Crims bait phishing hooks with Flash, cast at US Gov agencies

Hackers are attempting to break into US Government agencies using a recently patched Adobe Flash vulnerability, the FBI is warning.

The attacks target flaw CVE-2015-5119 revealed and patched earlier this month that can if exploited allow attackers to run malware on victim machines.

The agency warned of the attacks which began 8 July in a memo (alert A-000062-PH) CSO reported.

"The FBI has received information regarding a likely ongoing phishing campaign that started 08 July 2015 and was observed targeting US Government agencies," the memo reads, adding that "... the e-mails contain a link that exploits Adobe Flash vulnerability CVE-2015-5119."

Attackers launched a similar phishing campaign in June that targeted government agencies along with private sector companies in sectors including IT, aerospace, construction, and transport.

Phishing email subject lines include "AEP Energy Program Update: 2015 Program Year Kick Off" and "Review Link".

The Flash vulnerability was one of three revealed in the 400Gb Hacking Team data cache that was disclosed after the Italian surveillance firm was digitally eviscerated by unknown attackers.

It was patched in a rush fix in which Google assisted Adobe to implement hardening features that would make exploiting the platform more difficult.

Those hardening features include:

• Those Vector. buffer heap partitioning: Arrays are separated from other heap objects, so attempts to overflow a buffer and alter a nearby vector's length is much more difficult – their addresses are now too far apart. Going the distance will trigger a page fault or blow away too much of the environment to continue running without crashing. And a crash is better than exploitation.
• Stronger randomisation for the Flash heap: Attackers need to know the memory layout of Flash at the moment of exploitation. It's like building one of those marble run machines where everything has to be placed more or less precisely for the right values to slot into position. Randomizing heap allocations wrecks the chances of reliable exploitation.
• Vector.<*> length validation: Adobe has added an extra value to an array's metadata called a secret, which is calculated using the length. If an attacker changes an array's length, the array's secret must be recalculated, but if the attacker cannot generate the correct secret for the desired length, Flash will detect this and bail out before a vulnerability is exploited. So this helps stop miscreants overwriting a vector's length, which may kill most attacks dead.

The wash-up from the Hacking Team hack has now seen Milan police reportedly turning their crosshairs on former Hacking Team staff in an investigation that is probing the possibility that the breach was an inside leak.

So far police have questioned six former staff already suspected of stealing company secrets. ®