Malicious Spreadsheets With Embedded Flash Trace to North Korean Attackers
Wary of nation-state attackers, government malware developers, criminals or bored teenagers wielding automated attack tools? Stop using Adobe Flash.
That’s the obvious takeaway following the news that a group of attackers with apparent ties to the government of North Korea have been exploiting a zero-day vulnerability in the Flash browser plug-in.
On Tuesday, Adobe released new versions of Flash for Windows, Macintosh, Linux and Chrome OS that include a patch for the flaws, both of which are use-after-free vulnerabilities designated CVE-2018-4877 and CVE-2018-4878.
Affected Versions of Flash
For both flaws, “a successful attack can lead to arbitrary code execution,” the Common Vulnerabilities and Exposures database warns, meaning that hackers could remotely seize control of a system and all of its data.
“Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users,” reads an Adobe security alert released Tuesday. “These attacks leverage Office documents with embedded malicious Flash content distributed via email.”
Credit for finding CVE-2018-4878 goes to South Korea’s Internet and Security Agency KISA, aka KrCERT/CC, which published a security alert on Jan. 31. It recommended removing all instances of Flash Player until a patch was available.
This is not the first time that security experts have warned individuals and organizations that use Flash to immediately remove the plug-in from their systems (see Emergency Flash Patch Battles Ransomware).
In fact, for years the prevailing security wisdom has been that unless organizations or individuals can identify a solid business reason for using Flash, it is safer to avoid it (see 2016 Resolution: Ditch Flash).
Flash-Carrying Excel Spreadsheet Attacks
On Friday, information security researchers at Cisco’s Talos group reported that they had recovered a malicious Microsoft Excel spreadsheet, written in Korean, that exploits CVE-2018-4878 via an embedded Flash object. Simply opening the document can allow it to download a malware payload from several compromised South Korean websites and then execute it.
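A defender-side check for the delivery mechanism just described, added here as an example rather than code from Talos or the article: it opens an OOXML spreadsheet as a zip archive and flags entries that carry Flash content, using the SWF header signatures (FWS/CWS/ZWS plus version and length) and the Shockwave Flash ActiveX CLSID as the assumed markers; the sample workbook it inspects is constructed inline.

```python
import io
import struct
import zipfile

# A SWF begins with one of three signatures (uncompressed, zlib, LZMA),
# followed by a 1-byte version and a 4-byte little-endian file length.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
# CLSID of the Shockwave Flash ActiveX control; Office stores the control's
# class id in xl/activeX/activeX*.xml when Flash is embedded (assumed marker).
FLASH_CLSID = b"D27CDB6E-AE6D-11CF-96B8-444553540000"

def looks_like_swf(data: bytes) -> bool:
    """Scan a blob (e.g. an OLE container) for a plausible SWF header."""
    for magic in SWF_MAGIC:
        pos = data.find(magic)
        while pos != -1:
            if pos + 8 <= len(data):
                version = data[pos + 3]
                length = struct.unpack_from("<I", data, pos + 4)[0]
                # Flash Player versions ran 1..32; the length must cover the header.
                if 1 <= version <= 32 and length >= 8:
                    return True
            pos = data.find(magic, pos + 1)
    return False

def find_embedded_flash(ooxml: bytes) -> list:
    """Return sorted names of zip entries carrying Flash content ([] if none)."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(ooxml)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            # upper() catches the mixed-case form Office writes for the CLSID
            if looks_like_swf(data) or FLASH_CLSID in data.upper():
                hits.add(name)
    return sorted(hits)

def build_sample(with_flash: bool) -> bytes:
    """Constructed minimal workbook-like zip, optionally with a Flash control."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_flash:
            zf.writestr("xl/activeX/activeX1.xml",
                        '<ax:ocx ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}"/>')
            # Fake OLE header bytes, then a zlib-compressed SWF header (version 28)
            swf = b"CWS" + bytes([28]) + struct.pack("<I", 1024) + b"\x00" * 32
            zf.writestr("xl/activeX/activeX1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28 + swf)
    return buf.getvalue()
```

Run find_embedded_flash over attachments at the mail gateway or in a sandbox to triage spreadsheets that carry a Flash control before a user opens them.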
How Attacks Proceed
“We identified that the downloaded payload is the well-known remote administration tool named ROKRAT,” the Cisco Talos researchers write in a blog post. The RAT, which they discovered last April, is now well known and “is particularly used with cloud platforms in order to exfiltrate documents and manage infected systems,” they say.
Fake Anime at Work
ROKRAT has been previously seen in numerous attacks, including phishing campaigns that use malicious Word documents. It includes numerous capabilities designed to help it evade detection.
“Researchers found that ROKRAT has a feature to detect if the victim’s system is running any processes associated with malware detection, debugging tools, or sandbox environments,” researchers at security firm AlienVault said in a blog post published last year. “If detected, the malware will generate dummy HTTP traffic to legitimate websites, including Amazon and Hulu” – as well as Twitter – “to mask its malicious activities. To the untrained eye, the victim appears to be watching anime at work.”
Attacker: Group 123
Cisco Talos researchers say ROKRAT appears to be a tool developed and used by a hacking team designated “Group 123,” which appears to have ties to North Korea. Last month, the researchers said they’d traced at least six attack campaigns last year to the group. Targets included South Korean organizations as well as international organizations.
But Group 123 has never before been tied to the use of a zero-day vulnerability, they say, leading them to rate the hacking team as “highly skilled, highly motivated and highly sophisticated.”
Costin Raiu, director of Kaspersky Lab’s global research and analysis team, notes that each infection sends a unique ID to the compromised website, which returns a short decryption key that allows the attack to proceed. Without the decryption key, however, security researchers would likely have a difficult time analyzing the attack code.
No decryption key, no fun. Key server was at: hxxp://www[.]dylboiler[.]co[.]kr/admincenter/files/board/4/manager[.]php
— Costin Raiu (@craiu) February 2, 2018
Cisco is guessing attackers used their zero-day attack on prized targets. “Whilst Talos do not have any victim information related to this campaign, we suspect the victim has been a very specific and high value target,” they write. “Utilizing a brand new exploit, previously not seen in the wild, displays they were very determined to ensure their attack worked.”
Flash Set to Retire in 2020
The Flash-using campaign against South Koreans is a reminder that attackers can potentially exploit any software – including browser plug-ins – present on a PC.
But where browsers and plug-ins are concerned, security strides are being made. Since 2016, attacks launched via automated exploit kits, designed to infect websites with drive-by attack software that targets known vulnerabilities in browsers, have been in decline. Many experts say that’s thanks to security improvements on numerous fronts, including both browser makers and plug-in makers strengthening their software and adding auto-update functionality. That’s left would-be attackers with fewer widely installed vulnerabilities that they can easily exploit en masse.
Adobe, meanwhile, last year signaled that it plans to retire Flash by 2020 due to declining usage and a move to HTML5.
For anyone concerned about being exploited via a known or as-yet-unknown flaw in the Adobe plug-in now or in the future, why wait for Flash’s retirement party?