The prolific Fancy Bear hackers, also known as APT28 and Sofacy, are racing to exploit the recently-announced Adobe Flash bug, before patches are widely deployed. The Kremlin-linked group, widely considered to be behind the cyberattacks against the US Democratic Party during the 2016 US presidential elections, as well as numerous other cyberespionage campaigns, is now targeting foreign government entities "equivalent to the US State Department", as well as private businesses in the aerospace industry.
According to security experts at Proofpoint, who identified the Fancy Bear's new campaign, the hackers appear to be going after targets in Europe and the US. The zero-day exploit, which according to Kaspersky Lab researchers was previously being exploited by a hacker group called BlackOasis, was made public and patched on 16 October.
However, Proofpoint security researchers suspect that the Fancy Bear hackers also have possession of the exploit, which is likely to have been "purchased, discovered on their own, or reverse-engineered from the BlackOasis attack".
As part of their new campaign, the Russian hackers sent out a limited number of emails with a malicious document titled "World War 3: North Korea claims 'terrorist' US 'PUSHED' Pyongyang to create nuclear bomb".
"This malicious document embeds the same Flash object twice in an ActiveX control for an unknown reason, although this is likely an operational mistake. The Flash files work in the same manner as the last known attack using this tool: the embedded Flash decompresses a second Flash object that handles the communication with the exploit delivery server," Proofpoint researchers said in a blog.
"The only difference is that this second Flash object is no longer stored encrypted. There are other signs that this campaign was devised hastily: for example, the actors did not change the decryption algorithm constants as they have in the past."
The campaign targets those using Windows 7, Windows 10 build and Microsoft Office 2013. However, Mac OS users, as well as those using 64-bit versions of Microsoft Office 2016 and Windows 10 RS3, should be protected from the bug.
"APT28 appears to be moving rapidly to exploit this newly-documented vulnerability before the available patch is widely deployed. Because Flash is still present on a high percentage of systems and this vulnerability affects all major operating systems, it is critical that organisations and end users apply the Adobe patch immediately," Proofpoint researchers added.
"APT28 is a sophisticated state-sponsored group that is using the vulnerability to attack potentially high-value targets but it is likely that other threat actors will follow suit and attempt to exploit this vulnerability more widely, whether in exploit kits or via other attack vectors."