What is the Issue:
Adobe has recently released an emergency patch for a Flash zero-day vulnerability which, when exploited, can allow an attacker to execute arbitrary code and enable information disclosure. Most current web browsers block Adobe Flash altogether, but attackers have found a way to have Microsoft Office load the embedded malicious content into Adobe Flash. The attack is delivered through Microsoft Office documents (most commonly Excel files) embedded with malicious Flash content. This content triggers the victim machine to download the malicious payloads from an external server (most of which are registered in Qatar).
Why is this noteworthy:
Because there is no malicious code embedded in the file itself, these files pass anti-virus scanning without raising any flags. The traffic between the infected internal host and the external server is encrypted in transit, making forensic analysis of the incident nearly impossible.
What is the exposure or risk:
This vulnerability could be critical to a company because it allows the attacker to request any information they desire from the infected host. The connection between the internal host and the external server is maintained, so the attacker can continuously query for data and monitor any changes made on the infected host; this can also lead to privilege escalation, allowing the attacker to gain access to the rest of the network.
What are the recommendations:
SKOUT recommends that all hosts running Adobe Flash Version 220.127.116.11 be updated immediately to Version 18.104.22.168. We also recommend that you be on the lookout for emails with unfamiliar attachments written in Arabic, and that you monitor internal hosts for any unauthorized Flash downloads.
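As an added example (not part of the SKOUT advisory), the following Python triage check flags Office Open XML attachments that carry embedded Flash content, by looking for SWF file signatures in any package part and for the well-known Shockwave Flash ActiveX CLSID in part XML; the two sample workbooks are constructed in memory so the check runs offline.

```python
import io
import re
import zipfile

# Well-known CLSID of the Shockwave Flash ActiveX control; matched case-insensitively.
FLASH_CLSID = re.compile(rb"D27CDB6E-AE6D-11CF-96B8-444553540000", re.IGNORECASE)
# SWF file signatures: uncompressed, zlib-compressed and LZMA-compressed.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def find_embedded_flash(doc_bytes):
    """Return [(member_name, reason), ...] for each part of an OOXML package
    (.xlsx/.docx/.pptx) that looks like embedded Flash. Non-zip input yields []."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(doc_bytes))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for info in zf.infolist():
            data = zf.read(info)
            if data[:3] in SWF_MAGIC:
                findings.append((info.filename, "swf-signature " + data[:3].decode()))
            elif FLASH_CLSID.search(data):
                findings.append((info.filename, "flash-activex-clsid"))
    return findings


def _build_package(members):
    """Build a minimal zip standing in for an .xlsx package (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a benign workbook and one carrying a Flash ActiveX object.
BENIGN_DOC = _build_package({
    "[Content_Types].xml": b"<Types/>",
    "xl/workbook.xml": b"<workbook/>",
})
SUSPICIOUS_DOC = _build_package({
    "[Content_Types].xml": b"<Types/>",
    "xl/workbook.xml": b"<workbook/>",
    "xl/activeX/activeX1.xml":
        b'<ax:ocx ax:classid="{d27cdb6e-ae6d-11cf-96b8-444553540000}"/>',
    "xl/activeX/activeX1.bin": b"CWS\x0f" + b"\x00" * 16,  # fake zlib-SWF header
})
```

Legacy binary formats (.xls, .doc) are OLE compound files rather than zip packages and are not inspected by this check, so they need a separate OLE-aware scan.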
If you have any questions, please contact our Security Operations Center.