Targeted Attacks Against South Korean Entities May Have Been as Early as November 2017
On January 31, 2018, KrCERT/CC, the Republic of Korea’s (South Korea) Computer Emergency Response Team, released a notice regarding an Adobe Flash vulnerability, designated CVE-2018-4878. The notice stated that this zero-day vulnerability affects all versions of Adobe Flash Player ActiveX up to 28.0.0.137, which Adobe released on January 9, 2018. KrCERT/CC recommended uninstalling Flash Player and refraining from using Internet Explorer until Adobe releases a patch addressing the zero-day.
At least one South Korean security researcher has stated that they observed actors using an operational exploit for this vulnerability in the wild in South Korea. The researcher shared an image of a Microsoft Excel file listing various Korean cosmetic products and their prices that purportedly carries the exploit. The researcher also claimed that North Korean threat actors are using this exploit to target South Korean entities, but supplied no details that could be used to independently corroborate this claim. Additionally, the researcher omitted details regarding how the vulnerability is exploited.
Based on the debug information in the exploit sample, it appears that threat actors have exploited this vulnerability in the wild since as early as November 14, 2017. Security company ESTSecurity published initial analysis of some of the indicators of compromise (IOCs) associated with the exploit.
The exploit contains the following builder path:
F:\work\flash\obfuscation\loadswf\src
According to Adobe, a patch for this vulnerability will be available on February 5, 2018. The vulnerability is a use-after-free that allows remote code execution. It affects Adobe Flash 28.0.0.137 and earlier versions.
Flashpoint assesses with moderate confidence that threat actors may continue to successfully exploit this vulnerability in the wild until the official patch is released. Flashpoint also assesses with moderate confidence that implementing protected view for Office documents and disabling Adobe Flash execution may assist with mitigating exposure to this vulnerability.
Appendix: Detection
rule crime_ole_loadswf_cve_2018_4878
{
    meta:
        // DESCRIPTION
        description = "Detects CVE-2018-4878"
        vuln_type = "Remote Code Execution"
        vuln_impact = "Use-after-free"
        affected_versions = "Adobe Flash 28.0.0.137 and earlier versions"
        mitigation0 = "Implement Protected View for Office documents"
        mitigation1 = "Disable Adobe Flash"
        weaponization = "Embedded in Microsoft Office first payloads"
        actor = "Purported North Korean actors"
        reference = "hxxps://www[.]krcert[.]or[.]kr/data/secNoticeView.do?bulletin_writing_sequence=26998"
        author = "Vitali Kremez, Flashpoint"
        version = "1.1"
    strings:
        // EMBEDDED FLASH OBJECT BIN HEADER
        $header = "rdf:RDF" wide ascii
        // OBJECT APPLICATION TYPE TITLE
        $title = "Adobe Flex" wide ascii
        // PDB PATH (backslashes must be escaped inside YARA text strings)
        $pdb = "F:\\work\\flash\\obfuscation\\loadswf\\src" wide ascii
        // LOADER STRINGS
        $s0 = "URLRequest" wide ascii
        $s1 = "URLLoader" wide ascii
        $s2 = "loadswf" wide ascii
        $s3 = "myUrlReqest" wide ascii
    condition:
        // 'and' binds tighter than 'or' in YARA; the parentheses make the two
        // alternatives explicit without changing the logic
        (all of ($header*) and all of ($title*) and 3 of ($s*))
        or (all of ($pdb*) and all of ($header*) and 1 of ($s*))
}
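To see how the rule's string tests and condition combine, here is an added Python re-implementation of its logic (this is example code written for this page, not Flashpoint's or the rule author's). It reproduces YARA's "wide ascii" modifier by searching for both the ASCII and the UTF-16LE encoding of each string, and it evaluates the two branches of the condition with explicit precedence. The sample byte blobs are constructed for the example and are not real exploit files; the function and constant names are this example's own.

```python
# Added example (not Flashpoint's code): a small Python re-implementation of
# the YARA rule's string tests and condition, so the logic can be exercised
# on sample data without a YARA install. The sample blobs below are
# constructed for this example and are not real exploit files.

from typing import Iterable

# String sets from the rule. YARA's "wide ascii" modifier means a string
# matches in either plain ASCII or UTF-16LE ("wide") encoding.
HEADER = ["rdf:RDF"]
TITLE = ["Adobe Flex"]
PDB = [r"F:\work\flash\obfuscation\loadswf\src"]
LOADER = ["URLRequest", "URLLoader", "loadswf", "myUrlReqest"]


def present(data: bytes, text: str) -> bool:
    """True if text occurs in data as ASCII or as UTF-16LE (YARA 'wide')."""
    return text.encode("ascii") in data or text.encode("utf-16-le") in data


def count_of(data: bytes, patterns: Iterable[str]) -> int:
    """Number of patterns present, i.e. the N in YARA's 'N of ($set*)'."""
    return sum(1 for p in patterns if present(data, p))


def matches_cve_2018_4878(data: bytes) -> bool:
    """Port of the rule's condition. YARA's 'and' binds tighter than 'or',
    so the original condition is two alternatives, made explicit here."""
    header = count_of(data, HEADER) == len(HEADER)   # all of ($header*)
    title = count_of(data, TITLE) == len(TITLE)      # all of ($title*)
    pdb = count_of(data, PDB) == len(PDB)            # all of ($pdb*)
    loaders = count_of(data, LOADER)                 # N of ($s*)
    flex_branch = header and title and loaders >= 3
    pdb_branch = pdb and header and loaders >= 1
    return flex_branch or pdb_branch


# --- constructed sample inputs ---------------------------------------------

# Looks like an embedded Flex object with three of the loader strings (ASCII).
SAMPLE_FLEX = (
    b"<rdf:RDF xmlns:rdf=...>" + b"\x00" * 8 + b"Adobe Flex" + b"\x00" * 8
    + b"URLRequest" + b"\x00" * 4 + b"URLLoader" + b"\x00" * 4 + b"loadswf"
)

# Header in ASCII, but the PDB path and one loader string stored as UTF-16LE,
# which a byte-for-byte ASCII search would miss. Note that "loadswf" is a
# substring of the PDB path, so $s2 also matches whenever $pdb does.
SAMPLE_PDB_WIDE = (
    b"rdf:RDF" + b"\x00" * 8
    + r"F:\work\flash\obfuscation\loadswf\src".encode("utf-16-le") + b"\x00" * 8
    + "myUrlReqest".encode("utf-16-le")
)

# Flex header and title, but only one loader string and no PDB path: the
# 3-of threshold keeps an ordinary Flex object from firing the rule.
SAMPLE_BENIGN = b"<rdf:RDF>" + b"\x00" * 8 + b"Adobe Flex" + b"\x00" * 8 + b"URLRequest"


if __name__ == "__main__":
    for name, blob in [("flex", SAMPLE_FLEX), ("pdb_wide", SAMPLE_PDB_WIDE), ("benign", SAMPLE_BENIGN)]:
        print(f"{name:9s} loaders={count_of(blob, LOADER)} match={matches_cve_2018_4878(blob)}")
```

Two things the walk-through makes visible: the `wide` modifier matters because strings inside Office and Flash containers are frequently stored as UTF-16LE, and because `loadswf` is a substring of the PDB path, the `1 of ($s*)` clause in the second branch is satisfied automatically whenever `$pdb` matches, so that branch effectively reduces to header plus PDB path.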
IV. Mitigation
A. Implement Protected View for Office documents
B. Disable Adobe Flash execution
Notably, according to Adobe, no patch for this vulnerability will be available until February 5, 2018. [3]
V. Indicators of Compromise (MD5):
9593d277b42947ef28217325bcc1fe50
5f97c5ea28c0401abc093069a50aa1f8
1F93C09EED6BB17EC46E63F00BD40EBB
4C1533CBFB693DA14E54E5A92CE6FABA
VI. Command and Control (C2) servers:
hxxp://www[.]dylboiler[.]co[.]kr/admincenter/files/boad/4/manager[.]php
hxxp://www[.]1588-2040[.]co[.]kr/design/m/images/image/image[.]php
VII. PDB path:
F:\work\flash\obfuscation\loadswf\src
SNORT Rule:
# Author: Vitali Kremez, Flashpoint
# sid 1000001 is a placeholder in the local-rule range; assign your own
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible CVE-2018-4878 check-in alert"; flow:established,to_server; content:"?id="; http_uri; content:"&fp_vs="; http_uri; content:"&os_vs="; http_uri; reference:cve,2018-4878; classtype:trojan-activity; sid:1000001; rev:1;)
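The Snort rule, the C2 URLs and the MD5 list are the three network- and file-level indicators in this post; as an added example (written for this page, not Flashpoint's code) the Python below applies all three to web proxy log lines: it refangs the published C2 URLs, performs the same three-token URI test the Snort rule does, and normalizes hash case before comparing against the MD5 list. The proxy log format, the log lines, and the function and constant names are constructed for the example; the C2 URLs, URI tokens and hashes come from the post.

```python
# Added example (not Flashpoint's code): matching the post's network and file
# indicators against web proxy log lines in Python, the same URI test the
# Snort rule performs plus a lookup of the published C2 URLs and MD5s.
# The log lines and the log format are constructed for this example.

from typing import List, Tuple

# Defanged C2 URLs exactly as published in the post.
C2_URLS_DEFANGED = [
    "hxxp://www[.]dylboiler[.]co[.]kr/admincenter/files/boad/4/manager[.]php",
    "hxxp://www[.]1588-2040[.]co[.]kr/design/m/images/image/image[.]php",
]

# MD5 indicators from the post. The published list mixes upper and lower
# case, so everything is normalized to lowercase before comparison.
SAMPLE_MD5S = {h.lower() for h in (
    "9593d277b42947ef28217325bcc1fe50",
    "5f97c5ea28c0401abc093069a50aa1f8",
    "1F93C09EED6BB17EC46E63F00BD40EBB",
    "4C1533CBFB693DA14E54E5A92CE6FABA",
)}

# The three URI tokens the Snort rule looks for.
CHECKIN_TOKENS = ("?id=", "&fp_vs=", "&os_vs=")


def refang(url: str) -> str:
    """Turn a defanged indicator back into a comparable URL."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")


C2_URLS = {refang(u) for u in C2_URLS_DEFANGED}


def is_known_md5(hexdigest: str) -> bool:
    """Case-insensitive lookup against the published sample hashes."""
    return hexdigest.strip().lower() in SAMPLE_MD5S


def looks_like_checkin(url: str) -> bool:
    """Equivalent of the Snort rule's three http_uri content matches."""
    return all(tok in url for tok in CHECKIN_TOKENS)


def classify(url: str) -> List[str]:
    """Labels that apply to one requested URL (empty list means no hit)."""
    hits = []
    if url.split("?", 1)[0] in C2_URLS:
        hits.append("known-c2-url")
    if looks_like_checkin(url):
        hits.append("checkin-pattern")
    return hits


def scan_proxy_log(lines) -> List[Tuple[str, str, List[str]]]:
    """Constructed log format: '<epoch> <client> <method> <url> <status>'.
    Returns (client, url, labels) for every line with at least one hit."""
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than crash
        client, url = parts[1], parts[3]
        labels = classify(url)
        if labels:
            alerts.append((client, url, labels))
    return alerts


# Constructed proxy log lines; the hosts in lines 2 and 4 are placeholders
# and the query-string values are made up for the example.
LOG_LINES = """\
1517400001.123 10.0.0.21 GET http://www.dylboiler.co.kr/admincenter/files/boad/4/manager.php?id=ABCD&fp_vs=28.0.0.137&os_vs=win7 200
1517400002.456 10.0.0.22 GET http://www.example.com/index.html 200
1517400003.789 10.0.0.23 POST http://www.1588-2040.co.kr/design/m/images/image/image.php 200
1517400004.000 10.0.0.24 GET http://cdn.example.net/beacon.php?id=1&fp_vs=2&os_vs=3 404
""".splitlines()


if __name__ == "__main__":
    for client, url, labels in scan_proxy_log(LOG_LINES):
        print(client, ",".join(labels), url)
```

The two checks are deliberately kept separate: the URL lookup only fires on the exact C2 paths published here and will go stale, while the parameter pattern generalizes to a re-hosted check-in (line 4 in the sample) but, being three short tokens, deserves a second look before it is treated as a confirmed hit.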