A cyber-espionage group identified in the cyber-security industry as APT28, and believed to be operating under the supervision of the Russian state, has recently launched several malware distribution campaigns that try to take advantage of a Flash zero-day vulnerability that Adobe patched earlier this week.
It is clear that APT28 is trying to exploit the CVE-2017-11292 zero-day before the vast majority of users receive patches or update their systems.
According to US cyber-security firm Proofpoint, which first spotted these attacks, APT28 went after a broad set of targets across Europe and in the US.
Current data on the email spear-phishing campaign suggests the group targeted state departments and private-sector businesses in the aerospace industry.
Evidence also suggests the group rushed to assemble an exploit and the distribution campaign, reusing code from past attacks, and leaving experts with an impression of a sloppy operation.
This is not specific to APT28, a group that's been quite apt at its job, albeit not perfect. The group is known under other nicknames such as Fancy Bear, Sofacy, Sednit, Tsar Team, Pawn Storm, or Strontium, and has orchestrated attacks against the DNC, the German Parliament, NATO, the Pentagon, the White House, and many more.
This is also not the first time the group races to exploit a zero-day before most of its targets patch their systems. The group did the same in May this year after Microsoft patched three zero-days — CVE-2017-0261 (Office EPS feature), CVE-2017-0262 (Microsoft Word), and CVE-2017-0263 (Windows).
APT28 discovered and exploited those zero-days itself. This time around, the Flash zero-day patched this week was not their own. Nonetheless, APT28 found a way to work out its exploitation chain and use it in attacks before the vulnerability went completely cold and lost its effectiveness.
Kaspersky researchers discovered the CVE-2017-11292 Flash zero-day in attacks carried out by a Middle Eastern cyber-espionage group known as BlackOasis. The group is known for employing a spying ("lawful surveillance") toolkit named FinSpy, sold by UK firm Gamma Group International.
It is unclear if APT28 purchased the zero-day as well, discovered it on their own, or reverse engineered it from the BlackOasis attack.
APT28's CVE-2017-11292 attacks were easy to spot because they employed the same old DealersChoice malware.
DealersChoice is an exploitation framework embedded in Office files sent via spear-phishing email. When the user opens these booby-trapped files, DealersChoice calls to a remote server, downloads the CVE-2017-11292 exploit code, and tries to run it on the victim's side.
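The behaviour described above, a document opened in an Office application followed shortly by an outbound connection from that same process, is something a defender can correlate in endpoint telemetry without knowing the specific server involved. The following is an added example, not code from the article or from Proofpoint: it runs a simple open-then-connect correlation over constructed sample events. The event shape, the allow-listed hostnames and the 203.0.113.x addresses are all assumptions made for the example, not indicators from the campaign.

```python
"""
Added example: correlate Office document opens with later outbound
connections from the same process, the pattern the article describes for
DealersChoice. All telemetry below is constructed; none of it is a real IoC.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Office executables whose outbound connections we want to scrutinize.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed allow-list of destinations an Office client legitimately
# contacts (licensing, updates). A real deployment would fill this from
# its own baseline; these hostnames are placeholders.
EXPECTED_DESTINATIONS = {
    "licensing.example-office.net",
    "updates.example-office.net",
}

# How long after a document is opened a callback still counts as suspicious.
CALLBACK_WINDOW = timedelta(seconds=60)


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str     # "doc_open" (Office process opened a file) or "net_connect"
    pid: int
    image: str    # executable name as reported by the sensor
    detail: str   # document path for doc_open, "host:port" for net_connect


def find_document_callbacks(events, window=CALLBACK_WINDOW):
    """Return (pid, document, destination) tuples for Office processes that
    opened a document and, within `window`, connected to a host that is not
    on the allow-list. Events are processed in timestamp order."""
    opened = {}   # pid -> (open timestamp, document path)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.image.lower() not in OFFICE_PROCESSES:
            continue
        if ev.kind == "doc_open":
            opened[ev.pid] = (ev.ts, ev.detail)
        elif ev.kind == "net_connect" and ev.pid in opened:
            opened_at, document = opened[ev.pid]
            host = ev.detail.rsplit(":", 1)[0]
            if ev.ts - opened_at <= window and host not in EXPECTED_DESTINATIONS:
                alerts.append((ev.pid, document, ev.detail))
    return alerts


# Constructed sample telemetry. 203.0.113.0/24 is a documentation-only range.
T0 = datetime(2017, 10, 20, 9, 0, 0)
SAMPLE_EVENTS = [
    # Benign: Excel opens a sheet and talks only to an allow-listed host.
    Event(T0, "doc_open", 1001, "EXCEL.EXE", r"C:\Users\alice\budget.xlsx"),
    Event(T0 + timedelta(seconds=5), "net_connect", 1001, "EXCEL.EXE",
          "licensing.example-office.net:443"),
    # Suspicious: Word opens an attachment, then reaches an unknown server.
    Event(T0 + timedelta(minutes=1), "doc_open", 2002, "WINWORD.EXE",
          r"C:\Users\alice\Downloads\invoice.docx"),
    Event(T0 + timedelta(minutes=1, seconds=12), "net_connect", 2002,
          "WINWORD.EXE", "203.0.113.7:80"),
    # Outside the window: a connection long after the open is not correlated.
    Event(T0 + timedelta(minutes=2), "doc_open", 3003, "POWERPNT.EXE",
          r"C:\Users\bob\deck.pptx"),
    Event(T0 + timedelta(minutes=10), "net_connect", 3003, "POWERPNT.EXE",
          "203.0.113.9:443"),
    # Not an Office process: ignored entirely.
    Event(T0 + timedelta(minutes=3), "net_connect", 4004, "chrome.exe",
          "203.0.113.7:80"),
]


if __name__ == "__main__":
    for pid, document, destination in find_document_callbacks(SAMPLE_EVENTS):
        print(f"pid {pid}: {document} -> {destination}")
```

Only the Word process that opened the downloaded attachment and then contacted an unlisted host is flagged. The window and allow-list are the two knobs that decide how noisy this is in practice; an Office client phones home for licensing and updates routinely, so the allow-list has to be built from a clean baseline rather than guessed.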
Proofpoint said it is currently trying to take down C&C servers associated with the DealersChoice attack framework used in this recent campaign. A technical breakdown of the recent attacks, along with IOCs, is available in Proofpoint's report.