North Korea in the crosshairs again: is it the hidden hand behind the recent Adobe Flash 0-day attack?

Updated: 2018-02-07 14:56:47 | Views: 174438 | Industry information

According to security researchers at Cisco and FireEye, a hacking group linked to North Korea is behind the recently discovered Adobe Flash 0-day vulnerability.

Since its release, more than 1000 vulnerabilities have been found in Adobe Flash. Flash was meant to simplify website development and provide features that standard web browsers did not support, but that also added complexity and widened the attack surface. Web browsers do not enable Flash by default, yet users often re-enable it for convenience. For this latest 0-day, simply having Flash installed on the system is enough to be exposed.


KISA (the Korea Internet & Security Agency) released a security advisory on January 31, 2018, warning that a use-after-free vulnerability in Adobe Flash Player was being exploited in the wild. The next day, Adobe released security advisory APSA18-01, confirming that CVE-2018-4878 could allow remote code execution, and announced that it planned to release a security patch on February 5, 2018. The attack relies on a malicious SWF file embedded in Microsoft Office or Hancom Hangul documents or spreadsheets. Once such a file is opened, the victim's computer executes the malicious SWF through Adobe Flash (if installed).

"Upon opening and successful exploitation, a decryption key for an encrypted embedded payload will be downloaded from a compromised third-party website," FireEye said.

The embedded payload is likely DOGCALL malware, which installs the ROKRAT command-and-control Trojan and gives remote attackers access to the victim's system.

Experts warn that until the Adobe patch arrives, users should be very careful about opening unknown spreadsheets and documents. In fact, any unexpected or suspicious file, especially one in a format that supports embedded files, deserves caution, because such files can hide all kinds of malware. You should also seriously consider uninstalling Adobe Flash: even if it is disabled in your browser, merely having it installed on the system is enough for this latest vulnerability to be exploited successfully. You may well not need Adobe Flash at all. As Sophos explains, "the most common need we hear about is watching web videos, but if you don't have Flash, almost all websites will fall back to HTML5 video. If you uninstall it, your browser will use its built-in video player, so you probably don't need Flash at all."
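The delivery method described above, a SWF hidden inside an Office or Hangul document, can be checked for before a file is opened. The following added example (not from the article, Cisco or FireEye) scans a document for SWF headers: an OOXML file such as .docx or .xlsx is a zip container, so each member is inspected; any other file is scanned as raw bytes. The sample spreadsheet is constructed in memory and carries only a fake SWF header, not real malware.

```python
import io
import re
import zipfile

# SWF header: signature "FWS" (uncompressed), "CWS" (zlib) or "ZWS" (LZMA),
# then a one-byte version and a 4-byte little-endian uncompressed length.
SWF_MAGIC = re.compile(rb"[FCZ]WS")


def find_swf_headers(data: bytes, max_version: int = 60):
    """Return offsets of plausible SWF headers inside a byte buffer.
    A match is accepted only if the version byte is in a sane range and the
    declared length is at least the 8-byte header, which filters most
    accidental 'FWS'/'CWS' text hits."""
    hits = []
    for m in SWF_MAGIC.finditer(data):
        off = m.start()
        if off + 8 > len(data):
            continue
        version = data[off + 3]
        length = int.from_bytes(data[off + 4:off + 8], "little")
        if 1 <= version <= max_version and length >= 8:
            hits.append(off)
    return hits


def scan_document(blob: bytes):
    """Scan a document for embedded SWF. OOXML documents are zip
    containers, so every member is scanned; anything else is scanned raw."""
    findings = []
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                for off in find_swf_headers(zf.read(name)):
                    findings.append((name, off))
    else:
        findings = [("<raw>", off) for off in find_swf_headers(blob)]
    return findings


def build_sample_xlsx() -> bytes:
    """Constructed sample: a minimal zip mimicking an xlsx whose ActiveX
    binary carries a zlib-compressed SWF header (assumed member path)."""
    fake_swf = b"CWS" + bytes([28]) + (1024).to_bytes(4, "little") + b"\x78\x9c" + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/activeX/activeX1.bin", b"\x00" * 32 + fake_swf)
    return buf.getvalue()


if __name__ == "__main__":
    for member, off in scan_document(build_sample_xlsx()):
        print(f"embedded SWF header in {member} at offset {off}")
```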

Both Cisco and FireEye are investigating and warn that the Korean hacking group they have been tracking may be behind the attack. FireEye calls the group TEMP.Reaper and Cisco calls it Group 123; the group, which has ties to North Korea, was very active in 2017.

According to FireEye, "historically, most of their targeting has been focused on the South Korean government, military and defense industrial base. However, they expanded to other international targets last year."


Besides expanding its targets, the group also appears to be improving its skills, deploying a variety of techniques to deliver destructive malware and command-and-control Trojans.

North Korea has been accused of many hacking attacks in the past few years. With the tensions of 2017 and the Olympic Games in South Korea this month, there is plenty of opportunity and potential motive, and the latest attack shows that the attackers are ready to take advantage of it.

As the Cisco Talos security team describes it, "Group 123 has now joined some of the criminal elite with this latest payload of ROKRAT. They have used an Adobe Flash 0-day that was outside their previous capabilities. This change represents a major shift in Group 123's maturity level. We can now assess with confidence that Group 123 is a highly skilled, highly active and highly sophisticated team."
