As expected, Adobe on Tuesday issued an emergency patch to fix a critical vulnerability in Flash Player hackers were using in attacks against Windows users.
The company said in an advisory it was aware an exploit for the vulnerability existed in the wild last week and that it would address it with a patch this week.
The vulnerability, CVE-2018-4878 - a use after free, could have led to remote code execution in version 22.214.171.124 and earlier of Flash Player. The updated version, 126.96.36.199 for Windows, macOS, and Linux, resolves the vulnerability along with a second use after free, CVE-2018-4877, discovered by a researcher with Qihoo 360 Vulcan Team.
The South Korean Computer Emergency Response Team (KR-CERT) first warned of the zero-day last week.
According to researchers with Cisco Talos, who dug into the CVE-2018-4878 on Friday, the vulnerability was being exploited by attackers by attackers with Group 123, a collective known for carrying out multiple campaigns against South Korean targets in 2017.
Last week's campaign relied on embedding a malicious SWF file in a Microsoft Excel sheet. As soon as CVE-2018-4878 is triggered, an additional payload is downloaded and shellcode is loaded in memory and executed.
According to Talos researchers Warren Mercer and Paul Rascagneres, the payload is a remote administration tool, or RAT named ROKRAT. ROKRAT, which first surfaced last year, zigs where other RATs usually zag - it uses the public APIs of Twitter, along with Mediafire and Yandex, to carry out commands and exfiltrate data. Researchers with the firm said last week the fact the group had access to - and was using - a never before seen vulnerability really ante ups its credibility.
"They did use exploits in previous campaigns but never a net new exploit as they have done now," Mercer and Rascagneres wrote, "This change represents a major shift in Group 123s maturity level, we can now confidentially assess Group 123 has a highly skilled, highly motivated and highly sophisticated group."
Cybersecurity firms usually have different nicknames for the same groups of attackers; FireEye, which also delved into the attacks on Friday, said it refers to the group as TEMP.Reaper and that it observed the group interacting with IP addresses assigned to a DPRK government network based in Pyongyang.
Before it pushed the fix Adobe was encouraging administrators to change the way Flash Player behaves, either by prompting the user before playing SWF content or implementing Protected View for Office, which would open potentially dangerous files in read-only mode.
The vulnerability is the latest - and assuredly not the last - in a long line of Flash bugs. Adobe announced last summer it plans to retire support for the cross-platform plugin in December 2020, meaning attackers have nearly another two years to poke holes in it.