Adobe has plugged a gap in its Flash Player that was reportedly being used by hackers to track down Syrian dissidents speaking out against the country’s government.
Security experts at Kaspersky Lab first discovered the bug earlier this month when they noticed two new zero-day exploits in the wild based on the CVE-2014-0515 vulnerability.
Attackers used the two exploits in a watering hole attack hosted on a site created by the Syrian Ministry of Justice at http://jpic.gov.sy, which hosts a forum for the country’s people to complain about law and order infractions.
The attacker, who was using the @olivertuckedout Twitter account, announced that the site was compromised in September 2013, and the flaw being exploited involved the Flash Player Pixel Bender video and image processing component, which itself is no longer supported by Adobe.
“The link to these exploits is as follows: http://jpic.gov.sy/css/images/_css/***********. When we entered the site, the installed malware payloads were already missing from the "_css" folder. We presume the criminals created a folder whose name doesn't look out of place on an administration resource, and where they loaded the exploits. The victims were probably redirected to the exploits using a frame or a script located at the site,” stated Kaspersky Lab Expert Vyacheslav Zakorzhevsky.
Adobe issued fixes for Flash Player 220.127.116.11 and earlier for Windows, 18.104.22.168 and earlier for Mac and 22.214.171.1240 and earlier for Linux.
“It's likely that the attack was carefully planned and that professionals of a pretty high caliber were behind it. The use of professionally written 0-day exploits that were used to infect a single resource testifies to this,” Zakorzhevsky added.