Adobe updated Flash Player on Tuesday to address a zero-day vulnerability exploited by what experts believe to be a North Korean hacker group in attacks aimed at individuals in South Korea.
The existence of the vulnerability, tracked as CVE-2018-4878, came to light on January 31 when South Korea’s Internet & Security Agency (KISA) issued an alert. Cybersecurity experts based in the country said the flaw had been used by North Korean threat actors against South Koreans who focus on North Korea research.
Adobe has promised to release a patch sometime this week and it has kept its promise. Flash Player version 28.0.0.161 should fix the vulnerability, which the company has described as a use-after-free bug that allows remote code execution.
The security hole, which affects Flash Player 28.0.0.137 and earlier, was brought to the company’s attention by South Korea’s KrCERT/CC.
The latest Flash release also patches CVE-2018-4877, which is also a use-after-free vulnerability that allows remote code execution. The flaw was reported to Adobe by bo13oy of Qihoo 360 Vulcan Team via Trend Micro’s Zero Day Initiative (ZDI). Adobe does not appear to be aware of any attacks exploiting CVE-2018-4877.
FireEye has analyzed the attacks involving CVE-2018-4878 and believes the zero-day has been used by a group it tracks as TEMP.Reaper. The security firm determined that these hackers are likely based in North Korea based on IP addresses used to access command and control (C&C) servers.
“The majority of their targeting has been South Korea focused, targeting the government, military, and defense industrial base as well as other industry,” FireEye said. “They have also taken an interest in predictable North Korean interests such as unification efforts and defectors.”
The attacks observed by FireEye involved malicious Office documents and spreadsheets designed to exploit the Flash Player zero-day in an effort to deliver a piece of malware tracked by the company as DOGCALL.
Cisco Talos has also analyzed the campaign and attributed it to an actor it tracks as Group 123. While Cisco has not explicitly blamed North Korea for attacks launched by Group 123, the company has detailed several campaigns aimed at South Korea that often use North Korea-related topics as a lure when delivering malware.
Researchers pointed out that the addition of a zero-day exploit to its arsenal shows that the group has become highly motivated and sophisticated.
Related: U.S. Government Shares Details of FALLCHILL Malware Used by North Korea
Related: Australia, Canada, Others Blame North Korea for WannaCry Attack

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
- British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
- Meta Awards $27,000 Bounty for 2FA Bypass Vulnerability
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
Latest News
- Sentra Raises $30 Million for DSPM Technology
- Cyber Insights 2023: Cyberinsurance
- Cyber Insights 2023: Attack Surface Management
- Cyber Insights 2023: Artificial Intelligence
- Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
- Guardz Emerges From Stealth Mode With $10 Million in Funding
- How the Atomized Network Changed Enterprise Protection
- Critical QNAP Vulnerability Leads to Code Injection
