Adobe issued an emergency zero-day patch to fix a critical Flash Player vulnerability (CVE-2015-3113), research group FireEye points out.
The notorious APT3 cyberespionage group based in China has been exploiting this vulnerability over the past few weeks to attack various organizations from the defense, aerospace, technology, construction, telecommunications, engineering and transportation industries, FireEye reveals.
The security research group details its findings in a blog post, explaining how the attackers' phishing emails contained links to compromised web servers that could serve malicious Adobe Flash Player files exploiting the CVE-2015-3113 zero-day vulnerability.
The attackers reportedly profiled potential victims using JavaScript code, and the ones who met the criteria were tricked with a generic phishing email with a spam-like text.
To better illustrate this process, FireEye gives an example of such a bait offer via email: a refurbished iMac certified by Apple, with a notable discount of up to $450, complete with a one-year extendable warranty option. When recipients clicked on the provided link, they were redirected to a server loaded with special scripts designed to check whether that computer was worth hacking.
Users with devices not worth attacking would receive benign content, but those with systems that would interest the hackers would receive malicious SWF and FLV files.
APT3 apparently uses the exploit to install a backdoor called SHOTPUT, reported as Backdoor.APT.CookieCutter, and the threat is detected as a web infection. One inside an organization's network, the attackers can then use other exploits to reach and compromise other systems as well.
In a short advisory, Adobe noted that the CVE-2015-3113 vulnerability indeed sees active exploits in the wild, but trough "limited, targeted attacks." Internet Explorer users on Windows 7 and earlier and Firefox users on Windows XP are "known tagets."
The company has released emergency security updates for its Adobe Flash Player for Windows, Macintosh, and Linux, and advises all users to update as soon as possible.
"These updates address a critical vulnerability (CVE-2015-3113) that could potentially allow an attacker to take control of the affected system," Adobe pointed out in its advisory.
The Flash Player plugin installed by default in Google Chrome and Internet Explorer on Windows 8.x will receive the update automatically, so users don't have to do anything. Similarly, Windows or Mac Flash Player users who have the option "allow Adobe to install updates" enabled will get this patch automatically as well. Other users should take the necessary steps to update immediately.
