A zero-day vulnerability in Adobe Flash was recently used to infect a likely diplomatic target in Qatar with malware, new research from Seattle-based cybersecurity company ICEBRG and Chinese tech firms Qihoo and Tencent shows.
Adobe patched the vulnerability Thursday as part of a broader software update in a release that credited Seattle-based cybersecurity firm ICEBRG for alerting the company to the flaw. The findings come as Qatar faces significant geopolitical struggles, including a trade blockade established by the United Arab Emirates (UAE), Saudi Arabia, Bahrain and Egypt.
Over the last six months, politically motivated Middle Eastern hacking has popped up numerous times.
In late May, Qatar was outed as being connected to a hacking operation against top Republican donor Elliott Broidy, an influential critic of the Gulf state. Months earlier, Qatar blamed the UAE for hacking and editing content hosted by the Qatari News Agency (QNA), a government-backed news program. Subsequent reporting tied the QNA hack to a mix of operators from Russia, Iran and the UAE.
Outside of the fighting factions, no government has publicly attributed the attacks to any particular country. Some experts believe the breaches and media leaks currently affecting Qatar are part of a well-coordinated information warfare effort.
It’s not uncommon for nation states to rely on computer espionage tools to gain insight into government talks or other confidential secrets.
The latest hacking activity identified by the aforementioned three private sector firms was linked back to several newly registered web domains that were clearly intended for Qataris seeking domestic employment, based on Qihoo’s research. Some of these websites were registered in February, leading analysts to believe the attackers had been preparing to launch their cyber-espionage campaign for at least three months.
“All clues show this is a typical APT attack,” reads a blog post by Qihoo, one of China’s most well-regarded cybersecurity companies. The term APT refers to an “advanced persistent threat,” or elite hacking group.
While it is unclear at the moment what final payload was delivered through this particular Flash vulnerability, the flaw itself is significant.
The stack-based buffer overflow vulnerability allows the attacker to package an exploit into an otherwise mundane Microsoft Word document by “remotely including Flash content,” which provides an RSA-based encrypted channel to inject malicious payloads.
This arbitrary code execution technique is unique because of its “minimal static footprint,” researchers wrote.
“The combination of a remotely included Flash exploit and asymmetric cryptography are particularly powerful counters against postmortem analysis,” ICEBRG said in reference to the hacking group’s operational security.
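As an added illustration that is not from the article or from any of the firms it names, the following check looks for the delivery mechanism described above from the defender's side: because the Flash content is fetched remotely rather than embedded, a static scan of the Word file itself finds no exploit bytes, but the package still has to carry an external relationship (and typically a reference to the Flash ActiveX control) for the content to be loaded. The function names, the constructed sample package and its URL are assumptions, not values from the campaign.

```python
import io
import re
import zipfile

# Adobe Flash Player ActiveX class identifier (public, well-known value).
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"

# One <Relationship .../> element inside any *.rels part of the OOXML package.
REL_RE = re.compile(r"<Relationship\b[^>]*?/?>", re.I)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def find_remote_flash(docx_bytes):
    """Scan a .docx (raw bytes) for remotely included Flash content.

    Returns a list of (part_name, target, reason). A document is flagged when a
    relationship with TargetMode="External" points at a .swf, or when any part
    references the Flash ActiveX CLSID. Nothing is executed or fetched."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            text = pkg.read(name).decode("utf-8", errors="replace")
            if name.endswith(".rels"):
                for rel in REL_RE.findall(text):
                    attrs = dict(ATTR_RE.findall(rel))
                    if attrs.get("TargetMode", "").lower() != "external":
                        continue  # embedded parts are visible to ordinary static scanning
                    target = attrs.get("Target", "")
                    if target.lower().split("?", 1)[0].endswith(".swf"):
                        findings.append((name, target, "external .swf relationship"))
            if FLASH_CLSID in text.upper():
                findings.append((name, "", "Flash ActiveX CLSID present"))
    return findings


def build_sample_docx(target, mode="External"):
    """Constructed minimal package for testing only; not a real malicious sample."""
    rels = ('<Relationships><Relationship Id="rId9" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/control" Target="%s" TargetMode="%s"/>'
            '</Relationships>' % (target, mode))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        pkg.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()
```

Running `find_remote_flash(build_sample_docx("https://cdn.example/content.swf"))` on the constructed package returns the single external .swf relationship, while the same package with an internal image target returns nothing.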
Elsewhere Thursday, Israeli cybersecurity firm ClearSky Cyber Security posted evidence on Twitter illustrating what appeared to be yet another cyber-espionage attack intended for a Middle Eastern news organization, this time coming from an Iranian-linked group.
"DMI Connect.doc", #oilrig related sample is using rdppath[.]com as C2. Submitted from Arab Emirates, *potentially* targeting "Dubai Media Incorporated (DMI)", the official media organization of the government of Dubai.
— ClearSky Cyber Security (@ClearskySec) June 7, 2018
The phishing document carries hints that it’s the work of “OilRig Group,” the codename for an Iranian hacking entity with loose ties to the government in Tehran. Dubai Media Incorporated is to the UAE what QNA is to Qatar, raising questions about whether this phishing email may represent some sort of retribution for what occurred last year to QNA.
In the ongoing gulf crisis, Iran is widely seen as an ally to Qatar against Saudi Arabia and UAE.