New Adobe Flash Zero-Day Exploit Found Hidden Inside MS Office Docs

Cybersecurity researchers have discovered a new zero-day vulnerability in Adobe Flash Player that attackers are actively exploiting in the wild as part of a targeted campaign that appears to be aimed at a Russian state health care institution.

The vulnerability, tracked as CVE-2018-15982, is a use-after-free flaw in Flash Player that, if exploited successfully, allows an attacker to execute arbitrary code on the targeted computer and eventually gain full control over the system.

The newly discovered Flash Player zero-day exploit was spotted last week by researchers inside malicious Microsoft Office documents that had been submitted to the online multi-engine malware scanning service VirusTotal from a Ukrainian IP address.

The maliciously crafted Microsoft Office documents contain an embedded Flash ActiveX control in their header; it renders as soon as the targeted user opens the document, triggering the Flash Player vulnerability.

According to the researchers, neither the Microsoft Office file (22.docx) nor the Flash exploit inside it contains the final payload used to take control of the system.

Instead, the final payload hides inside an image file (scan042.jpg) that is itself an archive. It was packed along with the Microsoft Office file inside a parent WinRAR archive, which was then distributed through spear-phishing emails.

Upon opening the document, the Flash exploit executes a command on the system to unarchive the image file and run the final payload (backup.exe), which is protected with VMProtect and installs a backdoor capable of:

  • monitoring user activity (keyboard and mouse),
  • collecting system information and sending it to a remote command-and-control (C&C) server,
  • executing shellcode,
  • loading a PE into memory,
  • downloading files,
  • executing code, and
  • self-destructing.
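Two of the indicators described above can be checked mechanically when a suspicious WinRAR attachment lands on an analyst's desk: an OOXML document carrying a Flash ActiveX control, and a member with an image extension whose leading bytes are really an archive signature. The following triage script is an example added here; it is not code from the original article or from the Gigamon or Qihoo 360 researchers. It assumes the standard OOXML layout (embedded controls stored under word/activeX/activeX<N>.xml with an ax:classid attribute) and the well-known CLSID of the Shockwave Flash control; the sample "22.docx" and "scan042.jpg" it builds are constructed stand-ins, not the real samples, and the inner "payload" is a dummy, not a PE.

```python
"""Triage helpers for a Poison Needles-style lure: a .docx carrying a Flash ActiveX
control and a companion 'image' whose bytes are really an archive.
Example code added by the editor, not from the original article or the researchers.
"""
from __future__ import annotations

import io
import re
import zipfile

# CLSID of the Shockwave Flash ActiveX control (Flash.ocx). Compared case-insensitively
# because Office writes it in upper case but hand-built documents may not.
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
CLSID_RE = re.compile(r'classid="\{([0-9A-Fa-f-]{36})\}"')

# Leading bytes for the formats a file called "scan042.jpg" might really be.
MAGICS = {
    "jpeg": (b"\xff\xd8\xff",),
    "zip": (b"PK\x03\x04",),
    "rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),  # RAR4, RAR5
    "7z": (b"7z\xbc\xaf\x27\x1c",),
}


def identify(data: bytes) -> str:
    """Return the container type implied by the leading bytes, ignoring the filename."""
    for kind, sigs in MAGICS.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    return "unknown"


def flash_controls_in_docx(docx_bytes: bytes) -> list[str]:
    """List the ActiveX parts of an OOXML document whose classid is the Flash control.

    Word stores each embedded control's properties in word/activeX/activeX<N>.xml,
    so a Flash object is visible there regardless of what the document body says.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/activeX/") and name.endswith(".xml")):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            for m in CLSID_RE.finditer(xml):
                if m.group(1).upper() == FLASH_CLSID:
                    hits.append(name)
    return hits


def triage(files: dict[str, bytes]) -> list[str]:
    """Run both checks over the members of one delivery archive.

    `files` maps member name to content, as obtained by iterating the outer
    WinRAR archive (e.g. with the rarfile module) or after extracting it to disk.
    """
    findings = []
    for name, data in files.items():
        lower = name.lower()
        if lower.endswith(".docx") and identify(data) == "zip":
            for part in flash_controls_in_docx(data):
                findings.append(f"{name}: Flash ActiveX control in {part}")
        elif lower.endswith((".jpg", ".jpeg", ".png", ".gif")):
            kind = identify(data)
            if kind in ("zip", "rar", "7z"):
                findings.append(f"{name}: image extension but {kind} archive magic")
    return findings


def build_sample() -> dict[str, bytes]:
    """Constructed stand-ins for 22.docx and scan042.jpg (not the real samples)."""
    ax_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
        f'ax:classid="{{{FLASH_CLSID}}}" ax:persistence="persistPropertyBag"/>'
    )
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/activeX/activeX1.xml", ax_xml)
        zf.writestr("word/activeX/activeX1.bin", b"\x00" * 16)
    img = io.BytesIO()
    with zipfile.ZipFile(img, "w") as zf:
        zf.writestr("backup.exe", b"MZ" + b"\x00" * 62)  # dummy bytes, not a real PE
    return {
        "22.docx": doc.getvalue(),
        "scan042.jpg": img.getvalue(),
        "real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # a genuine JPEG header
    }


if __name__ == "__main__":
    for line in triage(build_sample()):
        print(line)
```

The checks are deliberately independent of filenames: the extension tells you what the sender wants you to believe, the magic bytes tell you what the file is, and the ActiveX part list tells you what Word will instantiate on open. A document with a Flash classid in word/activeX is worth a closer look on any unpatched host whether or not an exploit is confirmed, since nothing legitimate in a job application needs it.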

Researchers from Gigamon Applied Threat Research and the Chinese cyber-security firm Qihoo 360 Core Security, who spotted the campaign and named it "Operation Poison Needles," have not attributed the attack to any state-sponsored hacking group.

However, since the malicious documents purport to be an employment application for a Russian state healthcare clinic affiliated with the Presidential Administration of Russia, and were uploaded to VirusTotal from a Ukrainian IP address, the researchers believe the attackers could be based in Ukraine, given the political tension between the two countries.

The vulnerability affects Adobe Flash Player versions 31.0.0.153 and earlier across the Flash Player Desktop Runtime and Flash Player for Google Chrome, Microsoft Edge and Internet Explorer 11. Adobe Flash Player Installer versions 31.0.0.108 and earlier are also affected.

The researchers reported the Flash zero-day to Adobe on November 29, after which the company acknowledged the issue and released Adobe Flash Player version 32.0.0.101 for Windows, macOS, Linux and Chrome OS, and Adobe Flash Player Installer version 31.0.0.122.

The security updates include a patch for the zero-day flaw along with a fix for an "important" DLL hijacking vulnerability (CVE-2018-15983), which could allow an attacker to escalate privileges by getting Flash Player to load a malicious DLL.

Hacker{Man and Girl}
December 6, 2018

WhiteSource Bolt for GitHub: Free Open Source Vulnerability Management App for Developers


Developers around the world depend on open source components to build their software products. According to industry estimates, open source components account for 60-80% of the code base in modern applications.


Collaboration on open source projects throughout the community produces stronger code, squashing the bugs and catching the vulnerabilities that impact the security of organizations who look to open source components as the key to their application building success.


Thanks in part to the "thousand eyeballs" of the community, the number of reported vulnerabilities in open source projects is on the rise, spiking 51% in 2017 from the previous year.


This is even more concerning since, as shown in the same study, most vulnerabilities are found in popular projects. Data shows that 32% of the top 100 open source projects have at least one vulnerability, meaning that developers have their work cut out for them, no matter which components they are using in their products.


While it is better to know about vulnerabilities than to have them remain in the dark, since knowing gives teams the opportunity to patch before attackers exploit them, keeping up with the workload of remediating vulnerable components can pose a significant challenge for organizations.


The answer would appear to be embracing the shift-left model long associated with DevOps, extending the approach to incorporate security practices early in the software development lifecycle.


Security starts with developers, from their creation of the code through the post-deployment remediations where fixing vulnerabilities can be quite time-consuming.


According to our recent survey on challenges facing developers in using open source, respondents reported that they spend 15 hours a month on average dealing with open source vulnerabilities.


While that is in itself a significant chunk of time, what was surprising was that only 3.8 of those hours actually went towards remediating the vulnerabilities; apparently the rest was spent working out where to start.


Addressing The Challenge Of Finding And Fixing Vulnerable Open Source Components


Ideally, developers should be able to know early on in their process if a component that they want to use for their product has any known vulnerabilities associated with it before they commit it to their code.


By catching issues before they become part of the product, developers save themselves plenty of time that would otherwise be spent before a release swapping out the vulnerable component and reconfiguring the product built on top of it.


Considering the widespread use of open-source components and the exponential rise in the number of disclosed open source vulnerabilities, performing these checks for known vulnerabilities manually is not a viable option, particularly when developers hope to stick to a schedule without compromising on security.


What they need are automated tools, backed up by comprehensive databases of known vulnerabilities, that can quickly identify which open source components are being used and show the developer at a glance if they have any issues to contend with before making their push.


Introducing WhiteSource Bolt For GitHub



WhiteSource has launched a free tool to simplify working with open source for developers. WhiteSource Bolt is an app on GitHub's marketplace that can alert on vulnerable open source components in your repositories in real time, provide detailed information and even suggest fixes.


This new offering helps developers use better and more secure open source components from the early stages of coding and, most importantly, provides security alerts to the environment where developers are actually working - GitHub.


The app scans public and private repositories to identify open source components with known vulnerabilities. Security alerts auto-generate issues within GitHub where the user can view important details such as references for the CVE, its CVSS rating, a suggested fix, and other information that can help them plan their remediations.


There is even an option to assign the vulnerability to another team member using the milestones feature.


For most developers, GitHub is the first place to go to when looking for a solution to a problem, providing them with the right library or framework to get the job done.


With Bolt for GitHub, WhiteSource gives developers a slimmed-down version of our enterprise-level product for free, making it easier for developers to work securely.


By offering this free tool for developers on GitHub, WhiteSource hopes to make open source security simpler, integrating it into the workflow that is already an instinctive part of how developers write code.


By integrating directly into GitHub’s platform, developers can ensure the security of their products without ever having to leave the page.


To get started with this free tool, follow this link to download the application.

t.me/hamangirl

December 6, 2018