APT group uses zero-day Flash exploit to hack enterprises

The ScarCruft group has left victims around the world by exploiting a previously unknown (zero-day) vulnerability in Adobe Flash Player, according to Kaspersky Lab, which has dubbed the campaign Operation Daybreak.

Operation Daybreak was launched by ScarCruft group

A new hacking group is exploiting a zero-day flaw in Flash to launch attacks on a series of high-profile victims.

The criminal gang has been dubbed ScarCruft by Kaspersky and is a relatively new APT group. Victims have been found in Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations, using multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer.

According to Kaspersky, ScarCruft launched Operation Daybreak in March this year, employing a previously unknown (zero-day) Adobe Flash Player exploit. The firm said it is also possible that the group deployed another zero-day exploit, CVE-2016-0147, which was patched in April.

“Operation Daybreak appears to have been launched by unknown attackers to infect high profile targets through spear-phishing e-mails. To date, we have observed more than two dozen victims for these attacks,” said Costin Raiu and Anton Ivanov in a blog post.

In the case of Operation Daybreak, the hacked website hosting the exploit kit performs a couple of browser checks before redirecting the visitor to a server controlled by the attackers and hosted in Poland.
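The redirect chain described above (a legitimate but compromised site fingerprints the browser, then bounces the visitor to a second host that serves the Flash exploit) leaves a recognisable trace in web-proxy logs. The following is an added example written for this article, not code from Kaspersky or from the campaign itself: a heuristic that flags a Flash (.swf) fetch when it was referred from a different host, that referring host had just issued the client a redirect, and the serving host is rare across the organisation. The log format, the hostnames, the client addresses and the thresholds are all constructed assumptions for the demonstration; none of them come from the article.

```python
"""Added example: proxy-log heuristic for the hacked-site -> attacker-server redirect
chain behind a Flash exploit kit.  Not from the article or from Kaspersky."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log: "timestamp client status url referer content-type".
# Hosts, clients and paths are made up for this demo (they are NOT the campaign's).
SAMPLE_LOG = """\
2016-03-14T09:12:01 10.0.0.5 200 http://news.example.org/article/1 - text/html
2016-03-14T09:12:02 10.0.0.5 302 http://news.example.org/ads/check.php http://news.example.org/article/1 text/html
2016-03-14T09:12:03 10.0.0.5 200 http://cdn-static-update.example.net/sw.swf http://news.example.org/ads/check.php application/x-shockwave-flash
2016-03-14T09:13:10 10.0.0.7 200 http://news.example.org/article/2 - text/html
2016-03-14T09:13:11 10.0.0.7 200 http://news.example.org/player.swf http://news.example.org/article/2 application/x-shockwave-flash
2016-03-14T09:15:00 10.0.0.9 200 http://video.example.com/index.html - text/html
2016-03-14T09:15:01 10.0.0.9 200 http://video.example.com/v.swf http://video.example.com/index.html application/x-shockwave-flash
"""

FLASH_TYPES = {"application/x-shockwave-flash", "application/vnd.adobe.flash.movie"}


def parse_log(text):
    """Parse the constructed six-field format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, status, url, referer, ctype = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "client": client,
            "status": int(status),
            "url": url,
            "host": urlparse(url).hostname,
            "referer": None if referer == "-" else referer,
            "ref_host": None if referer == "-" else urlparse(referer).hostname,
            "ctype": ctype,
        })
    return events


def is_flash(ev):
    """A response is 'Flash' if the proxy saw a Flash content-type or a .swf path."""
    return ev["ctype"] in FLASH_TYPES or urlparse(ev["url"]).path.lower().endswith(".swf")


def find_watering_hole_candidates(events, window=timedelta(seconds=30), max_clients=2):
    """Flag a Flash fetch when all three hold:
      (a) the referer is on a different host than the SWF,
      (b) that referring host sent this client a 3xx redirect within `window`, and
      (c) the SWF host is rare in the log (at most `max_clients` distinct clients).
    Each condition alone is common (CDNs, ad networks); together they match the
    compromised-site -> attacker-controlled-server chain.  Thresholds are assumptions."""
    clients_per_host = defaultdict(set)
    for ev in events:
        clients_per_host[ev["host"]].add(ev["client"])

    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)

    hits = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if not is_flash(ev) or ev["ref_host"] is None or ev["ref_host"] == ev["host"]:
                continue  # same-origin Flash (site's own player) is not interesting
            if len(clients_per_host[ev["host"]]) > max_clients:
                continue  # widely used host, e.g. a real CDN
            redirected = any(
                300 <= prev["status"] < 400
                and prev["host"] == ev["ref_host"]
                and ev["ts"] - prev["ts"] <= window
                for prev in evs[:i]
            )
            if redirected:
                hits.append({"client": client, "swf": ev["url"], "referer": ev["referer"]})
    return hits


if __name__ == "__main__":
    for hit in find_watering_hole_candidates(parse_log(SAMPLE_LOG)):
        print(f"{hit['client']} fetched {hit['swf']} after redirect from {hit['referer']}")
```

On the constructed log this flags only the 10.0.0.5 chain; the two same-origin SWF fetches are ignored. The rarity check (c) is what keeps the rule quiet on a real network, since most cross-origin Flash content came from a handful of ad and CDN hosts seen by many clients, and it is also the condition an attacker serving a zero-day "sparingly" to selected targets is least able to avoid.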

The hacking group is also behind a separate campaign dubbed Operation Erebus, which abuses a critical vulnerability in Flash Player, patched in May, through watering hole attacks.

Adobe has put out a security advisory and said it will address the new vulnerability in its monthly security bulletins.

Kaspersky said that resourceful threat actors such as ScarCruft will probably continue to deploy zero-day exploits against their high profile targets.

“As usual, the best defence against targeted attacks is a multi-layered approach. Windows users should combine traditional anti-malware technologies with patch management, host intrusion detection and, ideally, whitelisting and default-deny strategies,” said the firm.

Mark James, security specialist at ESET, told SCMagazineUK.com that, as with a lot of threats, the end user is usually directed somewhere dubious or tricked into downloading the malicious file and then executing it.

“Protecting yourself against Flash and indeed many other exploits can be as simple as multi-layering your defences. Ensuring your operating system and applications are up to date and updating regularly is very important, along with taking some precautions against auto-running files,” he said.

Javvad Malik, security advocate at AlienVault, told SC that it's important to share the information in a timely manner to allow defences to be tuned prior to an attack.

“This is particularly important where an APT like ScarCruft is using the zero-day sparingly, against specifically selected targets, an approach that can allow it to operate for longer periods undetected,” he said.