New Adobe Flash Zero-Day Used in Pawn Storm Campaign
Analysis by Brooks Li, Feike Hacquebord, and Peter Pi
Trend Micro researchers have discovered that the attackers behind Pawn Storm, the long-running cyber-espionage campaign, are using Adobe Flash zero-day exploit code in their attacks. The affected vulnerability is still unpatched, leaving Flash users exposed to these attacks.
In this most recent campaign of Pawn Storm, several Ministries of Foreign Affairs received spear phishing e-mails. These contain links to sites that supposedly carry information about current events, but in reality these URLs hosted the exploit. In this wave of attacks, the e-mails were about the following topics:
“Suicide car bomb targets NATO troop convoy Kabul”
“Syrian troops make gains as Putin defends air strikes”
“Israel launches airstrikes on targets in Gaza”
“Russia warns of response to reported US nuke buildup in Turkey, Europe”
“US military reports 75 US-trained rebels return Syria”
It’s worth noting that the URLs hosting the new Flash zero-day exploit are similar to the URLs seen in attacks that targeted North Atlantic Treaty Organization (NATO) members and the White House in April this year.
Ministries of Foreign Affairs have become a particular focus of interest for Pawn Storm recently. Aside from malware attacks, fake Outlook Web Access (OWA) servers were also set up for various ministries. These are used for simple, but extremely effective, credential phishing attacks. One Ministry of Foreign Affairs had the DNS settings for its incoming mail compromised. This means that Pawn Storm has been intercepting incoming e-mail to this organization for an extended period of time in 2015.
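A defender-side illustration of the two phishing patterns described above (lure e-mails carrying links, and fake OWA servers set up to harvest credentials), added here as an example and not part of the original Trend Micro analysis: a small triage script that pulls the links out of a suspicious e-mail and flags hostnames that imitate the organization's genuine OWA host, either by embedding the real name inside an attacker-controlled domain or by a near-miss spelling. The hostnames, domains and the sample message are constructed for this example; a real deployment would use the organization's actual host inventory and the Public Suffix List instead of the two-label shortcut used here.

```python
import re
from difflib import SequenceMatcher
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed for this example: the organization's genuine webmail hosts
# and the registrable domain they live under.
LEGIT_HOSTS = {"owa.example-ministry.gov", "mail.example-ministry.gov"}
LEGIT_DOMAINS = {"example-ministry.gov"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Sufficient for this demonstration; production code should consult the
    Public Suffix List so that names like 'example.co.uk' are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_host(host: str, threshold: float = 0.8) -> str:
    """Classify a link hostname as 'legit', 'lookalike' or 'unrelated'."""
    host = host.lower().rstrip(".")
    if not host:
        return "unrelated"
    if host in LEGIT_HOSTS or registrable_domain(host) in LEGIT_DOMAINS:
        return "legit"
    rd = registrable_domain(host)
    for legit in LEGIT_DOMAINS:
        # The genuine name reused as a label inside another domain,
        # e.g. owa.example-ministry.gov.portal-login.example
        brand = legit.split(".")[0]
        if brand in host:
            return "lookalike"
        # Near-miss spelling of the registrable domain (e.g. '1' for 'l').
        if SequenceMatcher(None, rd, legit).ratio() >= threshold:
            return "lookalike"
    return "unrelated"


def triage_message(body: str) -> List[Tuple[str, str]]:
    """Extract every URL in an e-mail body and classify its hostname."""
    results = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        results.append((url, classify_host(host)))
    return results


# Constructed sample e-mail in the style of the lures quoted above.
SAMPLE_EMAIL = """\
Subject: Syrian troops make gains as Putin defends air strikes

Full story: https://news-portal.example/2015/10/syria-gains
Your mailbox needs re-validation, sign in here:
https://owa.example-ministry.gov.portal-login.example/owa/auth/logon.aspx
Official site: https://owa.example-ministry.gov/owa/
"""

if __name__ == "__main__":
    for url, verdict in triage_message(SAMPLE_EMAIL):
        print(f"{verdict:10} {url}")
```

The similarity threshold is deliberately loose so that a single substituted character in the registrable domain is caught; tune it against the organization's own domain list, since very short domains produce more false positives.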
Based on our analysis, the Flash zero-day affects at least Adobe Flash Player versions 22.214.171.124 and 126.96.36.199.
Figure 1. Affected Adobe versions
We have notified Adobe about our discovery and are working with them to address this security concern. Updates to this entry will be made once more information is available.