Watering Hole Attack Exploits North Korea’s Flash Flaw

An attack leveraging the compromised website of a Hong Kong telecommunications company is using a recently patched Flash vulnerability that has been exploited by North Korea since mid-November 2017, Morphisec warns.

The targeted vulnerability, CVE-2018-4878, first became public in early February, after South Korea’s Internet & Security Agency (KISA) issued an alert on it being abused by a North Korean hacker group. Adobe patched the flaw within a week.

By the end of February, cybercriminals were already abusing the vulnerability. The newly observed incident, Morphisec notes, is a textbook case of a watering hole assault. As part of such attacks, which are mainly focused on cyber-espionage, actors plant malware on websites their victims are likely to visit.

The newly observed incident revealed advanced evasive characteristics, as it was purely fileless, without persistence or any trace on the disk. Furthermore, it used a custom protocol on a non-filtered port.

“Generally, this advanced type of watering hole attack is highly targeted in nature and suggests that a very advanced group is behind it,” the security researchers note.

The Flash exploit used in this assault was highly similar to the one detailed in the previous analysis of the CVE-2018-4878 vulnerability, although it uses different shellcode, executed post-exploitation.

The shellcode executes rundll32.exe and overwrites its memory with malicious code. This malicious code was designed to download additional code directly into the memory of the rundll32 process.

The security researchers also discovered that the command and control (C&C) server uses a custom protocol over port 443 to communicate with the victim.
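The following Python triage check, added here and not part of Morphisec's analysis, flags the two network-visible traits described above: traffic on port 443 that does not open with a TLS ClientHello, and outbound connections owned by rundll32.exe. The flow-record fields and sample payloads are constructed for illustration, and the check assumes the custom protocol does not begin with a TLS handshake, which the article does not specify.

```python
import struct

def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """True if the first client payload starts with a TLS handshake
    record whose first message is a ClientHello."""
    if len(first_bytes) < 6:
        return False
    content_type, major, minor, length = struct.unpack("!BBBH", first_bytes[:5])
    return (
        content_type == 0x16               # record type: handshake
        and major == 0x03 and minor <= 0x04  # SSL 3.0 .. TLS 1.3 record versions
        and 0 < length <= 2 ** 14          # maximum TLS plaintext record size
        and first_bytes[5] == 0x01         # handshake type: ClientHello
    )

# Constructed flow records (hypothetical schema): owning process image,
# destination port, and the first bytes the client sent.
SAMPLE_FLOWS = [
    {"image": "chrome.exe", "dport": 443,
     "payload": bytes.fromhex("16030100c8010000c40303")},
    {"image": "rundll32.exe", "dport": 443,
     "payload": bytes.fromhex("16030300a5010000a10303")},
    {"image": "rundll32.exe", "dport": 443,
     "payload": b"\x00\x00\x01\x2a\xde\xad\xbe\xef"},  # made-up non-TLS bytes
    {"image": "svchost.exe", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\n"},
]

def triage(flows):
    """Return (index, reasons) for every flow that matches a trait."""
    findings = []
    for i, flow in enumerate(flows):
        reasons = []
        if flow["dport"] == 443 and not looks_like_tls_client_hello(flow["payload"]):
            reasons.append("non-TLS payload on 443")
        if flow["image"].lower() == "rundll32.exe":
            reasons.append("rundll32.exe network egress")
        if reasons:
            findings.append((i, reasons))
    return findings

if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_FLOWS):
        print(index, SAMPLE_FLOWS[index]["image"], "; ".join(reasons))
```

Either signal alone is a triage lead rather than a verdict; a flow that matches both deserves the closest look.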

The additional code downloaded into the memory of rundll32 includes Metasploit Meterpreter and Mimikatz modules. Most of the modules were compiled on February 15, less than a week before the attack.

“As our analysis shows, this watering hole attack is of advanced evasive nature. Being purely fileless, without persistence or any trace on the disk, and the use of custom protocol on a non-filtered port, makes it a perfect stepping stone for a highly targeted attack chain. This clearly suggests that very advanced threat actors are responsible for it,” Morphisec says.

Despite these advanced evasive features, the attack used basic Metasploit framework components that were compiled just before the attack and lacked any sophistication, obfuscation or evasion. This combination creates confusion and makes it difficult to attribute the attack to a specific actor.

According to Morphisec, this attack, the exploit kits that were updated to target CVE-2018-4878, the campaign observed a few weeks ago, and the vulnerability’s abuse by nation-based groups all create a certain sense of déjà vu.

“It is like the anarchy of 2-3 years ago when we had new exploits targeting a particular vulnerability discovered every week. Each one different enough to evade detection for those crucial first moments and security solutions always racing to catch up,” the security firm concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
