Adobe Flash zero-day actively exploited in targeted attacks

A zero-day vulnerability affecting the latest version of Adobe Flash Player and all previous ones is being actively exploited in limited, targeted attacks, the company has announced on Tuesday.


The flaw (CVE-2016-4171) exists in Adobe Flash Player and earlier versions for Windows, Macintosh, Linux, and Chrome OS, and can be exploited to cause a crash and potentially allow an attacker to take control of the affected system.

Kaspersky Lab’s Costin Raiu offered some more details about the attacks, but not about the zero-day itself as the patch is going to be released on Thursday (June 16) at the earliest.

In short, the flaw is being leveraged by an APT group Kaspersky Lab has dubbed ScarCruft, a cyber espionage group that has been targeting organizations in Russia, Nepal, South Korea, China, India, Kuwait and Romania.

“Currently, the group is engaged in two major operations: Operation Daybreak and Operation Erebus,” says Raiu.

“The first of them, Operation Daybreak, appears to have been launched by ScarCruft in March 2016 and employs a previously unknown (0-day) Adobe Flash Player exploit, focusing on high profile victims. The other one, Operation Erebus, employs an older exploit, for CVE-2016-4117, and leverages watering holes. It is also possible that the group deployed another zero day exploit, CVE-2016-0147, which was patched in April.”

The good news is that Microsoft’s EMET tool blocks the exploit, so users who deployed it are safe.

Home users are unlikely to have been targeted in these attacks. However, now that the existence of the zero-day is known and the patch is set to be released quickly, other capable attackers will soon be able to recreate the exploit, and it will likely be added to popular exploit kits.

Users are advised to update Adobe Flash Player as soon as the patch is pushed out, or to forgo the buggy app altogether, if possible. For Windows users, deploying EMET is generally also a good idea.