{"id":5681,"date":"2016-06-17T15:16:28","date_gmt":"2016-06-17T15:16:28","guid":{"rendered":"https:\/\/kasperskydaily.com\/b2b\/?p=5681"},"modified":"2020-12-22T11:50:22","modified_gmt":"2020-12-22T16:50:22","slug":"operation-daybreak","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/operation-daybreak\/5681\/","title":{"rendered":"Operation Daybreak: A brand-new zero-day exploit in Flash"},"content":{"rendered":"<p>Securelist has just published an alert on a new cyberespionage campaign, code-named \u201cOperation Daybreak.\u201d The campaign employs a previously unknown Adobe Flash Player exploit, and we believe it was launched by an attack group code-named ScarCruft.<\/p>\n<p>Operation Daybreak targets a diverse set of entities, from government organizations to large enterprises. Among them are one of the largest trading companies in Asia, a mobile advertising and app monetization company from the United States, and a restaurant located in one of the top malls in Dubai. Some of them were compromised within the last few days, which indicates that the attackers are still active and that the operation will continue for at least some time.<\/p>\n<p>The targets appear to receive a malicious link (via spear-phishing e-mails) pointing to a compromised website that hosts the exploit kit. The exact delivery vector has not been confirmed, however.<\/p>\n<p>Costin Raiu, from Kaspersky Lab\u2019s Global Research and Analysis Team (GReAT), and Anton Ivanov, our senior malware analyst, say that ScarCruft\u2019s activities stand out in certain ways. 
For example, the exploit for CVE-2016-0147 uses \u201ca few very interesting evasion methods.\u201d The Daybreak attacks also use a bug in the Windows DDE component to bypass security solutions, a technique not seen before now. The flaw has been reported to Microsoft\u2019s security team.<\/p>\n<p><strong>Detection and mitigation<\/strong><\/p>\n<p>Kaspersky Lab\u2019s products detect this Flash exploit as HEUR:Exploit.SWF.Agent.gen. Our Automatic Exploit Prevention (AEP) component also detects this attack. Payloads are detected as HEUR:Trojan.Win32.ScarCruft.gen.<\/p>\n<p>Securelist notes that in-the-wild Flash Player exploits are becoming rare: in most cases a Flash exploit running inside a modern browser has to be chained with a separate sandbox-escape exploit before it can do anything useful on the host, which makes a working attack considerably harder to build. Further, Adobe, even as it plans to wind down Flash support, keeps adding mitigations that make exploitation of Flash Player more and more difficult.<\/p>\n<p>In the meantime, well-resourced threat actors such as ScarCruft are deploying zero-day exploits against their high-profile targets and will continue to do so.<\/p>\n<p>The best option for businesses to avoid becoming victims is to employ a multilayered approach. 
A combination of traditional antimalware technologies with patch management, host intrusion detection, and, ideally, application allowlisting with a default-deny policy, is the most effective course of action here.<\/p>\n<p>\u201cWhile it\u2019s impossible to achieve 100% protection, in practice and most cases all you have to do is increase your defenses to the point where it becomes too expensive for the attacker \u2014 who will just give up and move on to other targets,\u201d Costin Raiu and Anton Ivanov wrote.<\/p>\n<p>For full technical details and indicators of compromise, please <a href=\"https:\/\/securelist.com\/blog\/research\/75100\/operation-daybreak\/?utm_medium=blg&amp;utm_source=kb_post_160617&amp;utm_campaign=ww_promo\" target=\"_blank\" rel=\"noopener\">refer to Securelist<\/a>.<\/p>\n<p>More information about the ScarCruft APT group is available to customers of\u00a0<a href=\"https:\/\/www.kaspersky.com\/advert\/enterprise-security\/apt-intelligence-reporting?redef=1&amp;THRU&amp;reseller=gl_kbusinesspost_pro_ona_smm__onl_b2b_kbusiness_lnk_______\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Intelligence Reporting Service<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Securelist just released a new cyberespionage campaign alert, code-named &#8220;Operation 
Daybreak.&#8221;<\/p>\n","protected":false},"author":209,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[1343,499,2428,2429],"class_list":{"0":"post-5681","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-business","7":"category-smb","8":"tag-0days","9":"tag-apt","10":"tag-daybreak","11":"tag-scarcruft"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/operation-daybreak\/5681\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/operation-daybreak\/5681\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/operation-daybreak\/5681\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/apt\/","name":"APT"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5681","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=5681"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5681\/revisions"}],"predecessor-version":[{"id":38180,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5681\/revisions\/38180"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=5681"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=5681"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=5681"}],"curies":[{"na
me":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}