Hackers exploit new zero-day in fully patched Adobe Flash

If you haven’t kicked Adobe Flash to the curb, and you should, then don’t feel secure even if you are running a fully patched version of Flash Player.

Although Adobe released a mega–sized patch yesterday, including security fixes for 69 critical vulnerabilities in Flash, Reader and Acrobat, attackers are armed with a zero-day exploit that leaves fully patched versions of Flash Player vulnerable.

Trend Micro researchers announced that attackers behind the Pawn Storm cyber-espionage campaign are using spear phishing e-mails that contain links leading to the Flash exploit. “Based on our analysis, the Flash zero-day affects at least Adobe Flash Player versions 19.0.0.185 and 19.0.0.207.”

Wait, what? Didn’t Adobe just patch that? Why yes it did, so you’ve got to ask yourself why are you still using Flash…because something you love won’t run without it? Maybe it’s time to call the companies behind those products to task? Adobe claims Flash Player is on 99% of PCs and over 65% of smartphones, yet Flash is reportedly only “used by 9.9% of all websites.”

Trend Micro reported:

In this most recent campaign, Pawn Storm targeted several foreign affairs ministries from around the globe. The targets received spear phishing e-mails that contained links leading to the exploit. The emails and URLs were crafted to appear like they lead to information about current events, with the email subjects containing the following topics:

“Suicide car bomb targets NATO troop convoy Kabul”

“Syrian troops make gains as Putin defends air strikes”

“Israel launches airstrikes on targets in Gaza”

“Russia warns of response to reported US nuke buildup in Turkey, Europe”

“US military reports 75 US-trained rebels return Syria”

It’s worth noting that the URLs hosting the new Flash zero-day exploit are similar to the URLs seen in attacks that targeted North Atlantic Treaty Organization (NATO) members and the White House in April this year.

The Pawn Storm group has been running an espionage campaign for a long time. Some experts believe the espionage is linked to the Russian government. The group is believed to have been behind a Java zero-day used earlier this year. The cyber-espionage campaign has targeted the White House, members of NATO, the German parliament, as well as “domestic spying in Russia” on media, diplomats, peace activists, artists and software developers to name but a few.

Ukraine, United States and United Kingdom are the top three countries targeted by Pawn Storm. While defense companies and the military are primary targets in the U.S., Pawn Storm has also gone after government, academia, media, diplomats, researchers in oil and nuclear energy sectors, civil aviation, NGOs, real estate and more.

Trend Micro notified Adobe about the latest zero-day in Flash. In other words, don’t ignore it if Adobe pushes out a new emergency patch. But there is a way to protect yourself now from the Flash zero-day.

As BloombergView put it, “If Adobe won’t retire Flash, just hit delete.”