Security researchers have discovered a new Adobe Flash vulnerability that has already been exploited by hackers to deploy the latest version of FinSpy malware on targets. Kaspersky Lab researchers said a hacker group called BlackOasis has already taken advantage of the zero-day exploit – CVE-2017-11292 – to deliver its malicious payload via a Microsoft Word document.
Kaspersky said BlackOasis used the previously unknown Flash flaw in an attack on 10 October.
Once the Flash vulnerability has been exploited and the FinSpy malware is installed on the targeted computer, the spyware "establishes a foothold on the attacked computer and connects to its command and control servers located in Switzerland, Bulgaria and the Netherlands, to await further instructions and exfiltrate data," researchers said.
FinSpy, also known as FinFisher, is a commercial malware that is typically sold to nation states and law enforcement agencies for surveillance purposes. BlackOasis, on the other hand, has used it against a wide range of targets across the globe.
"This appears to suggest that FinSpy is now fuelling global intelligence operations, with one country using it against another," Kaspersky said. "Companies developing surveillance software such as FinSpy make this arms race possible. The malware used in the attack is the most recent version of FinSpy, equipped with multiple anti-analysis techniques to make forensic analysis more difficult."
According to Kaspersky's assessment, BlackOasis targets various figures involved in Middle Eastern politics, including key people in the United Nations, opposition bloggers, activists and regional news correspondents.
In 2016, researchers said they observed heavy interest in Angola "exemplified by lure documents indicating targets with suspected ties to oil, money laundering and other activities".
The hacking group has also shown interest in international activists and think tanks, researchers noted. Kaspersky said victims have so far been observed in Russia, Iraq, Afghanistan, Saudi Arabia, Iran, Nigeria, Libya, Jordan, Tunisia, Bahrain, Angola, the United Kingdom and the Netherlands.
Researchers believe that the BlackOasis group also targeted another zero-day exploit – CVE-2017-8759 – in September.
"The attack using the recently discovered zero-day exploit is the third time this year we have seen FinSpy distribution through exploits to zero-day vulnerabilities," Anton Ivanov, lead malware analyst at Kaspersky Lab, said.
"Previously, actors deploying this malware abused critical issues in Microsoft Word and Adobe products. We believe the number of attacks relying on FinSpy software, supported by zero-day exploits such as the one described here, will continue to grow."
Kaspersky notified Adobe of the vulnerability and the company has already issued an advisory and a patch to address the issue that affected Google's Chrome, Microsoft's Edge, Internet Explorer browsers and desktop versions.
The news comes after Adobe announced in July plans to retire its once pivotal Flash plugin by the end of 2020 that has since been replaced by website developers with alternatives such as HTML5 to display video and media.
Adobe's Flash player has suffered from a litany of software bugs in recent years that have been exploited by hackers in the past.