Zero-day vulnerability in Adobe Flash Player

Use-after-free
CVE-2018-4878

KR-CERT reported in-the-wild exploitation of a zero-day vulnerability in the latest version of Adobe Flash Player. According to the South Korean Computer Emergency Response Team (KR-CERT), the exploit has been used in the wild since mid-November 2017.

Security researchers at FireEye attributed the exploitation to the group they track as TEMP.Reaper. The IP addresses from which the operators interacted with their command-and-control (C&C) servers belong to Star JV, an Internet provider run as a joint venture between North Korea and Thailand.

Cisco Talos observed the same vulnerability being used in attacks by the actor it tracks as Group 123 (the cluster FireEye tracks as TEMP.Reaper and later named APT37 / Reaper).

According to FireEye, after successful exploitation of the vulnerability the system is infected with the DOGCALL malware.

Cisco Talos likewise reported attacks delivering the malware it calls ROKRAT; DOGCALL and ROKRAT are the two vendors' names for the same remote access trojan.

Michael Gorelik and Assaf Kachlon of Morphisec Labs found the vulnerability also being used in a watering hole attack that compromised the website of a Hong Kong telecommunications company.

Known malware:

DOGCALL
ROKRAT

Vulnerability details

Advisory: SB2018020120 - Remote code execution in Adobe Flash Player

Vulnerable component: Adobe Flash Player

CVE-ID: CVE-2018-4878

CVSSv3 vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C (computed from this vector: base score 9.6, Critical; temporal score 9.2 once the E:H/RL:O/RC:C metrics are applied)

CWE-ID: CWE-416 - Use After Free

Description:

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error in Adobe Flash Player when processing specially crafted .swf files. A remote attacker can trick a victim into opening a malicious .swf file, for example one embedded in a web page or in an Office document (hence UI:R in the vector above), trigger the use-after-free and execute arbitrary code on the target system in the context of the current user.

Note: at the time of publication this vulnerability was being actively exploited in the wild against the then-current version of Adobe Flash Player (28.0.0.137 and earlier are affected).

UPDATE: The vendor issued a fixed version, Adobe Flash Player 28.0.0.161 (security bulletin APSB18-03), on February 6, 2018.
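Because the trigger is a crafted .swf file that can be carried inside another document, the cheapest triage step for a suspicious attachment is to look for embedded SWF containers. The Python below is an added example for that check; it is not code from Adobe, KR-CERT, FireEye, Cisco Talos or Morphisec, and it relies only on the public SWF file format: every Flash file opens with an 8-byte header made of a 3-byte signature ("FWS" uncompressed, "CWS" zlib-compressed, "ZWS" LZMA-compressed), one version byte and a 4-byte little-endian uncompressed length. The sample blob it scans is constructed for the demo, including a stray "FWS" in prose that the plausibility checks must reject.

```python
"""Locate embedded SWF (Flash) containers in arbitrary file data.

Added triage example for this advisory.  Parses only the 8-byte SWF header
from the public SWF format spec; all sample bytes below are constructed.
"""
import re
import struct
import zlib

SWF_SIGNATURE = re.compile(rb"[FCZ]WS")
COMPRESSION = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}


def _zlib_stream_starts(chunk: bytes) -> bool:
    """True if *chunk* begins a valid zlib stream (a truncated stream is fine)."""
    try:
        zlib.decompressobj().decompress(chunk)
        return True
    except zlib.error:
        return False


def find_swf(data: bytes) -> list:
    """Return plausible embedded SWF headers found in *data*.

    Each hit is {"offset", "compression", "version", "length"}.  A signature
    match is reported only when the header is plausible: non-zero version,
    declared uncompressed length of at least the 8 header bytes, an
    uncompressed (FWS) body that fits in the remaining bytes, a zlib (CWS)
    body that really starts a zlib stream, and an LZMA (ZWS) properties
    byte in range.  These checks are what drop stray "FWS"/"CWS"/"ZWS"
    strings that occur in ordinary text.
    """
    hits = []
    for match in SWF_SIGNATURE.finditer(data):
        offset = match.start()
        header = data[offset:offset + 8]
        if len(header) < 8:
            continue
        signature, version = header[:3], header[3]
        length = struct.unpack("<I", header[4:8])[0]
        if version == 0 or length < 8:
            continue
        compression = COMPRESSION[signature]
        body = data[offset + 8:]
        if compression == "none" and length - 8 > len(body):
            continue  # claims more uncompressed bytes than are left: not a real header
        if compression == "zlib" and not _zlib_stream_starts(body[:64]):
            continue
        if compression == "lzma":
            # ZWS layout: 4-byte compressed length, then 5 LZMA property bytes;
            # the first property byte encodes lc/lp/pb and must be < 9*5*5.
            if len(body) < 9 or body[4] >= 225:
                continue
        hits.append({"offset": offset, "compression": compression,
                     "version": version, "length": length})
    return hits


def build_sample() -> bytes:
    """Constructed test blob: prose with a stray 'FWS', then an uncompressed
    SWF and a zlib-compressed SWF sharing a minimal fake body, with filler
    bytes between them.  Version byte 39 is an assumed, realistic value."""
    body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00" + b"\x00" * 30
    uncompressed_len = 8 + len(body)
    fws = b"FWS" + bytes([39]) + struct.pack("<I", uncompressed_len) + body
    cws = b"CWS" + bytes([39]) + struct.pack("<I", uncompressed_len) + zlib.compress(body)
    prose = b"The FWS token in this sentence is not a Flash header. "
    return prose + b"\x00" * 16 + fws + b"\xff" * 20 + cws + b"\x00" * 8


if __name__ == "__main__":
    for hit in find_swf(build_sample()):
        print(hit)
```

In practice you would feed it the raw bytes of an attachment, or each stream of an OLE/OOXML container after unpacking, and treat any hit in a document that has no business carrying Flash as grounds for detonation or blocking. The length and zlib checks matter: a 3-byte signature alone fires on ordinary text, as the constructed sample shows.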

Latest references in media:

- Less than five per cent of the Internet uses Adobe Flash now | TheINQUIRER [2018-04-20 12:51:37]

- Security Affairs newsletter Round 158 – News of the week [2018-04-15 10:47:10]

- APT Trends report Q1 2018 [2018-04-12 12:03:56]

- Booby-trapped Office docs build with ThreadKit trigger CVE-2018-4878 flaw [2018-04-10 10:20:37]

- Security Affairs newsletter Round 156 – News of the week [2018-04-01 12:05:15]

- MS Office Document Exploit Kit Distributing New Exploits and Malware [2018-03-31 07:37:08]

- New ThreadKit exploit builder used to spread banking Trojan and RATs [2018-03-28 14:43:53]

- New "ThreadKit" Office Exploit Builder Emerges [2018-03-27 17:40:49]

- Experts uncovered a watering hole attack on leading Hong Kong Telecom Site exploiting CVE-2018-4878 flaw [2018-03-27 09:38:43]

- Watering Hole Attack Exploits North Korea's Flash Flaw [2018-03-26 18:50:37]

- Hermes Ransomware - Distributed through Malicious Office Documents [2018-03-17 08:03:31]

- Hidden Cobra - Cybercrime Group Targeting Financial Sectors [2018-03-12 07:55:19]

- North Korean Hidden Cobra APT targets Turkish financial industry with new Bankshot malware [2018-03-10 08:03:59]

- Hidden Cobra Coils and Strikes at Turkish Banks [2018-03-08 21:43:15]

- Google Patches 11 Critical Bugs in March Android Security Bulletin [2018-03-06 19:35:18]

- Security Affairs newsletter Round 152 – News of the week [2018-03-05 14:08:33]

- Massive Malspam Campaign Targets Unpatched Systems [2018-02-28 00:00:14]

- Recently patched CVE-2018-4878 Adobe Flash Player flaw now exploited by cybercriminals [2018-02-27 20:02:23]

- North Korea hacking group is expanding operations, researchers say [2018-02-27 01:52:12]

- Adobe Flash Vulnerability Reappears in Malicious Word Files [2018-02-26 22:40:03]

- North Korea's Flash Player Flaw Now Exploited by Cybercriminals [2018-02-26 21:10:19]

- North Korean Reaper APT uses zero-day vulnerabilities to spy on governments | ZDNet [2018-02-21 12:50:04]

- Microsoft Patch Tuesday, February 2018 [2018-02-13 01:00:00]

- Flash Zero Day (CVE-2018-4878) [2018-02-13 01:00:00]

- North Korean APT Group tracked as APT37 broadens its horizons [2018-02-21 07:40:16]

- North Korean Threat Widens to Target Multinationals [2018-02-20 23:41:06]

- APT37 (Reaper): The Overlooked North Korean Actor [2018-02-20 14:40:01]

- Microsoft, Adobe February 2018 security updates: An overview [2018-02-14 12:41:16]

- February Patch Tuesday Is a Bouquet of Fixes for Privilege Escalation Vulnerabilities [2018-02-14 11:32:02]

- Cybersecurity week Round-Up (2018, Week 6) [2018-02-12 16:22:47]

- Security Affairs newsletter Round 149 – News of the week [2018-02-11 15:50:06]

- A Flaw in Hotspot Shield VPN From AnchorFree Can Expose Users Locations [2018-02-09 16:11:33]

- North Korean APT Group Employed Rare Zero-Day Attack [2018-02-08 00:20:03]

- Adobe patches Flash zero-day being 'exploited by North Korean hackers' | TheINQUIRER [2018-02-07 17:50:10]

- Windows security: Microsoft issues Adobe patch to tackle Flash zero-day | ZDNet [2018-02-07 15:32:13]

- Adobe Issues Emergency Fix to Foil North Korean Hackers [2018-02-07 11:00:03]

- Adobe rolled out an emergency patch that fixed CVE-2018-4878 flaw exploited by North Korea [2018-02-07 09:00:06]

- Adobe: Two critical Flash security bugs fixed for the price of one [2018-02-06 21:30:02]

- Adobe Patches Flash Zero-Day Used in South Korean Attacks [2018-02-06 21:20:02]

- Adobe Patches Flash Zero-Day Exploited by North Korean Hackers [2018-02-06 18:11:37]

- Adobe Flash Zero-Day Spotted in the Wild [2018-02-05 22:21:08]

- Cisco and FireEye Pointing Finger at North Korea Hacking Group For Adobe Flash 0-Day In The Wild [2018-02-05 19:50:11]

- About the Flash zero-day currently exploited in the wild [2018-02-05 13:24:29]

- Flash Zero-Day Attacks Analyzed by FireEye, Cisco [2018-02-05 06:40:11]

- South Korea identifies Flash 0-day in the wild | ZDNet [2018-02-05 03:50:09]

- Attacks Leveraging Adobe Zero-Day (CVE-2018-4878) – Threat Attribution, Attack Scenario and Recommendations [2018-02-03 03:30:02]

- Adobe warns of Flash zero-day, patch to come next week [2018-02-02 18:30:52]

- Attackers Exploiting Unpatched Flaw in Flash [2018-02-02 15:50:53]

- Adobe acknowledges Flash zero-day that's been exploited since November | TheINQUIRER [2018-02-02 12:11:31]

- Researchers spotted a new Adobe Flash Player zero-day exploit in the wild that's being actively exploited in the wild by North Korean hackers to target Windows users in South Korea. [2018-02-02 07:20:03]

- Adobe to Patch Flash Zero-Day Discovered in South Korean Attacks [2018-02-02 00:00:03]

- South Korea Warns of Flash Zero-Day flaw exploited by North Korea in surgical attacks [2018-02-01 23:32:34]

- Adobe Flash Player Zero-Day Spotted in the Wild [2018-02-01 21:50:41]
