It has been reported that security researchers have discovered a new Adobe Flash vulnerability that has already been exploited by hackers to deploy the latest version of FinSpy malware on targets. Kaspersky Lab researchers said a hacker group called BlackOasis has already taken advantage of the zero-day exploit – CVE-2017-11292 – to deliver its malicious payload via a Microsoft Word document.
Once the Flash vulnerability has been exploited and the FinSpy malware is installed on the targeted computer, the spyware “establishes a foothold on the attacked computer and connects to its command and control servers located in Switzerland, Bulgaria and the Netherlands, to await further instructions and exfiltrate data,” researchers said.
The hacking group has also shown interest in international activists and think tanks, researchers noted. Kaspersky said victims have so far been observed in Russia, Iraq, Afghanistan, Saudi Arabia, Iran, Nigeria, Libya, Jordan, Tunisia, Bahrain, Angola, the United Kingdom and the Netherlands. Lee Munson, Security Researcher at Comparitech.com, commented below.
Lee Munson, Security Researcher at Comparitech.com:
“The latest Adobe Flash vulnerability is interesting in that it appears to have been exploited for information gathering rather than financial profit.
With the delivered FinSpy malware being well known for its use in surveillance by law enforcement agencies and nation states, it would seem the BlackOasis group may be working on behalf of one or more governments.
Companies, government departments and individuals rightfully concerned about spying and, indeed, malware in general, would do well not to wait until the pre-planned death of Flash in 2020 and should, instead, kill it dead and remove it from all their devices right now.
For those who cannot live without it, there is no time like the present for grabbing the available patch and installing it right away.”
Chris Doman, Security Researcher at AlienVault:
“FinSpy / FinFisher is a product of Gamma International, and has a number of customers in the Middle East and South America. They have attracted controversy for selling FinSpy to regimes with poor human rights records.
Gamma continue to sell their products to governments around the world, and we’ll continue to see these attacks reported. There is a growing market for well-resourced countries to build their collection capabilities.
There is an official FinFisher website that describes some of the capabilities. Stolen and leaked documents from 2014 provide more detail.
Microsoft track these attacks under the name Neodymium and there have been a number of reports on their activities recently.
Last month, attacks involving the same malware were reported as being delivered by ISPs. That would indicate those attacks were being directed at the government level for domestic targeting.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.