New zero-day vulnerability in Adobe Flash Player

13-02-2013

Vulnerability was actively used in targeted attacks

Experts at Kaspersky Lab recently discovered a critical zero-day vulnerability in Adobe Flash Player (CVE-2013-0633) that was being actively used in targeted attacks. Kaspersky Lab reported the vulnerability to Adobe, which released a security update on 7 February.

The vulnerability was first discovered by Sergey Golovanov and Alexander Polyakov of Kaspersky Lab. It affects Windows, Mac OS X, Linux and a number of older versions of Android.

From the Kaspersky blog: Adobe Flash Player 0-day and HackingTeam's Remote Control System

Last week, Adobe released a patch for a vulnerability in Flash Player that was being exploited in targeted attacks.

Before reading any further, we recommend you take a moment to make sure you apply this patch. Adobe offers this nifty tool to check that you have the latest version of Flash Player.

If you are running Google Chrome, make sure you have version ‘24.0.1312.57 m’ or later.

Now back to CVE-2013-0633, the critical vulnerability that was discovered and reported to Adobe by Kaspersky Lab researchers Sergey Golovanov and Alexander Polyakov. The exploits for CVE-2013-0633 have been observed while monitoring the so-called ‘legal’ surveillance malware created by the Italian company HackingTeam. In this blog, we will describe some of the attacks and the usage of this 0-day to deploy malware from ‘HackingTeam’ marketed as Remote Control System.

HackingTeam and RCS

We previously wrote about RCS (Remote Control System) and HackingTeam and over the past few months, we’ve closely monitored the usage of the RCS (aka ‘DaVinci’) against human rights activists and political dissidents from Africa, South America and the Middle East.

We also presented the findings of this investigation last week at Kaspersky Lab’s SAS 2013 in a presentation named “Cyber Cosa Nostra”, which details the connections between HackingTeam and the shady organization known as ‘OPM’. An article documenting the findings will be published later this month on Securelist.

During our investigation, we discovered several ways through which the RCS malware was installed onto the victims’ computers:

1. Self-signed JAR
2. CVE-2012-4167: (0-day from ‘Vupen’, see http://www.dhses.ny.gov/ocs/advisories/2012/2012-073.cfm. ~3 months ITW before publishing). Used with C2: hxxps://www.maile-s.com/yarab/stagedocJord
3. CVE-2010-3333: C2 at hxxps://ar-24.com/0000000031/veryimportant.doc2 + hxxp://rcs-demo.hackingteam.it/0000000001/exploit.doc2
4. CVE-2012-5054: (0-day Vupen, see http://packetstormsecurity.com/files/116435/Adobe-Flash-Player-Matrix3D-Integer-Overflow-Code-Execution.html. ItW for ~3 months before patching) - used with C2 at: hxxp://176.58.100.37/0000040037/scandale.doc
5. CVE-2012-1682: (0-day. Security Explorations ~2 months ITW before publishing) - hxxp://ar-66.com/installer.jar
6. CVE-2013-0633: 0-day, previously unknown
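The defanged C2 URLs in the list above are the kind of indicator a SOC would load into proxy-log triage. The following is an added example, not code from the Securelist post or from Kaspersky Lab: it refangs the indicators exactly as printed on this page, extracts their hostnames, and matches them against a few constructed, Squid-style proxy log lines (the log format, client addresses and the decoy host `rcs-demo.hackingteam.it.example.net` are assumptions made for the example). Matching is on the exact destination host rather than a substring, so a lookalike host that merely contains an indicator's name does not produce a hit.

```python
import re
from urllib.parse import urlparse

# Defanged C2 indicators as listed in the Securelist post for RCS infection vectors 2 to 5.
DEFANGED_C2 = [
    "hxxps://www.maile-s.com/yarab/stagedocJord",
    "hxxps://ar-24.com/0000000031/veryimportant.doc2",
    "hxxp://rcs-demo.hackingteam.it/0000000001/exploit.doc2",
    "hxxp://176.58.100.37/0000040037/scandale.doc",
    "hxxp://ar-66.com/installer.jar",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp://, [.]) back into a parseable URL."""
    return re.sub(r"^hxxp", "http", indicator, flags=re.IGNORECASE).replace("[.]", ".")


def indicator_hosts(indicators):
    """Return the set of lowercase hostnames / IPs contained in a list of defanged URLs."""
    hosts = set()
    for indicator in indicators:
        parsed = urlparse(refang(indicator))
        if parsed.hostname:
            hosts.add(parsed.hostname.lower())
    return hosts


# Constructed sample proxy log (assumed format: timestamp client method url status); not real traffic.
SAMPLE_PROXY_LOG = """\
1360000001.123 10.0.0.5 GET http://www.example.com/index.html 200
1360000002.456 10.0.0.7 GET https://ar-24.com/0000000031/veryimportant.doc2 200
1360000003.789 10.0.0.9 GET http://cdn.example.org/lib.js 304
1360000004.012 10.0.0.7 GET http://176.58.100.37/0000040037/scandale.doc 200
1360000005.345 10.0.0.11 GET http://rcs-demo.hackingteam.it.example.net/x 200
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def find_c2_hits(log_text: str, indicators=DEFANGED_C2):
    """Return (client, url) pairs whose destination host exactly matches a C2 indicator host."""
    hosts = indicator_hosts(indicators)
    hits = []
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue  # skip malformed lines instead of aborting the whole triage run
        host = urlparse(match.group("url")).hostname
        # Exact host comparison: a lookalike such as ar-24.com.example.net must not match.
        if host and host.lower() in hosts:
            hits.append((match.group("client"), match.group("url")))
    return hits


if __name__ == "__main__":
    for client, url in find_c2_hits(SAMPLE_PROXY_LOG):
        print(f"possible RCS C2 contact: {client} -> {url}")
```

Run against the embedded sample, the script reports the two requests from client 10.0.0.7 and ignores the decoy host on the last line; swapping `SAMPLE_PROXY_LOG` for a real proxy export (same column layout) is the only change needed for a live check.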

Some of these infection vectors were previously described in great detail by Citizen Lab Security Researcher Morgan Marquis-Boire, in relation to RCS and also another malware known as 'SPY_NET'.

Interestingly, from the list above, two of the 0-days appear to have been created by the French offensive security company Vupen. The link was also previously pointed out by Citizen Lab’s report, which says it’s unclear if the exploits used with HackingTeam’s malware have been purchased from Vupen, or just engineered in parallel.

More at: Securelist.com
