Adobe warns: Cyberespionage group targeting critical Flash bug

Enterprises should disable Flash or deploy Microsoft's EMET until Adobe's promised patch arrives

The hand-wringing over enterprises no longer being able to rely on Microsoft's Enhanced Mitigation Experience Toolkit (EMET) to block software exploits appears to have been premature: A new cyberespionage outfit is targeting a critical vulnerability in Adobe's Flash Player and EMET is effectively mitigating the attacks.

Adobe has warned that a critical vulnerability in Flash Player (CVE-2016-4171) is currently being exploited in limited targeted attacks. The flaw exists in the latest Flash version and earlier for Windows, MacOS, Linux, and Chrome OS. A patch is expected later this week as part of the monthly security bulletin.

"Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said in its brief security advisory.

New advanced persistent threat (APT) group ScarCruft has been using the Flash zero-day against high-profile victims in Russia, Nepal, South Korea, China, India, Kuwait, and Romania since March, said Kaspersky Lab, who discovered the exploit and reported the vulnerability to Adobe. The APT group has been targeting companies and organizations for high-value information and data as part of Operation Daybreak. Kaspersky Lab held back details of ScarCruft's ongoing campaign targeting the vulnerability, but recommended enterprises use EMET.

"We confirm that Microsoft EMET is effective at mitigating the attacks," said Costin Raiu, director of global research and analysis team at Kaspersky Lab.

Microsoft released EMET in 2009 to enforce modern exploit mitigation mechanisms such as Data Execution Prevention (DEP), Export Address Table Access Filtering (EAF), and Export Address Table Access Filtering Plus (EAF+) in legacy applications that don't have them. By deploying EMET on the endpoint, enterprises make it harder for attackers to exploit flaws in certain programs on those systems. Enterprises have benefited from deploying EMET as a line-of-defense for attacks targeting zero-day vulnerabilities in Flash, Silverlight, and a handful of other technologies. With EMET, enterprises were able to protect the endpoints while waiting for the vendor-supplied patch.

Earlier this week, FireEye researchers observed that Silverlight and Flash Player exploits capable of evading EMET have been added to the Angler exploit kit. This isn't the first time exploit kits and malware have successfully bypassed EMET, but the alarm was related to the fact that Angler is widely popular in the criminal underground. Angler has been seen in various web-based attacks such as malvertising, ransomware, and other drive-by downloads.

However, just because Angler and other exploits are adding EMET bypasses doesn't mean enterprises should abandon EMET. Exploit kits are increasingly becoming more sophisticated, but EMET is still effective against zero-day vulnerabilities. Enterprises should not rely on EMET exclusively to protect applications, but should continue to use EMET as part of a robust vulnerability management program.

And as always, if the system doesn't need Flash, remove it. Many browsers are set up to disable Flash Player or make it click-to-play. There's no need to have a potentially vulnerable application on a system that doesn't use it, so close off that avenue of attack, if possible.

Stories by Fahmida Y. Rashid