Kaspersky Lab discovered a zero-day exploit for Adobe Flash Player on October 10. A group known as BlackOasis was using the flaw to covertly distribute a piece of spyware called FinSpy, delivered to targets as Microsoft Word email attachments.
The attack was sophisticated enough to fly under the radar at first, but Anton Ivanov, the Kaspersky researcher who found the scheme in the wild, warns that Flash Player is installed widely enough that other attackers could exploit the same vulnerability to carry out this sort of attack.
The Russian cybersecurity firm contacted Adobe as soon as it detected the threat, and the two worked jointly to issue a patch (Adobe tracks the flaw as CVE-2017-11292) that is now available for users to download. Flash Player is being phased out precisely because of this sort of vulnerability, which makes it so prone to becoming an attack channel.
What is FinFisher and how does the Flash flaw work?
For starters, the odd thing about this new scheme is that FinSpy is actually a legal software tool. It is developed by Gamma International, a British-German firm that works with government and law enforcement agencies. The spyware is also marketed under the name FinFisher, and the two names are used interchangeably.
These state bodies use FinSpy as a digital surveillance tool, but anyone in possession of it could use it to the same ends with different motivations. The spyware allows hackers or officials to read call logs, messages and files, capture video chats, and monitor conversations on popular platforms such as Skype.
The BlackOasis group, reportedly responsible for this latest campaign, hides FinFisher behind a malicious Word document sent to targets in the hope that they open it. The document carries an embedded ActiveX object containing the Flash exploit; when Word renders the object, the exploit's shellcode fetches the FinSpy payload and installs it on the victim's machine, with no further action from the user.
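Because the exploit travels inside a Word document rather than as a stand-alone file, a first triage step is to look for Flash content hidden in the document's embedded objects. The following is an added example, not code from Kaspersky or from the original article: it treats a .docx as the zip archive it is, inspects the parts where Word stores ActiveX controls and OLE objects, and reports any that carry an SWF header. The sample document it scans is constructed in memory, so nothing here is a real malicious file, and the offsets and payload bytes are illustrative assumptions.

```python
import io
import re
import zipfile

# Signatures of the three SWF container variants: uncompressed, zlib, LZMA.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")

# Parts of a .docx where an embedded ActiveX control or OLE object is stored.
EMBED_PART = re.compile(r"^word/(activeX|embeddings)/[^/]+\.bin$")


def find_embedded_swf(docx_bytes):
    """Return (part name, magic, SWF version, declared length) for every
    embedded binary part that contains an SWF header.

    The SWF is usually wrapped in an OLE compound-file container rather than
    stored raw, so the magic is searched for anywhere in the blob, not only
    at offset 0. A three-byte match can occur by chance in arbitrary binary,
    so treat a hit as a reason to inspect the part, not as proof on its own.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not EMBED_PART.match(name):
                continue
            blob = z.read(name)
            for magic in SWF_MAGICS:
                off = blob.find(magic)
                # SWF header: 3 magic bytes, 1 version byte, 4-byte LE file length.
                if off != -1 and len(blob) >= off + 8:
                    version = blob[off + 3]
                    length = int.from_bytes(blob[off + 4:off + 8], "little")
                    hits.append((name, magic.decode(), version, length))
                    break
    return hits


def build_sample_docx(embed_swf):
    """Constructed sample: a minimal docx-shaped zip, optionally carrying an
    ActiveX part whose payload wraps a zlib-compressed SWF header (assumed
    version 27, declared length 0x1234). Not a real document or exploit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if embed_swf:
            ole_padding = b"\xd0\xcf\x11\xe0" + b"\x00" * 28   # stand-in OLE header
            swf_header = b"CWS" + bytes([27]) + (0x1234).to_bytes(4, "little")
            z.writestr("word/activeX/activeX1.bin", ole_padding + swf_header + b"\x00" * 16)
            z.writestr("word/activeX/activeX1.xml", "<ax:ocx/>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, magic, version, length in find_embedded_swf(build_sample_docx(True)):
        print(f"{name}: {magic} SWF v{version}, declared length {length} bytes")
```

Run against a real document, the same function takes the file's bytes (`find_embedded_swf(open(path, "rb").read())`); an Office document that has no business containing Flash content but reports a hit is worth pulling apart in a sandbox.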
So basically a Middle Eastern law enforcement or intelligence agency is using Gamma International’s FinFisher commercial malware and has burned through at least 5 zero days in the past 2 and some years. That’s some budget. Also sure to piss off Gamma & other customers. https://t.co/rtdW1RsWUc
— Artturi Lehtiö (@lehtior2) October 16, 2017
Just who are the BlackOasis group?
Kaspersky has been able to link the BlackOasis group to other zero-day exploits it has detected in the past: two this year, one in 2016, and two others in 2015. Their motivations remain unclear, but they appear interested in the Middle East and the business conducted there.
Researchers at the firm also traced the command-and-control servers for this latest FinFisher wave to the Netherlands, Bulgaria, and Switzerland. Without jumping to conclusions, some observers have suggested the attackers might be linked to Eastern European cells of larger Russian groups.
BlackOasis victims have been identified in Iraq, Afghanistan, Libya, Jordan, Iran, Saudi Arabia, Bahrain, and Tunisia. Nigeria and Angola, in particular, were of interest to the group in 2016, according to Kaspersky, while other countries with targeted victims include Russia, the Netherlands, and the United Kingdom.
Adobe has already rolled out an update (Flash Player 27.0.0.170). Browsers that bundle Flash, such as Chrome and Edge, pick it up through their own update mechanisms, and the stand-alone player may have updated automatically; if you have not checked in a while, confirm the installed version directly on Adobe's Flash Player page to make sure you are up to date.
Source: Kaspersky Lab