Kaspersky Lab researchers discovered the vulnerability CVE-2017-11292 while it was being exploited in a live attack, prompting the company to urge businesses and government agencies to install the update provided by Adobe without delay.
The Kaspersky Lab researchers believe the group behind the attack was also responsible for an attack last September that exploited another vulnerability, CVE-2017-8759.
Analysis by Kaspersky Lab's experts found that successful exploitation of the vulnerability leads to the installation of the FinSpy malware, also known as FinFisher, on the target computer.
FinSpy is commercial software that is usually sold to governments and law enforcement agencies for surveillance. In the past, law enforcement use of the software has generally been local, directed at domestic targets.
BlackOasis, however, is a significant exception to this pattern: its use of FinSpy against a wide range of targets around the world suggests the tool is now being used in global intelligence operations.
The malware used in the attack is the latest version of FinSpy, which employs multiple anti-analysis techniques to complicate detection and investigation.
Once installed, the malware establishes a foothold on the target computer and connects to command-and-control servers in Switzerland, Bulgaria and the Netherlands, awaiting further instructions for data theft.
The BlackOasis group targets a full range of political figures in the Middle East, including prominent United Nations officials, bloggers and opposition activists, as well as regional correspondents and journalists, according to Kaspersky.
The group appears to have interests in sectors of particular importance to the region in which it operates; during 2016, Kaspersky researchers noted the group's strong interest in Angola, targeting individuals suspected of links to oil, money laundering and other activities. The group also takes an interest in international activists and thinkers.
To date, the concentration of BlackOasis victims has been observed in Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, the Netherlands, Bahrain, Britain and Angola.
Kaspersky experts advise all companies and organizations to take a few measures to protect their systems and data from this threat:
● Set the kill bit for the Flash Player ActiveX control if Flash is not needed, and make sure Flash is fully disabled wherever possible.
● Implement a multilayered security solution that covers all networks, systems and endpoints.
● Educate and train employees to recognise social engineering techniques, which are often used to make a victim open a document or file, or click a malicious link, that exposes his or her computer.
● Conduct regular security assessments of the company's IT infrastructure.
● Use Kaspersky's Threat Intelligence solution, which tracks cyber attacks, incidents and threats and provides customers with important, up-to-date information.
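The kill bit recommended above is a Windows mechanism, not a Flash feature: Internet Explorer and other hosts that honour the ActiveX Compatibility registry key refuse to load a control whose CLSID has the 0x400 flag set. The following PowerShell script is an added example, not part of the Kaspersky report, that sets the kill bit for the Flash Player ActiveX control and verifies it. It assumes the well-known Flash Player CLSID shown below; confirm it against the control actually registered on your systems before deploying, and run it elevated because it writes to HKLM.

```powershell
# Added example (not from the Kaspersky report): set and verify the ActiveX kill bit
# for the Adobe Flash Player control so that IE and other ActiveX hosts refuse to load it.
# Assumption: the CLSID below is the registered "Shockwave Flash Object"; verify under
# HKCR\CLSID on your own systems first. Requires an elevated session (writes HKLM).

$flashClsid  = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'  # Adobe Flash Player ActiveX control
$killBitFlag = 0x400                                      # "Compatibility Flags" kill bit value

$basePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$paths = @("$basePath\$flashClsid")
# On 64-bit Windows the 32-bit browser reads the WOW6432Node view, so cover both.
if ([Environment]::Is64BitOperatingSystem) {
    $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid"
}

function Get-CompatFlags {
    param([string]$KeyPath)
    $item = Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Set-KillBit {
    param([string]$KeyPath, [int]$Flag)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # OR the kill bit into any flags already present instead of overwriting them.
    $new = (Get-CompatFlags -KeyPath $KeyPath) -bor $Flag
    Set-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-KillBit {
    param([string]$KeyPath, [int]$Flag)
    return ((Get-CompatFlags -KeyPath $KeyPath) -band $Flag) -eq $Flag
}

foreach ($p in $paths) {
    Set-KillBit -KeyPath $p -Flag $killBitFlag
    $state = if (Test-KillBit -KeyPath $p -Flag $killBitFlag) { 'SET' } else { 'NOT SET' }
    Write-Output "$p : kill bit $state"
}
```

The kill bit blocks only the ActiveX control; Flash embedded in other browsers or delivered through other plugin interfaces needs its own policy, and where Flash is not required at all, uninstalling it is the simpler and more complete control. The verification step matters in a fleet rollout: report the NOT SET cases so that machines where the write failed (no elevation, policy conflict) are not silently left exposed.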