Adobe has issued a patch for a zero-day vulnerability that a notorious hacking group has been using to plant surveillance software developed for sale to governments.
The patch came shortly after the significant vulnerability was first disclosed by Kaspersky Lab. A Middle East-based advanced persistent threat group known as BlackOasis had reportedly been caught using the exploit in the wild to distribute FinSpy malware created by Gamma International.
Individuals and organizations still running Adobe Flash, especially in business and government environments, are advised to install the update immediately to close off the exploit.
The flaw, discovered by Kaspersky Lab security researcher Anton Ivanov, is a critical type confusion vulnerability that lets an attacker execute code of their choosing on the victim's machine. Flash Player is affected on every major desktop platform, including Windows, macOS, Linux and Chrome OS.
In its security advisory, Adobe warns that the vulnerability affects Adobe Flash Player Desktop Runtime, Adobe Flash Player for Google Chrome, and Adobe Flash Player for Microsoft Edge and Internet Explorer 11.
The exploit reaches victims inside a Microsoft Word document. Opening the document triggers the exploit, which compromises the machine and installs the FinSpy malware.
FinSpy, also known as FinFisher, is commercial malware sold to nation states and law enforcement agencies for surveillance. It has mostly been used domestically, by law enforcement agencies spying on local targets, which have included criminals, journalists and activist organizations.
The commercial spyware is capable of monitoring communications of its victims, including conversations performed on software such as Skype. It can also eavesdrop on video chats, record calls, view and copy a user’s files, and perform other surveillance tasks.
“The attack using the recently discovered zero-day exploit is the third time this year we have seen FinSpy distribution through exploits to zero-day vulnerabilities,” Anton Ivanov said in a statement.
“Previously, actors deploying this malware abused critical issues in Microsoft Word and Adobe products. We believe the number of attacks relying on FinSpy software, supported by zero-day exploits such as the one described here, will continue to grow,” he said.
BlackOasis has previously used the spyware against targets in a number of countries, including Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, the Netherlands, Bahrain, the United Kingdom and Angola.
In the recent attack exploiting the Adobe zero-day, BlackOasis deployed the most recent version of FinSpy, which includes a number of anti-analysis techniques that make forensic analysis of the malware considerably harder.
Kaspersky Lab advised organizations to set the kill bit for the Flash ActiveX control, a Windows registry setting that prevents Internet Explorer and Office applications from loading the control at all, and to stop using Flash entirely wherever possible. Note that the kill bit closes the Word-document delivery route seen in this campaign but does nothing for Flash embedded in other browsers, so patching remains necessary. The security firm also recommended a multi-layered security stack covering the network and every endpoint that could be exposed to attack.
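The kill-bit mitigation above, written out as an added example that is not code from the article or from Kaspersky Lab. It sets the kill bit for the Flash Player ActiveX control on a Windows machine. The control's CLSID is resolved from its ProgID (ShockwaveFlash.ShockwaveFlash) on the local registry and falls back to the well-known documented value; both are assumptions to verify against your own hosts, as is the choice to apply the setting to the Wow6432Node view for 32-bit Office on 64-bit Windows. Run from an elevated PowerShell prompt and test on a lab machine first:

```powershell
# Added example (not from the article or Kaspersky Lab): set the ActiveX kill bit
# for the Flash Player control so that Internet Explorer and Office refuse to
# load it. Requires an elevated prompt.

# Resolve the Flash control's CLSID from its ProgID rather than hard-coding it.
# Assumption: ProgID is ShockwaveFlash.ShockwaveFlash; fall back to the
# documented CLSID {D27CDB6E-AE6D-11cf-96B8-444553540000} if it is not present.
$progId = 'ShockwaveFlash.ShockwaveFlash'
$clsid  = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\CLSID" `
            -ErrorAction SilentlyContinue).'(default)'
if (-not $clsid) {
    $clsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
}

# The kill bit is bit 10 (0x400) of the "Compatibility Flags" DWORD under the
# ActiveX Compatibility key. Office and IE consult this key before loading a control.
$killBit = 0x400
$paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid",
    # 32-bit applications on 64-bit Windows read the Wow6432Node view instead.
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
)

foreach ($p in $paths) {
    if (-not (Test-Path $p)) {
        New-Item -Path $p -Force | Out-Null
    }
    $current = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    if (-not $current) { $current = 0 }
    # OR the kill bit into any flags already present instead of overwriting them,
    # so other compatibility settings for the control survive.
    $new = $current -bor $killBit
    Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value $new -Type DWord
}

# Verify: each path should now report the kill bit as set.
foreach ($p in $paths) {
    $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags').'Compatibility Flags'
    $state = if ($flags -band $killBit) { 'set' } else { 'NOT set' }
    '{0}: 0x{1:X} (kill bit {2})' -f $p, $flags, $state
}
```

Deploying the same value through Group Policy Preferences (Registry) gives you the same result fleet-wide with a single change. Keep in mind that this only stops the ActiveX control from being instantiated; Flash content loaded by Chrome or Edge through their own plugin interfaces is unaffected, so the Adobe update still has to be applied.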