North Korea Uses Adobe Flash Zero-Day to Target South

Skybox Blog Team, Feb 6, 2018

On January 31, an Adobe Flash zero-day vulnerability was identified by South Korea's KISA (KrCERT/CC). North Korean threat actors were using it to target South Korean entities, and it had been exploited in the wild since at least November 14, 2017. Today, seven days after the Flash zero-day was made public, Adobe published APSB18-03, which resolves the issue.

  • Flash Zero-Day

The vulnerability, CVE-2018-4878, is a critical remote code execution (RCE) vulnerability in all published versions of Adobe Flash (version and earlier) running on all operating systems. It also affects the Adobe Flash component embedded in Microsoft Internet Explorer and Microsoft Edge. Adobe has released a patch that resolves the Flash zero-day, bundled with a fix for another critical RCE vulnerability — CVE-2018-4877.

  • Distribution Method

The exploit is distributed via social engineering, enticing a user to open a malicious email or a document, such as an Excel spreadsheet, with an embedded SWF file. Opening the document causes the victim's machine to download malware from compromised websites.
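One defensive check that follows from this delivery method is to look inside Office documents for embedded Flash content before they reach users. The scanner below is an added example, not code from Skybox or from the advisory: it treats the document as an OOXML zip package and flags any member that carries an SWF header (FWS/CWS/ZWS) or references the Shockwave Flash ActiveX control by its CLSID. The sample package it builds is constructed for the demonstration and contains no real exploit.

```python
import io
import re
import zipfile

# Signatures that open an SWF file: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
# CLSID of the Shockwave Flash ActiveX control, as referenced from OOXML activeX parts.
FLASH_CLSID = re.compile(rb"D27CDB6E-AE6D-11CF-96B8-444553540000", re.IGNORECASE)


def _swf_header_at(buf, off):
    """Heuristic: SWF signature followed by a plausible version byte (header is 8 bytes)."""
    return buf[off:off + 3] in SWF_MAGIC and len(buf) >= off + 8 and 1 <= buf[off + 3] <= 64


def find_embedded_flash(doc_bytes):
    """Scan an OOXML package (xlsx/docx/pptx bytes) for embedded Flash content.

    Returns a list of (member name, reason). Two signals are checked per member:
    an SWF header (at offset 0 or inside an OLE/ActiveX binary wrapper) and a
    reference to the Flash ActiveX control by its CLSID.
    """
    findings = []
    if not zipfile.is_zipfile(io.BytesIO(doc_bytes)):
        return findings  # not an OOXML package; a legacy .xls would need an OLE parser
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if FLASH_CLSID.search(data):
                findings.append((name, "references the Flash ActiveX CLSID"))
            if _swf_header_at(data, 0):
                findings.append((name, "member is an SWF file"))
                continue
            for magic in SWF_MAGIC:
                off = data.find(magic)
                while off != -1 and not _swf_header_at(data, off):
                    off = data.find(magic, off + 1)
                if off != -1:
                    findings.append((name, f"SWF header at offset {off}"))
                    break
    return findings


def build_sample(with_flash):
    """Constructed minimal xlsx-like package for the demonstration (no real exploit)."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_flash:
            zf.writestr("xl/activeX/activeX1.xml",
                        '<ax:ocx ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}"/>')
            # Two wrapper bytes, then an uncompressed SWF header (version 8, length 20).
            swf = b"FWS\x08" + (20).to_bytes(4, "little") + b"\x00" * 12
            zf.writestr("xl/activeX/activeX1.bin", b"\x00\x01" + swf)
    return out.getvalue()
```

Any hit should quarantine the file for analysis; the version-byte check is a heuristic to suppress chance matches of the three ASCII letters in ordinary binary parts.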

  • North Korean Threat Actors

FireEye iSIGHT Intelligence and Cisco assess that a North Korean hacker group they track — dubbed TEMP.Reaper and Group 123, respectively — is behind the exploitation of this vulnerability. The group appears to be using TTPs previously seen from North Korean nation-state threat actors.

  • Targets and the DOGCALL Malware

So far, the main victims have been South Korean targets infected by malware hosted on third-party South Korean sites, most likely the malware known as DOGCALL (aka ROKRAT). DOGCALL is a remote access Trojan that opens a back door on the compromised computer. It can also download additional, potentially malicious files and steal information, giving the threat actor near-complete control of the compromised computer.

As this vulnerability is still unpatched on most machines, other threat actors may adopt this exploit very quickly for other targets as well.

  • What Users Should Do

Install the Adobe patch APSB18-03 and continue to track the vulnerability details, as more information and mitigation options become available.

The Skybox Blog Team is a group of talented, security-conscious writers dedicated to bringing you insights into trending topics, IT security developments, and Skybox solutions.
