Kaspersky: We know the hackers behind latest Flash 0-day

Adobe on Tuesday reported that a previously undisclosed flaw in Flash Player is under attack. Russian security firm Kaspersky says it knows the group behind the attacks and advises using Microsoft’s EMET security tool until a patch is available.

Adobe said the Flash Player flaw CVE-2016-4171 had been used in “limited, targeted attacks”, implying a possibly state-backed cyber-espionage group was using the flaw to infect machines with malware. Adobe intends to release a patch as early as Thursday, it said on Tuesday.

Kaspersky Lab has now shed some light on the hacking crew behind the latest attacks on Flash Player. The Russian company’s researchers call the group “ScarCruft”; it first appeared on their radar in March.

“The group has several ongoing operations utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer,” the firm said.

Kaspersky hasn’t provided technical details about the exploit, but noted the attackers have targeted victims in Russia, Nepal, South Korea, China, India, Kuwait, and Romania.

One of the campaigns focuses on “high profile” targets, while the other compromises websites chosen for the profile of their visitors, a technique known as a ‘watering hole’ attack.

Kaspersky dubbed the operations “Daybreak” and “Erebus”.

“The first of them, Operation Daybreak, appears to have been launched by ScarCruft in March 2016 and employs a previously unknown (0-day) Adobe Flash Player exploit, focusing on high profile victims,” the firm reported.

“The other one, ‘Operation Erebus’, employs an older exploit, for CVE-2016-4117, and leverages watering holes. It is also possible that the group deployed another zero day exploit, CVE-2016-0147, which was patched in April.”

Kaspersky noted that Microsoft’s Enhanced Mitigation Experience Toolkit “is effective at mitigating the attacks”.

The other option for consumers until Adobe releases a patch is to disable Flash Player in Internet Explorer, Firefox, or Chrome. In response to recent zero-day flaws affecting Flash Player, Apple has disabled Flash Player until Adobe released a patch.