2018-03-28 14:43:53]

- New "ThreadKit" Office Exploit Builder Emerges [2018-03-27 17:40:49]

- Experts uncovered a watering hole attack on leading Hong Kong Telecom Site exploiting CVE-2018-4878 flaw [2018-03-27 09:38:43]

- Watering Hole Attack Exploits North Korea's Flash Flaw [2018-03-26 18:50:37]

- Hermes Ransomware - Distributed through Malicious Office Documents [2018-03-17 08:03:31]

- Hidden Cobra - Cybercrime Group Targeting Financial Sectors [2018-03-12 07:55:19]

- North Korean Hidden Cobra APT targets Turkish financial industry with new Bankshot malware [2018-03-10 08:03:59]

- Hidden Cobra Coils and Strikes at Turkish Banks [2018-03-08 21:43:15]

- Google Patches 11 Critical Bugs in March Android Security Bulletin [2018-03-06 19:35:18]

- Security Affairs newsletter Round 152 – News of the week [2018-03-05 14:08:33]

- Massive Malspam Campaign Targets Unpatched Systems [2018-02-28 00:00:14]

- Recently patched CVE-2018-4878 Adobe Flash Player flaw now exploited by cybercriminals [2018-02-27 20:02:23]

- North Korea hacking group is expanding operations, researchers say [2018-02-27 01:52:12]

- Adobe Flash Vulnerability Reappears in Malicious Word Files [2018-02-26 22:40:03]

- North Korea's Flash Player Flaw Now Exploited by Cybercriminals [2018-02-26 21:10:19]

- North Korean Reaper APT uses zero-day vulnerabilities to spy on governments | ZDNet [2018-02-21 12:50:04]

- Microsoft Patch Tuesday, February 2018 [2018-02-13 01:00:00]

- Flash Zero Day (CVE-2018-4878) [2018-02-13 01:00:00]

- North Korean APT Group tracked as APT37 broadens its horizons [2018-02-21 07:40:16]

- North Korean Threat Widens to Target Multinationals [2018-02-20 23:41:06]

- APT37 (Reaper): The Overlooked North Korean Actor [2018-02-20 14:40:01]

- Microsoft, Adobe February 2018 security updates: An overview [2018-02-14 12:41:16]

- February Patch Tuesday Is a Bouquet of Fixes for Privilege Escalation Vulnerabilities [2018-02-14 11:32:02]

- Cybersecurity week Round-Up (2018, Week 6) [2018-02-12 16:22:47]

- Security Affairs newsletter Round 149 – News of the week [2018-02-11 15:50:06]

- A Flaw in Hotspot Shield VPN From AnchorFree Can Expose Users Locations [2018-02-09 16:11:33]

- North Korean APT Group Employed Rare Zero-Day Attack [2018-02-08 00:20:03]

- Adobe patches Flash zero-day being 'exploited by North Korean hackers' | TheINQUIRER [2018-02-07 17:50:10]

- Windows security: Microsoft issues Adobe patch to tackle Flash zero-day | ZDNet [2018-02-07 15:32:13]

- Adobe Issues Emergency Fix to Foil North Korean Hackers [2018-02-07 11:00:03]

- Adobe rolled out an emergency patch that fixed CVE-2018-4878 flaw exploited by North Korea [2018-02-07 09:00:06]

- Adobe: Two critical Flash security bugs fixed for the price of one [2018-02-06 21:30:02]

- Adobe Patches Flash Zero-Day Used in South Korean Attacks [2018-02-06 21:20:02]

- Adobe Patches Flash Zero-Day Exploited by North Korean Hackers [2018-02-06 18:11:37]

- Adobe Flash Zero-Day Spotted in the Wild [2018-02-05 22:21:08]

- Cisco and FireEye Pointing Finger at North Korea Hacking Group For Adobe Flash 0-Day In The Wild [2018-02-05 19:50:11]

- About the Flash zero-day currently exploited in the wild [2018-02-05 13:24:29]

- Flash Zero-Day Attacks Analyzed by FireEye, Cisco [2018-02-05 06:40:11]

- South Korea identifies Flash 0-day in the wild | ZDNet [2018-02-05 03:50:09]

- Attacks Leveraging Adobe Zero-Day (CVE-2018-4878) – Threat Attribution, Attack Scenario and Recommendations [2018-02-03 03:30:02]

- Adobe warns of Flash zero-day, patch to come next week [2018-02-02 18:30:52]

- Attackers Exploiting Unpatched Flaw in Flash [2018-02-02 15:50:53]

- Adobe acknowledges Flash zero-day that's been exploited since November | TheINQUIRER [2018-02-02 12:11:31]

- Researchers spotted a new Adobe Flash Player zero-day exploit in the wild that's being actively exploited in the wild by North Korean hackers to target Windows users in South Korea. [2018-02-02 07:20:03]

- Adobe to Patch Flash Zero-Day Discovered in South Korean Attacks [2018-02-02 00:00:03]

- South Korea Warns of Flash Zero-Day flaw exploited by North Korea in surgical attacks [2018-02-01 23:32:34]

- Adobe Flash Player Zero-Day Spotted in the Wild [2018-02-01 21:50:41]
