Successful Windows exploit tied to Group 123 in North Korea

Adobe Systems has released a critical security patch for two Flash Player vulnerabilities found in the wild – one of which has been tied to an increasingly ambitious North Korean hacking group.

Both vulnerabilities (CVE-2018-4877 and CVE-208-4878) could allow for remote code execution in Adobe Flash Player 28.0.0.137 and earlier versions operating on Windows, Mac, Linux, and Chrome operating systems.

“Adobe recommends users update their product installations to the latest versions using the instructions referenced in the security bulletin,” the software firm said.

The security update comes a week after Adobe said an exploit for CVE-2018-4878 was being used in limited, targeted hacks against Windows users.

“These attacks leverage Office documents with embedded malicious Flash content distributed via email,” the company stated. “Successful exploitation could potentially allow an attacker to take control of the affected system.”

Adobe credited KrCERT, South Korea’s internet and security agency, for reporting CVE-2018-4878. The Qihoo 360 Vulcan Team, working with Trend Micro’s Zero Day Initiative, flagged CVE-2018-4877.

Following last week’s security advisory, researchers at Talos said the payload for CVE-2018-4848 is the well-known remote access trojan named Rokrat, and that it was being exploited by Group 123 in North Korea.

“Group 123 have now joined some of the criminal elite with this latest payload of Rokrat,” said Talos’ technical leader, Warren Mercer. “They have used an Adobe Flash zero-day which was outside of their previous capabilities.

“This change represents a major shift in Group 123’s maturity level. We can now confidentially assess Group 123 as a highly skilled, highly motivated, and highly sophisticated group.”

Talos said Group 123 was responsible for six malware campaigns last year.