Adobe Flash Vulnerability Used by APT 28

The APT group, APT28 (aka FancyBear), are attempting to use an Adobe Flash Zero Day exploit which was first identified on 10 October 2017. The exploit is delivered via a phishing email and Microsoft Office Document attachment which contains an updated version of the FinSpy malware.

Threat ID:: CC-1720
Category:: Spyware, Exploit
Threat Severity:: Medium
Threat Vector:: Phishing
Published:: 23 October 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

Affected platforms

The following platforms are known to be affected:

Adobe Flash Player

Adobe Flash Player version 27.0.0.159

Threat details

The exploit is delivered via a phishing email and Microsoft Office Document attachment which contains an updated version of the FinSpy malware. The zero day has been assigned a CVE-2017-11292 designation by Adobe.

The recent CVE-2017-11292 exploit is a memory corruption vulnerability which resides in the "com.adobe.tvsdk.mediacore.BufferControlParameters" class which allows the execution of a second stage payload which performs the following actions:

Download the final payload (FinSpy) from hxxp://89.45.67[.]107/rss/mo.exe
Download a lure document to display to the victim from the same IP
Execute the payload and display the lure document

Remediation steps

Type	Step
	Disable flash if it is not required for business functions. Ensure patches and updates are installed in a timely manner. Killbit for Flash can be used to disable it in related applications. However carrying this action out system wide is problematic as Flash objects can be loaded in applications that potentially do not follow the killbit.

CVE Vulnerabilities

Status

CVE-2017-11292

Last edited: 17 February 2020 11:25 am