
North Korea Uses Adobe Flash Zero-Day to Target South

Skybox Blog Team, Feb 6, 2018

On January 31, an Adobe Flash zero-day vulnerability was identified by South Korea’s KISA (KrCERT/CC). North Korean threat actors were targeting South Korean entities with it, and it had been exploited in the wild since as early as November 14, 2017. Today, seven days after the publication of the Flash zero-day, Adobe published APSB18-03, which resolves this issue.

  • Flash Zero-Day

The vulnerability, CVE-2018-4878, is a critical remote code execution (RCE) vulnerability in all published versions of Adobe Flash (version 28.0.0.137 and earlier) running on all operating systems. It also affects Adobe Flash embedded in Microsoft Internet Explorer and Microsoft Edge. Adobe has released a patch that resolves the Flash zero-day, bundled with a fix for another critical RCE vulnerability, CVE-2018-4877.

  • Distribution Method

The exploit is distributed via social engineering: the user is enticed to open a malicious email or a document that carries an embedded SWF file, including documents that contain an Excel spreadsheet. Once triggered, the exploit leads the user's machine to download malware from compromised websites.

  • North Korean Threat Actors

FireEye iSIGHT Intelligence and Cisco assess that a North Korean hacker group they track (dubbed TEMP.Reaper and Group 123, respectively) is behind the exploitation of this vulnerability. The group appears to be using TTPs previously seen from North Korean nation-state threat actors.

  • Targets and the DOGCALL Malware

So far, the main victims have been South Korean targets, who have been infected by malware hosted on third-party South Korean sites, most likely the malware named DOGCALL (aka ROKRAT). DOGCALL is a remote access Trojan that opens a back door on the compromised computer. It may also download potentially malicious files and steal information, meaning the threat actor can do pretty much everything on the compromised computer.

As this vulnerability is still unpatched on most machines, other threat actors may adopt this exploit very quickly for other targets as well.

  • What Users Should Do

Install the Adobe patch APSB18-03 and continue to track the vulnerability details, as more information and mitigation options become available.
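As an added illustration (not code from the original post), the following Python triages a host inventory against the affected range the post states (28.0.0.137 and earlier). The inventory records are constructed sample data, and the post-patch build number used in them is an assumption, not a value from the post.

```python
"""Flag Flash installs that still need APSB18-03 (CVE-2018-4878).

Assumptions (not from the post): Flash builds use four-part dotted
versions such as 28.0.0.137, and any build <= 28.0.0.137 falls in the
affected range the post describes. The inventory below is constructed.
"""
from typing import List, Tuple

# Highest affected build according to the advisory text above
LAST_AFFECTED = (28, 0, 0, 137)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '28.0.0.137' into (28, 0, 0, 137) so comparison is numeric.

    Plain string comparison would wrongly rank '9.0.0.1' above '28.0.0.137'.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Flash version format: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the build falls in the range the advisory calls vulnerable."""
    return parse_version(version) <= LAST_AFFECTED


def hosts_needing_patch(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return host names whose recorded Flash build is still affected."""
    return [host for host, ver in inventory if is_affected(ver)]


# Constructed inventory: (hostname, installed Flash version)
SAMPLE_INVENTORY = [
    ("ws-001", "28.0.0.137"),  # last affected build named in the post
    ("ws-002", "27.0.0.187"),  # older build, affected
    ("ws-003", "9.0.0.1"),     # string comparison would misclassify this
    ("ws-004", "28.0.0.161"),  # assumed newer build (placeholder value)
]

if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: Flash in affected range, apply APSB18-03")
```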

The Skybox Blog Team is a group of talented, security-conscious writers dedicated to bringing you insights into trending topics, IT security developments, and Skybox solutions. Though you can't see our faces, rest assured: we're all really, really good looking.
