Adobe Flash has been the bane of IT security pros for years. Adobe has tried to keep ahead of Flash vulnerabilities by getting patches out in a timely manner. Unfortunately, Flash security problems continue.
One example is a Flash zero-day exploit uncovered by Kaspersky Lab that enables attackers to deliver FinSpy malware disguised in a Microsoft Office document.
The FinSpy malware and other FinFisher products are made by Gamma International and sold to governments and other law enforcement agencies to conduct surveillance. The latest version includes added anti-analysis techniques that make it hard to analyze the malware.
Kaspersky suspects that the attackers are part of the BlackOasis cyberattack group because of similarities between this most recent payload and other attacks carried out by the group. Kaspersky also suspects that another FinSpy attack uncovered by FireEye in September is the work of BlackOasis because the attackers used the same command and control server.
The security firm explained that the Flash exploit targets a memory corruption vulnerability that gives attackers arbitrary read/write access to the process's memory.
BlackOasis targets include people involved in Middle Eastern politics, including UN officials, opposition activists, and regional news correspondents.
“We estimate that the attack on HackingTeam in mid-2015 left a gap on the market for surveillance tools, which is now being filled by other companies,” Kaspersky researchers wrote in a SecureList blog post.
“One of these is Gamma International with their FinFisher suite of tools. Although Gamma International itself was hacked by Phineas Fisher in 2014, the breach was not as serious as it was in the case of HackingTeam. Additionally, Gamma had two years to recover from the attack and pick up the pace,” they noted.
“We believe the number of attacks relying on FinFisher software, supported by zero-day exploits such as the ones described here will continue to grow,” they concluded.
The Kaspersky researchers advised organizations to disable Flash, although this may be difficult to do and may break applications that rely on Flash, and to deploy a multi-layered approach to security, including strict access policies, anti-virus software, network monitoring, and application whitelisting.
Kaspersky informed Adobe about the Flash exploit, and the company released a patch.