Pawn Storm attack: Flash zero-day exploit hits diplomatic inboxes

Hackers behind a long-running cyber-espionage campaign have begun using a new Adobe Flash zero-day exploit in their latest campaign.

The attackers behind Pawn Storm targeted several foreign affairs ministries from around the globe using a Flash-based attack, Trend Micro reports.

The targets received spear phishing emails that contained links pointing towards sites hosting the exploit. These emails were themed so that they appeared to offer links to news analysis articles and pieces. Examples included “Syrian troops make gains as Putin defends air strikes” and “Israel launches air strikes on targets in Gaza”.

The URLs hosting the new Flash zero-day exploit are similar to the URLs seen in attacks that targeted NATO members and the White House in April this year, security researchers at Trend micro note.

The Flash zero-day affects at least Adobe Flash Player versions 19.0.0.185 and 19.0.0.207, based on the initial results of an ongoing analysis by security researchers from Trend Micro.

Trend Micro has notified Adobe about its discovery, with which it went public on Wednesday. In the meantime, Trend has updated its own enterprise security tools to block attacks targeting this particular software security hole.

Adobe released a scourge of vulnerability fixes for Reader and Flash on Tuesday, as part of its regular monthly patching cycle.

But these updates failed to plug the 0-day (CVE-2015-7645) abused by Pawn Storm, Adobe spokeswoman Heather Edell confirmed. Adobe expects to make a cross-platform update for this critical bug available during the week of 19 October.

More detail can be found in Adobe's holding statement. There is no workaround short of a patch so, as El Reg has repeatedly suggested, users should consider removing Flash altogether or at least enabling click-to-play in your browser so you only run Flash files you can trust.

Storm in a coffee cup

The Pawn Storm crew are innovators in the world of APT-style hacking and previously unknown software security holes. For example, the group used a Java zero-day in an earlier run of attacks.

Pawn Storm cyberspies are trying multiple strategies in their attempt to break into foreign affairs ministries. These efforts extend beyond the latest spear-phishing with Flash exploit malfeasance. Aside from malware attacks, fake Outlook Web Access (OWA) servers were also set up for various ministries. These were used for simple, but extremely effective, credential phishing attacks.

“One Ministry of Foreign Affairs got its DNS settings for incoming mail compromised,” Trend Micro reports. “This means that Pawn Storm has been intercepting incoming email to this organisation for an extended period of time in 2015.” ®