The Russia-linked cyber espionage group known as APT28 has been using a recently patched Adobe Flash Player vulnerability in attacks aimed at government organizations and aerospace companies, security firm Proofpoint reported on Thursday.
The Flash Player flaw in question, CVE-2017-11292, was patched by Adobe on October 16. When the patch was released, the vulnerability had zero-day status: it had already been exploited in targeted attacks by a Middle Eastern threat actor named BlackOasis to deliver FinFisher spyware.
APT28, which is also known as Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit and Tsar Team, started launching attacks using CVE-2017-11292 on October 18, Proofpoint said. It’s unclear whether APT28 discovered the exploit on its own, purchased it, or reverse-engineered the one used in the BlackOasis attack.
Nevertheless, Proofpoint pointed out that the cyberspies are likely trying to take advantage of the recently fixed vulnerability before Adobe’s patch is widely deployed by users.
The attacks observed by the security firm were aimed at organizations in the United States, Europe and other countries. The targets included foreign government organizations with responsibilities similar to the U.S. State Department, and private-sector aerospace companies.
The messages delivering the exploits were highly targeted and were sent from free email services, Proofpoint said. The attackers used malicious documents and their previously known Flash Player exploit platform, DealersChoice, to deliver a first-stage implant, specifically a reconnaissance tool.
While CVE-2017-11292 affects Windows, Mac and Linux systems, APT28 apparently only targeted Windows users. Tests conducted by researchers showed that the exploit works on Windows 7 or Windows 10 systems running Microsoft Office 2013. It fails to execute, however, on 64-bit systems running Windows 10 Fall Creators Update (RS3) with Office 2016.
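A defender-side check that this reporting suggests, added here as an illustration and not taken from Proofpoint or the article: a document-borne Flash exploit like the one described needs either a SWF payload or the Flash ActiveX control inside the file, so flagging Office documents that carry one is a cheap triage signal. The SWF magic bytes and the Shockwave Flash ActiveX CLSID are well-known public values; the sample document, the scoring thresholds and the function names are this example's own constructions.

```python
import io
import re
import zipfile
import zlib

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")  # raw, zlib- and LZMA-compressed SWF
# Shockwave Flash ActiveX CLSID as written into OOXML activeX*.xml parts.
FLASH_CLSID = re.compile(rb"D27CDB6E-AE6D-11CF-96B8-444553540000", re.I)


def swf_indicators(data: bytes) -> list:
    """Return indicator strings found in one byte blob (empty if clean)."""
    hits = []
    for magic in SWF_MAGICS:
        off = data.find(magic)
        while off != -1:
            # SWF header: 3-byte magic, 1-byte version, 4-byte LE length;
            # the version check drops chance hits on plain text.
            if len(data) >= off + 8 and 1 <= data[off + 3] <= 40:
                hits.append(f"swf:{magic.decode()}:v{data[off + 3]}@{off}")
            off = data.find(magic, off + 1)
    if FLASH_CLSID.search(data):
        hits.append("flash-activex-clsid")
    return hits


def scan_document(blob: bytes) -> dict:
    """Map suspicious zip members (or '<raw>' for RTF/OLE files) to hits."""
    if not blob.startswith(b"PK"):  # RTF, legacy OLE: scan the whole file
        hits = swf_indicators(blob)
        return {"<raw>": hits} if hits else {}
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():  # OOXML: inspect every part
            hits = swf_indicators(zf.read(name))
            if hits:
                findings[name] = hits
    return findings


def build_sample_docx() -> bytes:
    """Constructed test input: a minimal OOXML zip carrying a fake SWF part."""
    swf = b"CWS" + bytes([30]) + (100).to_bytes(4, "little") + zlib.compress(b"\0" * 64)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/activeX/activeX1.xml",
                    '<ax:ocx ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}"/>')
        zf.writestr("word/activeX/activeX1.bin", swf)
    return buf.getvalue()
```

Running `scan_document(build_sample_docx())` reports the SWF header in the ActiveX binary part and the Flash CLSID in its XML; a document that embeds Flash this way warrants sandboxing regardless of which CVE the SWF targets.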
“APT28 is a sophisticated state-sponsored group that is using the vulnerability to attack potentially high-value targets but it is likely that other threat actors will follow suit and attempt to exploit this vulnerability more widely, whether in exploit kits or via other attack vectors,” Proofpoint researchers explained.
The security firm has been working on taking down the command and control (C&C) domains used in these attacks.