Adobe Flash Player has a serious bug that North Korean hackers may have been exploiting to steal files from computers.
The previously unknown flaw can let an attacker achieve remote code execution on a victim's PC. It affects the current version of Adobe Flash Player (28.0.0.137) and all earlier versions.
On Thursday, Adobe Systems issued a security advisory warning that bad actors were exploiting the bug “in limited, targeted attacks against Windows users.”
One security researcher has claimed that North Korean hackers were behind the attacks. Simon Choi, a director at the security firm Hauri, tweeted that the attacks began in mid-November 2017 and targeted South Koreans conducting research on North Korea.
Flash 0day vulnerability made by North Korea, used since mid-November 2017. They attacked South Koreans who mainly do research on North Korea. (no patch yet) pic.twitter.com/bbjg1CKmHh
— Simon Choi (@issuemakerslab) February 1, 2018
On Friday, Cisco’s Talos security group corroborated some of those findings. To deliver the attacks, the hackers have been using Microsoft Excel documents rigged to exploit the vulnerability. Once a document is opened, a Flash (SWF) file embedded inside it exploits the flaw to download a malicious remote administration tool from a website under the hackers’ control.
The remote administration tool itself has been attributed to a hacking group Talos calls “Group 123,” which has been targeting South Koreans with phishing emails. In past campaigns, the group has used the tool to lift documents from infected computers, take screenshots and steal passwords from browsers.
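The delivery chain described above (an Excel document carrying an embedded Flash object) can be triaged without opening the file, because a modern .xlsx is a zip of OOXML parts: ActiveX controls and OLE objects live under xl/activeX/ and xl/embeddings/, a Flash control is declared by the Shockwave Flash CLSID, and an SWF blob starts with the magic FWS, CWS or ZWS followed by a version byte and a length. The scanner below is an added example written for this article, not code from Adobe, Cisco Talos or the campaign; the sample documents it builds are constructed in-line and contain no exploit, only the structural indicators a defender would look for.

```python
import io
import re
import zipfile
from typing import List, Tuple

# SWF header layout: 3-byte magic ("FWS" uncompressed, "CWS" zlib, "ZWS" LZMA),
# 1-byte version, then a 4-byte little-endian uncompressed length.
SWF_HEADER_RE = re.compile(rb"(FWS|CWS|ZWS)([\x01-\x40])")
SWF_MIN_LENGTH = 21  # smallest well-formed SWF is 21 bytes

# CLSID of the Shockwave Flash ActiveX control, as it appears in activeX*.xml parts.
FLASH_CLSID = b"d27cdb6e-ae6d-11cf-96b8-444553540000"

# OOXML directories that hold OLE objects and ActiveX control binaries.
OBJECT_DIRS = ("xl/activeX/", "xl/embeddings/",
               "word/activeX/", "word/embeddings/",
               "ppt/activeX/", "ppt/embeddings/")


def find_embedded_flash(data: bytes) -> List[Tuple[str, str]]:
    """Scan an OOXML (xlsx/docx/pptx) zip for signs of an embedded Flash object.

    Returns (part name, reason) tuples; an empty list means no indicator was found.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            # Indicator 1: the document declares the Flash ActiveX control.
            if FLASH_CLSID in blob.lower():
                findings.append((name, "flash-activex-clsid"))
            # Indicator 2: a raw SWF header, either at the start of any part or
            # anywhere inside an object/ActiveX binary (where it sits in an OLE stream).
            if name.startswith(OBJECT_DIRS) or blob[:3] in (b"FWS", b"CWS", b"ZWS"):
                for m in SWF_HEADER_RE.finditer(blob):
                    length = int.from_bytes(blob[m.end():m.end() + 4], "little")
                    if length >= SWF_MIN_LENGTH:
                        findings.append((name, f"swf-header:{m.group(1).decode()}@{m.start()}"))
                        break  # one hit per part is enough for triage
    return findings


def build_sample_xlsx(with_flash: bool) -> bytes:
    """Constructed sample: a minimal OOXML zip, optionally carrying a Flash ActiveX
    control whose binary holds a zlib-compressed SWF header. Not a real document and
    not a malicious one; it only reproduces the structure the scanner keys on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_flash:
            zf.writestr("xl/activeX/activeX1.xml",
                        '<ax:ocx ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}"/>')
            # Fake OLE stream: compound-file magic, padding, then a CWS header
            # (version 30, declared uncompressed length 1000) and a zlib stream start.
            swf = b"CWS" + bytes([30]) + (1000).to_bytes(4, "little") + b"\x78\x9c" + b"\x00" * 16
            zf.writestr("xl/activeX/activeX1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 32 + swf)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    paths = sys.argv[1:]
    if not paths:  # no files given: run against the constructed samples
        for flag in (False, True):
            print(f"sample(with_flash={flag}):", find_embedded_flash(build_sample_xlsx(flag)))
    for path in paths:
        with open(path, "rb") as fh:
            print(path, find_embedded_flash(fh.read()))
```

Run it with one or more .xlsx/.docx/.pptx paths to list which parts carry a Flash control or SWF header. It covers only zip-based OOXML; a legacy binary .xls is a compound file, not a zip, and would need an OLE parser instead. A CLSID hit is a stronger signal than a bare SWF header, since the three-letter magic can occur by chance in arbitrary binary data; the version-byte and length checks only reduce that noise.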
Cisco Talos stopped short of specifically linking Group 123 to North Korea, but it said the attackers were probably after a “high value target.”
“Utilizing a brand new exploit, previously not seen in the wild, displays they were very determined to ensure their attack worked,” Cisco Talos said.
South Korea’s computer emergency response team, KrCERT/CC, initially reported the flaw to Adobe, which plans to patch it next week. In the meantime, you can disable Flash Player in your browser’s settings, and, since the known exploit arrives inside an Excel document, treat unsolicited Office attachments with embedded objects with suspicion until the patch is installed.