Morphisec discovers a new watering hole attack based on a Flash flaw on a leading Hong Kong telecom site
Morphisec Labs reported that a security researcher warned on Tuesday that hackers had launched a cyber attack against the website of a telecommunications company in Hong Kong.
This was confirmed by an investigation conducted by Morphisec Labs researchers Michael Gorelik and Assaf Kachlon. The attacker exploited the Adobe Flash vulnerability CVE-2018-4878, which had earlier been used as a zero-day and had been patched by Adobe shortly before this attack, by embedding a malicious Adobe Flash file in the main page of the company's website.
According to public reports, CVE-2018-4878 was first identified by the Korean Computer Emergency Response Team (KR-CERT), which said that a hacker group from North Korea had already used the vulnerability in real attacks.
Adobe patched the vulnerability within a week and stated in its advisory that it affects Flash Player 28.0.0.137 and all earlier versions.
Morphisec pointed out that the attack on the Hong Kong telecommunications company's website is a typical watering hole attack, one of the most commonly used intrusion techniques. The attacker first identifies the sites that the intended targets visit regularly, then compromises those sites and plants malicious code on them. When a target visits one of the sites, it is redirected to a malicious site or the malicious code is executed in the browser, and the infection can then spread to other members of the network the target belongs to.
Morphisec further emphasized that this watering hole attack was highly targeted and highly stealthy. The attack was fileless: the attacker wrote no files and left no traces on the local hard disk. In addition, the attacker communicated with its command and control (C&C) server over a custom protocol on port 443, a port that is rarely filtered at the network perimeter. All of this suggests that the group behind the incident is technically advanced.
The researchers explained that the Flash exploit used in this attack closely matches the one described in previously published analyses of CVE-2018-4878; the main difference lies in the shellcode executed afterwards.
The shellcode launches a legitimate Windows process, rundll32.exe, and overwrites its memory with malicious code. That code then downloads further payloads directly into the memory of the same rundll32 process, so nothing is written to disk.
The additional code downloaded into rundll32's memory includes Metasploit Meterpreter and Mimikatz modules. Most of the modules were compiled on February 15th, which suggests that the attacker took only a short time from initial preparation to launching the attack.
The modules are built from the stock Metasploit framework components available on GitHub, with no added complexity, obfuscation, or detection-evasion mechanism. This makes it harder for researchers to trace the attack back to its source.
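As an added example, not code from Morphisec or from the original article, the following Python script shows how the rundll32 behaviour described above (a sacrificial rundll32.exe spawned from the browser, hollowed out in memory, then talking to a C&C server on port 443) could be flagged in endpoint telemetry. It assumes Sysmon-style events (process creation and network connection) correlated by ProcessGuid; the sample events, the browser and plugin names, the GUIDs, PIDs and IP addresses are constructed for illustration, and the "no DLL argument" heuristic is a general process-hollowing indicator rather than something the report states.

```python
"""Detection heuristics for a hollowed rundll32.exe used as an in-memory loader.

Added example, not code from Morphisec or the original article. It consumes
Sysmon-style events (EventID 1 = process creation, EventID 3 = network
connection) and correlates them by ProcessGuid. The sample events below are
constructed; browser names, GUIDs, PIDs and destination IPs are assumptions.
"""
from collections import defaultdict

# Processes that host Flash content. Which browser the victims used is not
# stated in the report, so this list is an assumption.
FLASH_HOSTS = {"iexplore.exe", "chrome.exe", "firefox.exe", "plugin-container.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def has_dll_argument(cmdline: str) -> bool:
    """True if rundll32 was given a DLL to load (rundll32.exe foo.dll,Entry).

    A rundll32.exe started with a bare command line has nothing legitimate to
    do; it is a common sign of a sacrificial process whose memory is about to
    be overwritten. This is a general heuristic, not a fact from the report.
    """
    s = cmdline.strip()
    if s.startswith('"'):                     # quoted image path
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return bool(rest.strip())


def detect(events: list) -> list:
    """Return alerts for rundll32 processes showing at least two of:
    a Flash-hosting parent, no DLL argument, an outbound network connection."""
    creates = {}
    connections = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 1:
            creates[ev["ProcessGuid"]] = ev
        elif ev["EventID"] == 3:
            connections[ev["ProcessGuid"]].append(ev)

    alerts = []
    for guid, ev in creates.items():
        if basename(ev["Image"]) != "rundll32.exe":
            continue
        reasons = []
        parent = basename(ev["ParentImage"])
        if parent in FLASH_HOSTS:
            reasons.append(f"spawned by Flash host {parent}")
        if not has_dll_argument(ev["CommandLine"]):
            reasons.append("started without a DLL argument")
        for c in connections[guid]:
            reasons.append(f"outbound {c['Protocol']} to {c['DestinationIp']}:{c['DestinationPort']}")
        # Any single signal is noisy on its own (legitimate rundll32 does
        # talk to the network); require two independent ones.
        if len(reasons) >= 2:
            alerts.append({"Pid": ev["ProcessId"], "ProcessGuid": guid, "Reasons": reasons})
    return alerts


# Constructed sample telemetry: one benign Control Panel launch, one rundll32
# matching the report's description, and one ordinary rundll32 with a single
# weak signal (a network connection but a normal parent and arguments).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "ProcessId": 3004,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessGuid": "{B2}", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe"',
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"EventID": 3, "ProcessGuid": "{B2}", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\rundll32.exe", "Protocol": "tcp",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "{C3}", "ProcessId": 5210,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\x.inf",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 3, "ProcessGuid": "{C3}", "ProcessId": 5210,
     "Image": r"C:\Windows\System32\rundll32.exe", "Protocol": "tcp",
     "DestinationIp": "192.0.2.5", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["Pid"], alert["Reasons"])
```

Run against the constructed sample, only the rundll32 spawned by iexplore.exe with no arguments and an outbound 443 connection is reported; the Control Panel launch and the svchost-spawned instance each trip at most one signal and stay quiet. Because the loader never writes to disk, a detection like this, keyed on parent/child relationships and process behaviour rather than file hashes, is what an in-memory attack of this kind leaves behind.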
Source: morphisec