{"uuid": "f21c51a2-ddc3-4a1f-9888-4dd9cc08c386", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2018-4878", "type": "exploited", "source": "https://t.me/information_security_channel/15213", "content": "Watering Hole Attack Exploits North Korea's Flash Flaw\nhttp://feedproxy.google.com/~r/Securityweek/~3/7f4KoeGOFVM/watering-hole-attack-exploits-north-koreas-flash-flaw\n\nAn attack leveraging the compromised website of a Hong Kong telecommunications company is using a recently patched Flash vulnerability that has been exploited by North Korea since mid-November 2017, Morphisec warns.\nThe targeted vulnerability, CVE-2018-4878, first became public in early February, after South Korea\u2019s Internet & Security Agency (KISA) issued an alert on it being abused by a North Korean hacker group. Adobe patched the flaw within a week.\nBy the end of February, cybercriminals were already abusing the vulnerability. The newly observed incident, Morphisec notes, is a textbook case of a watering hole attack. In such attacks, which mainly serve cyber-espionage, actors plant malware on websites their victims are likely to visit.\nThe newly observed incident revealed advanced evasive characteristics, as it was purely fileless, without persistence or any trace on the disk. Furthermore, it used a custom protocol on a non-filtered port.\n\u201cGenerally, this advanced type of watering hole attack is highly targeted in nature and suggests that a very advanced group is behind it,\u201d the security researchers note.\nThe Flash exploit used in this attack was highly similar to the one detailed in the previous analysis of the CVE-2018-4878 vulnerability, although it employs a different shellcode executed after exploitation.\nThe shellcode executes rundll32.exe and overwrites its memory with malicious code. This malicious code was designed to download additional code directly into the memory of the rundll32 process.\nThe security researchers also discovered that the command and control (C&C) server uses a custom protocol over port 443 to communicate with the victim.\nThe additional code downloaded into the memory of rundll32 includes Metasploit Meterpreter and Mimikatz modules. Most of the modules were compiled on February 15, less than a week before the attack.\n\u201cAs our analysis shows, this watering hole attack is of advanced evasive nature. Being purely fileless, without persistence or any trace on the disk, and the use of custom protocol on a non-filtered port, makes it a perfect stepping stone for a highly targeted attack chain. This clearly suggests that very advanced threat actors are responsible for it,\u201d Morphisec says.\nDespite these advanced evasive features, the attack used basic Metasploit framework components that were compiled just before the attack and lacked any sophistication, obfuscation or evasion, which creates confusion and makes it difficult to attribute the attack to an actor.\nAccording to Morphisec, this attack, the exploit kits that were updated to target CVE-2018-4878, the campaign observed a few weeks ago and the vulnerability\u2019s abuse by nation-state groups all create a certain sense of d\u00e9j\u00e0 vu.\n\u201cIt is like the anarchy of 2-3 years ago when we had new exploits targeting a particular vulnerability discovered every week. Each one different enough to evade detection for those crucial first moments and security solutions always racing to catch up,\u201d the security firm concludes.\nRelated: North Korea's Flash Player Flaw Now Exploited by Cybercriminals\nRelated: Adobe Patches Flash Zero-Day Exploited by North Korean Hackers", "creation_timestamp": "2018-03-26T19:10:50.000000Z"}