Network security specialist FireEye has discovered a zero-day exploit in the latest version of Adobe Flash that has been used by an unidentified party to target non-profit organisations.
As part of the campaign it dubbed ‘Operation Greedy Wonk’, visitors to the websites of the American Research Centre in Egypt, Peterson Institute for International Economics and Smith Richardson Foundation were redirected to a website which took advantage of the previously unknown remote code injection vulnerability.
FireEye suggests that the group responsible for these attacks is well-funded, and has a particular interest in the US organisations dealing with foreign policy, defence and socio-cultural issues. It estimates that the exploit helped infect hundreds, possibly even thousands of Internet users.
In order to work, the exploit requires its victims to run Windows XP or Windows 7. According to FireEye, the website that the visitors were redirected to hosted a hidden iframe, which overwrote the vftable pointer of a Flash object. Once the exploit succeeded, it installed a version of PlugX Remote Access Tool (RAT) on the compromised system.
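The redirect chain above starts with a hidden iframe injected into a compromised non-profit site. As an added example (not code from FireEye or this article), the following defender-side scan lets a site owner check their own pages for invisible iframes pointing off-site; the hidden-iframe heuristics, the hostname `www.example.org` and the sample HTML are constructed assumptions.

```python
# Added example: scan HTML for hidden iframes that load content from another host.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Heuristic (assumption): inline styles that make a frame invisible to the visitor.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _is_tiny(value):
    """True for width/height attributes of 0 or 1 pixel, a common hiding trick."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1

class HiddenIframeFinder(HTMLParser):
    """Collects iframes that are invisible to the visitor and point off-site."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        hidden = (
            _is_tiny(a.get("width")) or _is_tiny(a.get("height"))
            or bool(HIDDEN_STYLE.search(a.get("style", "")))
        )
        off_site = bool(host) and host != self.own_host  # relative src stays on-site
        if hidden and off_site:
            self.findings.append({"src": src, "host": host})

def find_hidden_iframes(html, own_host):
    """Return hidden, off-site iframes found in an HTML page as a list of dicts."""
    p = HiddenIframeFinder(own_host)
    p.feed(html)
    return p.findings

# Constructed sample page: a legitimate embed, an injected 1x1 off-site iframe,
# and a hidden but local frame that should not be flagged.
SAMPLE_PAGE = """
<html><body>
<iframe src="https://www.example.org/embed/map" width="400" height="300"></iframe>
<iframe src="http://redirector.invalid/path.html" width="1" height="1"></iframe>
<iframe src="/local/frame.html" style="display:none"></iframe>
</body></html>
"""
```

Run `find_hidden_iframes(SAMPLE_PAGE, "www.example.org")` to see only the 1x1 off-site frame reported; a hit on a live site is a reason to pull the page for review, not proof of compromise on its own.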
FireEye has linked these attacks to a May 2012 campaign against human rights organisations, first described by ShadowServer. The company thinks they were perpetrated by the same malicious actor, who communicates in Chinese and uses similar attack infrastructure and malware configuration properties.
FireEye has notified the target organisations and Adobe, which has designated the vulnerability as CVE-2014-0502 and issued a corresponding security bulletin. While Adobe patches Flash, the security company advises users to also update Java and Office to help mitigate the threat.
“This threat actor clearly seeks out and compromises websites of organizations related to international security policy, defense topics, and other non-profit sociocultural issues,” explained a statement on the FireEye blog. “The actor either maintains persistence on these sites for extended periods of time or is able to re-compromise them periodically.
“This actor also has early access to a number of zero-day exploits, including Flash and Java, and deploys a variety of malware families on compromised systems. Based on these and other observations, we conclude that this actor has the tradecraft abilities and resources to remain a credible threat in at least the mid-term.”