February 20, 2014, 1:33 PM — Abobe planned to release an emergency update for Flash Player on Thursday, after security vendor FireEye pointed to a zero-day exploit used by attackers to target visitors to websites of three nonprofits, two of which focus on national security and public policy.
The Flash exploit allowed attackers to target users of the websites of the Peterson Institute for International Economics at PIIE.com, the American Research Center in Egypt at ARCE.org and the Smith Richardson Foundation at SFR.org. The exploit can compromise Flash users on Windows XP or those with Windows 7 who have Java 1.6 or an outdated version of Microsoft Office 2007 or 2010 installed, FireEye said.
The attacks came by remote code injection, with visitors to the affected websites redirected to a server hosting the exploit through a hidden iframe, FireEye said. Representatives of the three websites didn't immediately respond to requests for comments on the attacks, but later the Peterson Institute provided a statement saying it was "taking the situation extremely seriously and doing everything we can to ensure the security of our website."
"We believe the group behind this campaign has sufficient resources ... and is committed to their mission of infecting visitors to a particular type of website," the security company said in its release on the exploit. "The threat actors likely sought to infect users to these sites for follow-on data theft, such as information relating to defense and public policy matters."
The attackers appear to be Chinese speakers and may be the same people engaged in a mid-2012 cyber-espionage campaign, FireEye said.
The attacks, dubbed "Operation GreedyWonk" by FireEye, appear to be focusing on "broad intelligence gathering efforts," Darien Kindlund, threat intelligence manager at FireEye, said via email. "Based on the websites compromised and the typical visitors to those websites, it seems they are currently focused on intel related to foreign and economic policy activities, at this time."
Adobe Thursday released a security bulletin for Flash Player 126.96.36.199 and earlier versions of the software for Windows and Macintosh, and Flash 188.8.131.526 and earlier versions for Linux. One of the patches is likely related to the exploit discovered by FireEye.