Network security specialist FireEye has discovered a zero-day exploit in the latest version of Adobe Flash that has been used by an unidentified party to target non-profit organisations.
As part of the campaign it dubbed ‘Operation GreedyWonk’, visitors to the websites of the American Research Centre in Egypt, the Peterson Institute for International Economics and the Smith Richardson Foundation were redirected to a website that took advantage of the previously unknown remote code injection vulnerability.
FireEye suggests that the group responsible for these attacks is well-funded and has a particular interest in US organisations dealing with foreign policy, defence and socio-cultural issues. It estimates that the exploit helped infect hundreds, possibly even thousands, of Internet users.
In order to work, the exploit requires its victims to run Windows XP or Windows 7. According to FireEye, the website that the visitors were redirected to hosted a hidden iframe, which overwrote the vftable pointer of a Flash object. Once the exploit succeeded, it installed a version of PlugX Remote Access Tool (RAT) on the compromised system.
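The watering-hole step described above relies on a hidden iframe planted in a legitimate site. As an added defender-side example (not code from FireEye's write-up or this article), the script below scans a page's HTML for iframes that are hidden by CSS or zero-sized and that load content from a host other than the site's own; the sample page and the host names in it are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for a hypothetical compromised site: one normal video
# embed, one hidden iframe loading from a third-party host, one hidden local one.
SAMPLE_HTML = """<html><body><h1>Events</h1>
<iframe src="https://video.example.org/embed/42" width="640" height="360"></iframe>
<div style="display:none">
  <iframe src="http://exploit-host.invalid/x.html" width="0" height="0"></iframe>
</div>
<iframe src="/local/widget.html" style="visibility:hidden"></iframe>
</body></html>"""

HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d+", re.I)
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr", "area", "base", "col", "source"}

def _dim(value):
    """Parse a width/height attribute; absent or unparsable counts as visible."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else 10**6

class IframeCollector(HTMLParser):
    """Records every iframe and whether it, or an ancestor, is hidden by CSS."""
    def __init__(self):
        super().__init__()
        self.stack = []      # one entry per open ancestor: True if it is hidden
        self.iframes = []    # (src, hidden) tuples in document order
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = any(self.stack) or bool(HIDDEN_CSS.search(a.get("style") or ""))
        if tag == "iframe":
            tiny = _dim(a.get("width")) <= 1 and _dim(a.get("height")) <= 1
            self.iframes.append((a.get("src") or "", hidden or tiny))
        if tag not in VOID_TAGS:
            self.stack.append(hidden)
    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

def find_suspicious_iframes(html, page_url):
    """Return src values of iframes that are hidden and load from another host."""
    own_host = urlparse(page_url).hostname
    parser = IframeCollector()
    parser.feed(html)
    return [src for src, hidden in parser.iframes
            if hidden and urlparse(src).hostname not in (None, own_host)]

if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_HTML, "https://events.example.org/"):
        print("hidden third-party iframe:", src)
```

Run against the constructed sample it reports only the hidden iframe pointing at exploit-host.invalid; the visible video embed and the hidden same-site widget are left alone.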
FireEye has linked these attacks to a May 2012 campaign against human rights organisations, first described by ShadowServer. The company thinks they were perpetrated by the same malicious actor, who communicates in Chinese and uses similar attack infrastructure and malware configuration properties.
FireEye has notified the targeted organisations and Adobe, which has designated the vulnerability CVE-2014-0502 and issued a security bulletin for it. While Adobe patches Flash, the security company advises users to update Java and Office to help mitigate the threat.
“This threat actor clearly seeks out and compromises websites of organizations related to international security policy, defense topics, and other non-profit sociocultural issues,” explained a statement on the FireEye blog. “The actor either maintains persistence on these sites for extended periods of time or is able to re-compromise them periodically.
“This actor also has early access to a number of zero-day exploits, including Flash and Java, and deploys a variety of malware families on compromised systems. Based on these and other observations, we conclude that this actor has the tradecraft abilities and resources to remain a credible threat in at least the mid-term.”