Russian APT Group Fancy Bear (APT28) Exploiting Adobe Flash Vulnerability

Proofpoint researchers recently observed an email campaign attempting to deliver malicious Word documents to US and European government entities and to private businesses in the aerospace industry. The documents carry an exploit for the recently disclosed Adobe Flash Player vulnerability CVE-2017-11292. Successful exploitation allows a threat actor to execute arbitrary code on Windows, macOS, Linux, and Chrome OS systems running a vulnerable Flash Player.

Proofpoint attributes the campaign to Fancy Bear, also known as Group 74, APT28, Tsar Team, and Sofacy, based on its use of the DealersChoice.B attack framework. The APT group BlackOasis has also been observed exploiting the same Flash vulnerability in a very targeted campaign. These groups and others are increasing their efforts to exploit the vulnerability in the window before the patch is widely deployed.

The NJCCIC recommends that users and administrators of Adobe Flash Player review the Proofpoint report, scan for the indicators of compromise (IoCs) it provides to determine whether this activity has occurred within their networks, and immediately apply the Adobe patch. Organizations are strongly encouraged to implement a defense-in-depth cybersecurity strategy, employ the Principle of Least Privilege, and establish strong identity and access management controls, including multi-factor authentication.
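The lure in this campaign is a Word document with Flash content embedded in it, so a useful first triage step for suspicious attachments, alongside checking the Proofpoint IoCs, is to look inside the OOXML container for any embedded Flash object at all. The script below is an added example, not code from the Proofpoint report or the NJCCIC advisory, and it does not encode that report's IoCs (which are not reproduced on this page). It uses two heuristics that are assumptions about how Flash is embedded in a .docx: a reference to the Shockwave Flash ActiveX control by ProgID (ShockwaveFlash.ShockwaveFlash) or CLSID (D27CDB6E-AE6D-11CF-96B8-444553540000) in any XML part, and an SWF file header (FWS, CWS or ZWS plus a version byte) anywhere in a non-XML part such as word/embeddings/*.bin. The two sample documents are constructed in memory for the demonstration.

```python
"""Triage OOXML Word documents for embedded Adobe Flash content.

Added example; not from the Proofpoint report or the NJCCIC advisory.
Heuristics (assumptions about how Flash is embedded in .docx files):
  * an OLE/ActiveX reference to the Shockwave Flash control, by ProgID
    (ShockwaveFlash.ShockwaveFlash) or CLSID
    ({D27CDB6E-AE6D-11CF-96B8-444553540000}), in any XML/.rels part;
  * an SWF header ('FWS' uncompressed, 'CWS' zlib, 'ZWS' LZMA, then a
    version byte) anywhere in a non-XML part, e.g. word/embeddings/*.bin,
    where the SWF usually sits inside an OLE (CFB) wrapper.
The sample documents built by build_sample() are constructed, not real lures.
"""
import io
import re
import zipfile
from typing import List, Union

FLASH_PROGID = re.compile(rb"ShockwaveFlash\.ShockwaveFlash", re.IGNORECASE)
FLASH_CLSID = re.compile(rb"D27CDB6E-AE6D-11CF-96B8-444553540000", re.IGNORECASE)
# SWF magic followed by a plausible version byte (Flash versions up to 0x40).
SWF_MAGIC = re.compile(rb"(?:FWS|CWS|ZWS)[\x01-\x40]")


def scan_docx(doc: Union[str, bytes]) -> List[str]:
    """Return human-readable findings; an empty list means no Flash indicators."""
    src = io.BytesIO(doc) if isinstance(doc, bytes) else doc
    findings: List[str] = []
    with zipfile.ZipFile(src) as z:
        for info in z.infolist():
            name = info.filename
            data = z.read(info)
            if name.lower().endswith((".xml", ".rels")):
                # Markup parts: look for the control being referenced.
                if FLASH_PROGID.search(data):
                    findings.append(f"{name}: ProgID ShockwaveFlash.ShockwaveFlash")
                if FLASH_CLSID.search(data):
                    findings.append(f"{name}: Shockwave Flash CLSID")
            else:
                # Binary parts: look for the SWF header itself, even when wrapped.
                m = SWF_MAGIC.search(data)
                if m:
                    sig = m.group()[:3].decode("ascii")
                    findings.append(f"{name}: SWF header {sig} at offset {m.start()}")
    return findings


def build_sample(flash: bool) -> bytes:
    """Constructed minimal .docx (OOXML zip), optionally carrying a Flash object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        body = "<w:p><w:r><w:t>Quarterly aerospace report</w:t></w:r></w:p>"
        if flash:
            body += ('<w:p><w:r><w:object><o:OLEObject Type="Embed" '
                     'ProgID="ShockwaveFlash.ShockwaveFlash" r:id="rId4"/>'
                     "</w:object></w:r></w:p>")
            z.writestr("word/activeX/activeX1.xml",
                       '<ax:ocx ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}"/>')
            # Fake OLE wrapper: CFB magic, padding, then a compressed-SWF header.
            z.writestr("word/embeddings/oleObject1.bin",
                       b"\xd0\xcf\x11\xe0" + b"\x00" * 60
                       + b"CWS\x1e\x00\x10\x00\x00" + b"\x00" * 16)
        z.writestr("word/document.xml",
                   f"<w:document><w:body>{body}</w:body></w:document>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("benign", build_sample(False)), ("flash", build_sample(True))):
        hits = scan_docx(sample)
        print(f"{label}: {'CLEAN' if not hits else 'SUSPICIOUS'}")
        for h in hits:
            print("  ", h)
```

Run it against a real attachment with `scan_docx("/path/to/file.docx")`. A hit only says the document embeds Flash, which is itself unusual enough in business correspondence to justify detonation or blocking; confirming CVE-2017-11292 specifically still requires the Proofpoint IoCs or analysis of the extracted SWF.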