
East Euro crims pwning 'high profile' victims with Flash zero day

Unpatched flaw exploited since March

An eastern European group has for more than three months been using an unpatched Flash zero day vulnerability to target 'high profile' victims, Kaspersky Labs researcher Costin Raiu says.

The attacks are linked to a group dubbed ScarCruft, which under Operation Daybreak has used the vulnerability since March.

A patch for the flaw (CVE-2016-4171) is expected to drop by 16 June.

Raiu (@craiu) says the zero day has been restricted to valuable targets. Doing so allows criminals to maximise the amount of time their attacks go unnoticed and unpatched.

"... Operation Daybreak appears to have been launched by ScarCruft in March 2016 and employs a previously unknown Adobe Flash Player exploit focusing on high profile victims," Raiu says.

"ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania.

"The group has several ongoing operations utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer."

Raiu says the group may also have exploited a Flash flaw (CVE-2016-0147) that was a zero day at the time and was patched in April, making ScarCruft a well-resourced or talented group.

A second attack by the group, dubbed Operation Erebus, exploits a patched vulnerability (CVE-2016-4117) to target victims who visit particular websites. Here watering hole attacks are used to exploit unpatched victim machines through sites designed to mimic the web properties in which a victim would normally be interested.

Microsoft's lauded enhanced mitigation toolkit mitigates the zero day flaw and can be downloaded for Windows machines for free.

Users can also protect themselves by uninstalling Flash or using the ravaged runtime sparingly on a secondary browser.

The planned patch is part of a run of fixes under Patch Tuesday. ®
