UK’s Gamma Group Continues to Fuel International Espionage – Now Using Flash Player Exploits
Adobe didn't send any security updates on Patch Tuesday last week - a surprising move since the company sends numerous bug fixes every single month. While many hoped that attackers have probably stopped looking for any new vulnerabilities in the Flash Player considering it's to officially die soon, it appears that even the most elite attackers keep using it to deliver malicious files.
The company has now released a patch for a zero-day vulnerability that is being used in the wild to plant surveillance software developed by the infamous Gamma International.
Adobe fixes a critical flaw that was exploited to deliver FinSpy surveillance software
Last week, Adobe said that it wouldn't release security updates for Adobe Flash Player, something that hasn't happened since 2012. While many hoped the month will go by without any fixes coming to the Player, a security vulnerability revealed by Kaspersky pushed Adobe to fix a zero-day flaw that was being exploited by the advanced persistent threat (APT) group, BlackOasis.
Tracked as CVE-2017-11292, the issue is a critical type confusion that enables attackers to execute code remotely on targeted systems. The company's security advisory reads that Flash Player Desktop Runtime, Adobe Flash Player for Google Chrome, Flash Player for Microsoft Edge, and Internet Explorer 11 are all affected by the vulnerability. The problem affects Flash Player 188.8.131.52 on Windows, Linux, macOS, and Chrome OS and has now been fixed with Flash Player version 184.108.40.206.
Companies like UK's Gamma International "make this arms race possible"
Gamma International is popular for its "lawful" FinSpy surveillance software that it sells to governments worldwide (including authoritarian regimes) to monitor the activities of dissidents, journalists and just about anyone they want. An APT group named BlackOasis is now using this freshly fixed Flash Player flaw to deliver FinSpy through a malicious Microsoft Word document. BlackOasis is believed to be operating out of a Middle Eastern country.
Discovered by Kaspersky Lab's Anton Ivanov, the company said that "in the past, use of the malware was mostly domestic, with law enforcement agencies deploying it for surveillance on local targets." However, BlackOasis using FinSpy - a typical government tool - is a "significant exception" as it may be using the surveillance software "against a wide range of targets across the world."
"This appears to suggest that FinSpy is now fuelling global intelligence operations, with one country using it against another. Companies developing surveillance software such as FinSpy make this arms race possible."
BlackOasis has used Flash Player zero-day flaws to attack targets multiple times in the past, going back to at least early 2015. "The FinSpy payload used in the current attacks (CVE-2017-11292) shares the same command and control (C2) server as the payload used with CVE-2017-8759 uncovered by FireEye," Kaspersky added.
The company wrote that it has been tracking the APT since May 2016. While it can't be known who the group targeted with this particular exploit, BlackOasis has previously targeted prominent figures in the civil society and opposition bloggers and activists in several countries, including Bahrain, Jordan, Saudi Arabia, Iran, Russia, Netherlands, United Kingdom, and others.