Researchers at Trend Micro discovered a new Adobe Flash Zero-Day used in Pawn Storm Campaign Targeting Foreign Affairs Ministries across the world.

Once again Flash in the headlines, beware next emergency Flash Player update is critical for everybody as explained by the experts at Trend Micro.

The researchers at the security firm explained that the update will fix a vulnerability that has been exploited in the wild by the notorious Pawn Storm APT in targeted phishing attacks against government entities, in particular several foreign affairs ministries across the world. In October 2014, the experts at Trend Micro discovered a cyber espionage operation targeting military, government and media agencies on a global scale. The researchers collected evidence that the threat actors behind the operation, dubbed Operation Pawn Storm, have been active since at least 2007 and are still running several attacks worldwide.

“Trend Micro researchers have discovered that the attackers behind Pawn Storm are using a new Adobe Flash zero-day exploit in their latest campaign.” states the post published by the security firm.

The researchers explained that the zero-day exploited by the Pawn Storm works with Adobe Flash Player versions 19.0.0.185 and 19.0.0.207, this means that the flaw affects most current versions of the software. Other versions not listed could be vulnerable, as remarked by Trend Micro.

The Phishing email sent by the threat actors to “several ministries of foreign affairs” include links to websites hosting the exploit. The researchers at Trend Micro have discovered that most of the emails have the following subjects:

  • Suicide car bomb targets NATO troop convoy Kabul
  • Syrian troops make gains as Putin defends air strikes
  • Israel launches airstrikes on targets in Gaza
  • Russia warns of response to reported US nuke buildup in Turkey, Europe
  • US military reports 75 US-trained rebels return Syria

p1

The experts noticed that the URLs hosting the new Flash zero-day exploit are similar to the URLs that were used in the attacks that targeted North Atlantic Treaty Organization (NATO) members and the White House in April 2015.

“Foreign affairs ministries have become a particular focus of interest for Pawn Storm recently. Aside from malware attacks, fake Outlook Web Access (OWA) servers were also set up for various ministries. These are used for simple, but extremely effective, credential phishing attacks. One Ministry of Foreign Affairs got its DNS settings for incoming mail compromised. This means that Pawn Storm has been intercepting incoming e-mail to this organization for an extended period of time in 2015.” concludes the report.

Trend Micro notified Adobe about the zero-day and is currently working with them to fix the security issue.

Pierluigi Paganini