Even if you just patched Adobe Flash, attackers from the Pawn Storm cyber-espionage campaign are exploiting yet another new zero-day in Flash.

If you haven’t kicked Adobe Flash to the curb, and you should, then don’t feel secure even if you are running a fully patched version of Flash Player.

Although Adobe released a mega-sized patch yesterday, including security fixes for 69 critical vulnerabilities in Flash, Reader and Acrobat, attackers are armed with a zero-day exploit that leaves fully patched versions of Flash Player vulnerable.

Trend Micro researchers announced that attackers behind the Pawn Storm cyber-espionage campaign are using spear phishing e-mails that contain links leading to the Flash exploit. “Based on our analysis, the Flash zero-day affects at least Adobe Flash Player versions 19.0.0.185 and 19.0.0.207.”

Wait, what? Didn’t Adobe just patch that? Why yes it did, so you’ve got to ask yourself why are you still using Flash… because something you love won’t run without it? Maybe it’s time to call the companies behind those products to task? Adobe claims Flash Player is on 99% of PCs and over 65% of smartphones, yet Flash is reportedly only “used by 9.9% of all websites.”

Trend Micro reported:

In this most recent campaign, Pawn Storm targeted several foreign affairs ministries from around the globe. The targets received spear phishing e-mails that contained links leading to the exploit.
The emails and URLs were crafted to appear like they lead to information about current events, with the email subjects containing the following topics:

“Suicide car bomb targets NATO troop convoy Kabul”
“Syrian troops make gains as Putin defends air strikes”
“Israel launches airstrikes on targets in Gaza”
“Russia warns of response to reported US nuke buildup in Turkey, Europe”
“US military reports 75 US-trained rebels return Syria”

It’s worth noting that the URLs hosting the new Flash zero-day exploit are similar to the URLs seen in attacks that targeted North Atlantic Treaty Organization (NATO) members and the White House in April this year.

The Pawn Storm group has been running an espionage campaign for a long time. Some experts believe the espionage is linked to the Russian government. The group is believed to have been behind a Java zero-day used earlier this year. The cyber-espionage campaign has targeted the White House, members of NATO, the German parliament, as well as “domestic spying in Russia” on media, diplomats, peace activists, artists and software developers to name but a few.

Ukraine, United States and United Kingdom are the top three countries targeted by Pawn Storm. While defense companies and the military are primary targets in the U.S., Pawn Storm has also gone after government, academia, media, diplomats, researchers in oil and nuclear energy sectors, civil aviation, NGOs, real estate and more.

Trend Micro notified Adobe about the latest zero-day in Flash. In other words, don’t ignore it if Adobe pushes out a new emergency patch. But there is a way to protect yourself now from the Flash zero-day.

As BloombergView put it, “If Adobe won’t retire Flash, just hit delete.”