The infamous cyber espionage group known as APT28 or Fancy Bear is aggressively using a recently patched Adobe Flash Player vulnerability in targeted attacks against government departments and aerospace companies. Security researchers have revealed that the group has distributed multiple malware campaigns trying to leverage the zero day security flaw that was patched in Flash Player earlier this week and was reported to have been used to deliver spyware developed by a UK firm.
Proofpoint, a cybersecurity firm, has spotted multiple attacks attacking targets across the United States and Europe. Looking at the sloppy design and reuse of its past code, evidence suggests that the group has rushed to deliver the recent campaigns exploiting this Flash Player flaw before its patch is widely deployed.
Unclear if APT28 purchased this exploit, discovered on its own, or reverse engineered from the BlackOasis attack
Security experts always advise consumers and businesses to deploy patches as soon as they are released since once the companies release patches to security flaws, it enables more criminals to exploit them. Proofpoint is saying that APT28 started the recent campaign on October 18, just two days after this exploit was fixed by Adobe, trusting that it can successfully attack some targets until the patch for this newly documented vulnerability is widely deployed.
Tracked as CVE-2017-11292, the zero day security flaw was patched by Adobe on October 16. At the time, researchers had only seen one threat actor - BlackOasis - exploiting this vulnerability to deliver Gamma International's FinFisher spyware. APT28 is believed to be a Russian state sponsored group that is widely known as Fancy Bear, Sofacy and Strontium. The group has previously used the same strategy to aggressively exploit a patched vulnerability in a similar way earlier this year when Microsoft fixed three zero day flaws.
Proofpoint has warned that APT28 isn't likely to be the only threat actor exploiting this flaw since Adobe Flash Player is "still present on a high percentage of systems and this vulnerability affects all major operating systems". The flaw doesn't affect those on the latest Windows 10 Fall Creators Update and 64-bit versions of Microsoft Office 2016.
"APT28 is a sophisticated state-sponsored group that is using the vulnerability to attack potentially high-value targets," Proofpoint wrote. "But it is likely that other threat actors will follow suit and attempt to exploit this vulnerability more widely, whether in exploit kits or via other attack vectors."
