Updates issued for Adobe Flash Player for Windows, macOS, Linux and Chrome OS address one “critical” and one “important” vulnerability.
Successful exploitation of the vulnerabilities could lead to arbitrary code execution and privilege escalation, Adobe said in a security bulletin.
However, researchers say the “critical” vulnerability (CVE-2018-15982) is already being exploited in the wild. They said it allows a maliciously crafted Flash object to execute code on a victim’s computer and gain command-line access to the system.
The Gigamon ATR team said it reported the issue to Adobe on 29 November and Adobe acted quickly to reproduce the vulnerability and distribute a patch for its software on 5 December.
The “22.docx” document submitted to VirusTotal is a seven-page Russian-language document that masquerades as an employment application for a Russian state healthcare clinic.
The attack scenario associated with this campaign is simple in nature, according to the researchers. The documents contain an embedded Flash ActiveX control in the header that renders when the document is opened and causes exploitation of the Flash player within Office.
After exploitation, a malicious command is executed that attempts to extract and execute an accompanying payload.
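Because the delivery vector described above is a Flash ActiveX control embedded in an Office document, one defensive check is to flag any OOXML file that declares that control before it reaches a user. The following is an added example, not code from Gigamon or Adobe; it assumes the standard OOXML layout in which ActiveX declarations are XML parts under an `activeX/` folder, and the sample documents are constructed inline.

```python
import io
import re
import zipfile

# CLSID of the Shockwave Flash ActiveX control (ShockwaveFlash.ShockwaveFlash).
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
CLASSID_RE = re.compile(rb'classid\s*=\s*"\{?([0-9A-Fa-f-]{36})\}?"', re.I)


def find_flash_activex(docx_bytes):
    """Return the names of OOXML parts that declare a Flash ActiveX control."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(docx_bytes))
    except zipfile.BadZipFile:
        return hits  # not an OOXML container (e.g. legacy .doc or RTF)
    with archive:
        for info in archive.infolist():
            name = info.filename.lower()
            # Assumption: control declarations are XML parts under */activeX/
            if "/activex/" not in name or not name.endswith(".xml"):
                continue
            if info.file_size > 1_000_000:  # declarations are tiny; skip oversized parts
                continue
            for match in CLASSID_RE.finditer(archive.read(info)):
                if match.group(1).decode().upper() == FLASH_CLSID:
                    hits.append(info.filename)
                    break
    return hits


def _build_sample(classid):
    """Construct a minimal in-memory .docx-like archive (test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/header1.xml", "<w:hdr/>")
        z.writestr(
            "word/activeX/activeX1.xml",
            '<ax:ocx ax:classid="{%s}" ax:persistence="persistStorage" '
            'xmlns:ax="http://schemas.microsoft.com/office/2006/activeX"/>' % classid,
        )
    return buf.getvalue()


SAMPLE_FLASH = _build_sample(FLASH_CLSID)                             # constructed
SAMPLE_OTHER = _build_sample("00000000-0000-0000-0000-000000000000")  # constructed

if __name__ == "__main__":
    print("Flash ActiveX parts:", find_flash_activex(SAMPLE_FLASH))
```

A hit only shows that the document declares the Flash control; it does not indicate which Flash vulnerability, if any, the embedded object targets.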
Although the death of Flash has been widely reported thanks to industry efforts to deprecate and remove it from web browsers, the researchers said vectors such as Microsoft Office remain able to load and execute Flash content.
“As such, exploits against zero-day vulnerabilities that allow for command execution using relatively stock enterprise software are valuable,” they said.
The observed tradecraft and techniques in this new attack, from the exploit to the payload, are similar to those used by HackingTeam, the researchers said. These include similarities in the use of VMProtect to protect follow-on payloads, the similar use of digitally signed payloads and forged manifest metadata, and similarities in the use of zero-day exploits in Flash documents.
However, the researchers noted that although attribution will be difficult, it is not needed for detection purposes.
“At best, attribution could aid the victim’s organisation in determining intent and guiding response actions, but in reality, whether it is HackingTeam, an impersonator or completely unrelated, the fact remains that a valid zero-day might have been used to perform targeted exploitation against a victim,” they said.