Adobe kills a North Korean hacking group’s first zero-day

Adobe patched a Flash Player zero-day flaw used by suspected North Korean hackers to install malware on PCs south of the demilitarized zone. 

The suspected North Korean hacking group, known as Group 123, has lost its first known zero-day exploit for infecting systems with ROKRAT, a remote administration tool used to spy on South Korean targets as well as destroy data on infected systems.

Adobe last week warned users that a previously unknown Flash Player flaw, tagged as CVE-2018-4878, was being used in targeted attacks against Windows users. The flaw allowed remote attackers to execute code on target systems. 

The attackers, which Cisco’s Talos researchers identified as Group 123, embedded a malicious SWF Flash file in Excel documents and sent them to South Korean targets by email. 

Alongside Adobe’s initial advisory South Korea’s computer emergency response team, KrCERT, warned locals it had seen the un-patched Flash Player flaw being used inside Office documents. Adobe credited KrCERT with reporting the issue. 

The update for Flash Player on Windows, Macintosh, Linux and Chrome OS moves Adobe’s media player to version Adobe generally times its Flash Player updates to coincide with Microsoft’s Patch Tuesday updates, but occasionally releases outside that cycle when needed.   

Most Windows users don’t need to worry about the immediate threat posed by this flaw, however that may change over time. 

Flash Player flaws once were favored by cybercriminals to compromise desktops but have been less frequently targeted since Google, Apple, Microsoft and Mozilla began restricting Flash and defaulting to HTML5 instead. Adobe and major browser makers have nonetheless agreed to support Flash Player until the end of 2020. 

Google will fully remove Flash support in December 2020 in some version above Chrome 87, but has three milestones to reach before the final nail in the coffin.

Read more: Companies with Apple and Cisco kit eligible for cheaper cyber insurance

But Adobe’s patch shows Flash flaws are still useful to a different audience than typical cybercriminals, in this case a suspected state-sponsored hacker group that wants to deliver a RAT. 

Cisco’s Talos malware researchers in January detailed six hacking campaigns carried out in 2017 by Group 123 to deliver ROKRAT. The campaigns mostly showed the RAT was capable of remotely manipulating data on targeted systems, but in one instance it was used to wipe disks. The campaigns used known flaws in Office and a Korean productivity software product, however, none of the attacks used a zero-day exploit. 

That changed with CVE-2018-4878, according to Talos researchers Warren Mercer and Paul Rascagneres. 

“Group 123 have now joined some of the criminal elite with this latest payload of ROKRAT — they have used an Adobe Flash 0-day which was outside of their previous capabilities,” the researchers wrote.  

“[Group 123] did use exploits in previous campaigns but never a net new exploit as they have done now. This change represents a major shift in Group 123s maturity level, we can now confidentially assess Group 123 has a highly skilled, highly motivated and highly sophisticated group.


Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags adobecisconorth koreaflash player

More about AdobeAppleCiscoExcelGoogleLinuxMicrosoftMozilla

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Liam Tung

Latest Videos

More videos

Blog Posts