Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Monday, 23 May, 2022
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2021
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2021
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Kaspersky Lab discovers Adobe Flash Zero Day – used in the wild by a threat actor to deliver spyware

by The Gurus
October 17, 2017
in Editor's News
spyware
Share on FacebookShare on Twitter

Kaspersky Lab’s advanced exploit prevention system has identified a new Adobe Flash zero day exploit, used in an attack on 10 October by a threat actor known as BlackOasis. The exploit is delivered through a Microsoft Word document and deploys the FinSpy commercial malware. Kaspersky Lab has reported the vulnerability to Adobe, which has issued an advisory.
According to Kaspersky Lab researchers, the zero day, CVE-2017-11292, has been spotted in a live attack, and they advise businesses and government organisations to install the update from Adobe immediately.
The researchers believe that the group behind the attack was also responsible for CVE-2017-8759, another zero day, reported in September – and they are confident that the threat actor involved is BlackOasis, which Kaspersky Lab’s Global Research and Analysis Team began tracking in 2016.
Analysis reveals that, upon successful exploitation of the vulnerability, the FinSpy malware (also known as FinFisher) is installed on the target computer. FinSpy is a commercial malware, typically sold to nation states and law enforcement agencies to conduct surveillance. In the past, use of the malware was mostly domestic, with law enforcement agencies deploying it for surveillance on local targets. BlackOasis is a significant exception to this – using it against wide range of targets across the world. This appears to suggest that FinSpy is now fuelling global intelligence operations, with one country using it against another. Companies developing surveillance software such as FinSpy make this arms race possible.
The malware used in the attack is the most recent version of FinSpy, equipped with multiple anti-analysis techniques to make forensic analysis more difficult.
After installation, the malware establishes a foothold on the attacked computer and connects to its command and control servers located in Switzerland, Bulgaria and the Netherlands, to await further instructions and exfiltrate data.
Based on Kaspersky Lab’s assessment, the interests of BlackOasis span a whole gamut of figures involved in Middle Eastern politics, including prominent figures in the United Nations, opposition bloggers and activists, as well as regional news correspondents. They also appear to have an interest in verticals of particular relevance to the region. During 2016, the company’s researchers observed a heavy interest in Angola, exemplified by lure documents indicating targets with suspected ties to oil, money laundering and other activities. There is also an interest in international activists and think tanks.
So far, victims of BlackOasis have been observed in the following countries: Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, the Netherlands, Bahrain, United Kingdom and Angola.
“The attack using the recently discovered zero-day exploit is the third time this year we have seen FinSpy distribution through exploits to zero-day vulnerabilities. Previously, actors deploying this malware abused critical issues in Microsoft Word and Adobe products. We believe the number of attacks relying on FinSpy software, supported by zero day exploits such as the one described here, will continue to grow,” said Anton Ivanov, the Lead Malware Analyst at Kaspersky Lab.
Kaspersky Lab security solutions successfully detect and block exploits utilising the newly discovered vulnerability.
Kaspersky Lab experts advise organisations to take the following action to protect their systems and data against this threat:

  • If not already implemented, use the killbit feature for Flash software and, wherever possible, disable it completely.
  • Implement an advanced, multi-layered security solution that covers all networks, systems and endpoints.
  • Educate and train personnel on social engineering tactics as this method is often used to make a victim open a malicious document or click on an infected link.
  • Conduct regular security assessments of the organisation’s IT infrastructure.
  • Use Kaspersky Lab’s Threat Intelligence that tracks cyberattacks, incident or threats and provides customers with up-to-date relevant information that they are unaware of. Find out more at [email protected].

For technical details, including indicators of compromise and YARA rules, please read the blogpost on Securelist.com.

FacebookTweetLinkedIn
Tags: cybersecurityfinfisherKasperskySpywaretechZero-day
ShareTweetShare
Previous Post

Google gives Chrome for Windows its own Antivirus

Next Post

Tripwire Survey: 72 Percent of Security Professionals Say Soft Skills Need Has Increased

Recent News

chinese flag

Chinese hackers caught spying on Russian defence institutes

May 23, 2022
doge coin

Cryptocurrency scammers use Elon Musk deep fake

May 23, 2022
hacker using computer

Conti ransomware group disbands

May 20, 2022
Xerox Corporation victim of Maze ransomware

Who is UNC1756 – the hacker threatening Costa Rica?

May 19, 2022

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2021
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information