[BreachExchange] Adobe Issues Emergency Fix to Foil North Korean Hackers

Destry Winant destry at riskbasedsecurity.com
Wed Feb 7 19:21:37 EST 2018


Adobe has rushed out an unscheduled patch to fix two critical
vulnerabilities, including one being actively exploited in the wild by
suspected North Korean hackers.

The Priority 1 bulletin APSB18-03 fixes two use after free flaws in
the bug-prone Flash Player which could lead to remote code execution.

“Adobe is aware of a report that an exploit for CVE-2018-4878 exists
in the wild, and is being used in limited, targeted attacks against
Windows users,” the firm said in an advisory. “These attacks leverage
Office documents with embedded malicious Flash content distributed via

That bug was first flagged on January 31 when South Korean CERT KISA
confirmed it existedin Adobe Flash Player and earlier

FireEye soon waded in, claiming the threat actors exploiting it were
known to them as suspected North Korean group TEMP.Reaper (aka Group

“We have observed TEMP.Reaper operators directly interacting with
their command and control infrastructure from IP addresses assigned to
the STAR-KP network in Pyongyang. The STAR-KP network is operated as a
joint venture between the North Korean Government's Post and
Telecommunications Corporation and Thailand-based Loxley Pacific,” it
explained last week.

“Historically, the majority of their targeting has been focused on the
South Korean government, military, and defense industrial base;
however, they have expanded to other international targets in the last

The purpose of the exploit is to download an encrypted embedded
payload from a compromised third-party website hosted in South Korea,
with the end goal to distribute the Dogcall (Rokrat) Remote Access

The second vulnerability patched by Adobe yesterday (CVE-2018-4877)
was discovered by the Qihoo 360 Vulcan Team working with Trend Micro's
Zero Day Initiative (ZDI).

It’s also a use after free bug which could lead to remote code
execution, although isn’t thought to be active in the wild.

More information about the BreachExchange mailing list