Incident: Adobe Flash Vulnerability Exploited for Spying Tools Distribution

Published Date: 2017-10-17

Postmortem Analysis
Timeline
1. The software failure incident happened on October 10, 2017 [64293].

System
1. Adobe Flash - The vulnerability exploited in the incident was in Adobe Flash, and it allowed attackers to install spying tools on victims' computers [64293].

Responsible Organization
1. BlackOasis group [64293]

Impacted Organization
1. Governments of various countries who are members of the United Nations
2. Oil and gas companies in several regions
3. Activists and several non-governmental organizations (NGOs) in the UK
4. Law enforcement agencies around the world (potentially impacted by the misuse of FinSpy) [64293]

Software Causes
1. A security vulnerability in Adobe Flash allowed attackers to install spying tools on victims' computers [64293].

Non-software Causes
1. The attackers targeted governments of various countries who are members of the United Nations and oil and gas companies in several regions [64293].
2. Activists and several non-governmental organizations (NGOs) in the UK were also targeted by the attackers [64293].

Impacts
1. The software failure incident led to the installation of spying tools on victims' computers, affecting governments of various countries, oil and gas companies, activists, and non-governmental organizations [64293].

Preventions
1. Regular software updates and patching: Adobe limited further exploitation by promptly patching the Flash security flaw once Kaspersky Lab reported it [64293].
2. Enhanced file type restrictions: Microsoft could consider blocking certain types of files from launching when Word documents are opened, to prevent malicious Flash files embedded in documents from running [64293].
3. Phasing out vulnerable software: Gradually phasing out software with a long record of security issues, such as Adobe Flash, reduces the risk of similar incidents in the future [64293].

Fixes
1. Adobe released a patch for the Flash security vulnerability exploited by the attackers [64293].
2. Web browsers now ship with protections that stop attackers from exploiting Flash in the browser, which has been effective in curtailing browser-based Flash exploits [64293].
3. Microsoft could consider blocking certain types of files from launching when Word documents are opened, to prevent similar attacks in the future [64293].

References
1. Kaspersky Lab researchers [64293]
2. Adobe [64293]
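As an added illustration of the file-type check mentioned under Preventions and Fixes (this is example code written for this page, not code from the article, Adobe, Microsoft or Kaspersky Lab), the following Python script inspects a .docx for embedded Flash content: a .swf part, an ActiveX part carrying the public Shockwave Flash control CLSID, or a content-types entry declaring ActiveX parts. The two sample documents are constructed in memory; the part names and CLSID are real OOXML conventions, and a mail gateway or endpoint tool could apply the same check before a document reaches Word.

```python
import io
import zipfile

# Well-known public CLSID of the Shockwave Flash ActiveX control; a Word document
# that instantiates this control loads Flash Player when the document is opened.
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
ACTIVEX_CONTENT_TYPE = "application/vnd.ms-office.activeX+xml"


def find_embedded_flash(docx_bytes: bytes) -> list:
    """Return findings describing Flash/ActiveX content inside a .docx.

    A .docx is a ZIP container of XML parts. Three indicators are checked:
    a part with a .swf extension, an ActiveX part whose classid is the Flash
    control, and a [Content_Types].xml entry that declares ActiveX parts.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            lower = name.lower()
            if lower.endswith(".swf"):
                findings.append(f"{name}: embedded Flash (.swf) part")
            elif lower.startswith("word/activex/") and lower.endswith(".xml"):
                xml = z.read(name).decode("utf-8", "replace").upper()
                if FLASH_CLSID in xml:
                    findings.append(f"{name}: ActiveX control with Flash CLSID")
            elif name == "[Content_Types].xml":
                if ACTIVEX_CONTENT_TYPE in z.read(name).decode("utf-8", "replace"):
                    findings.append(f"{name}: declares ActiveX parts")
    return findings


def build_docx(parts: dict) -> bytes:
    """Build a minimal .docx-like ZIP from {part name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a plain document and one carrying a Flash ActiveX control.
BODY = "<w:document><w:body><w:p/></w:body></w:document>"
CLEAN_DOCX = build_docx({"[Content_Types].xml": "<Types/>", "word/document.xml": BODY})
FLASH_DOCX = build_docx({
    "[Content_Types].xml": f'<Types><Override PartName="/word/activeX/activeX1.xml" '
                           f'ContentType="{ACTIVEX_CONTENT_TYPE}"/></Types>',
    "word/document.xml": BODY,
    "word/activeX/activeX1.xml": f'<ax:ocx ax:classid="{{{FLASH_CLSID}}}" '
                                 'xmlns:ax="http://schemas.microsoft.com/office/2006/activeX"/>',
})

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOCX), ("flash", FLASH_DOCX)):
        print(label, find_embedded_flash(doc) or "no Flash/ActiveX indicators")
```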

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization (a) The software failure incident related to the FinSpy malware being used to distribute spying tools has happened again at the same organization, Gamma International. The incident involved the exploitation of a Flash security vulnerability to install spying tools on victims' computers [64293]. This indicates a recurring issue with the security of Gamma International's surveillance software product, FinSpy. (b) The software failure incident involving the exploitation of a Flash security vulnerability to distribute spying tools has also affected multiple organizations, including governments of various countries who are members of the United Nations, as well as oil and gas companies in several regions. Additionally, activists and several non-governmental organizations (NGOs) in the UK were targeted by the attackers. This demonstrates that the same type of software failure incident has impacted various organizations beyond just Gamma International [64293].
Phase (Design/Operation) design, operation (a) The software failure incident related to the design phase: The incident described in the article is related to a security vulnerability in Adobe Flash that was exploited by attackers to distribute spying tools. The vulnerability was delivered through malicious Flash files embedded in Microsoft Word documents, which were then sent as email attachments to targets. This indicates a failure in the design phase of the software, where the vulnerability in Flash allowed for the exploitation by attackers to install spying tools on victims' computers [64293]. (b) The software failure incident related to the operation phase: The operation phase failure in this incident can be attributed to the misuse of the system by attackers. The attackers exploited the security vulnerability in Adobe Flash by embedding malicious Flash files in Microsoft Word documents and sending them as email attachments to targets. When the recipients opened the document, the FinSpy malware was secretly installed on their computers. This misuse of the system by attackers led to the successful installation of spying tools on victims' computers, highlighting a failure in the operation phase of the software [64293].
Boundary (Internal/External) within_system, outside_system (a) within_system: The software failure incident in this case was due to a security bug in Adobe Flash that allowed attackers to install spying tools on victims' computers. The vulnerability was exploited by embedding malicious Flash files in Microsoft Word documents, which when opened, allowed the FinSpy malware to secretly install itself [64293]. (b) outside_system: The attackers, identified as a group called BlackOasis, were targeting governments of various countries, oil and gas companies, activists, and non-governmental organizations. The exploit was discovered by Kaspersky Lab researchers, who promptly contacted Adobe to address the issue. The attackers leveraged legal surveillance tools like FinSpy for their malicious activities, highlighting the use of external tools for unauthorized espionage [64293].
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident in this case was primarily due to non-human actions. The incident involved a security vulnerability in Adobe Flash that was exploited by attackers to distribute spying tools. The vulnerability was discovered by Kaspersky Lab researchers, and the spying software, FinSpy, was secretly installed when victims opened malicious Flash files embedded in Microsoft Word documents sent as email attachments [64293]. The exploit did not require direct human interaction to trigger the installation of the malware. (b) However, human actions were also involved in this incident. The attackers, identified as a group called BlackOasis, actively targeted governments of various countries, oil and gas companies, activists, and non-governmental organizations using the exploit. Additionally, Kaspersky Lab contacted Adobe upon discovering the vulnerability, leading to Adobe publishing a patch to address the security flaw [64293].
Dimension (Hardware/Software) software (a) The software failure incident occurring due to hardware: - The article does not mention any hardware-related issues contributing to the software failure incident. Therefore, it is unknown if the incident was caused by hardware [64293]. (b) The software failure incident occurring due to software: - The software failure incident in this case was due to a security bug in Adobe Flash that was exploited by attackers to distribute spying tools. The flaw allowed the FinSpy malware to secretly install itself when victims opened malicious Flash files embedded in Microsoft Word documents [64293].
Objective (Malicious/Non-malicious) malicious (a) The software failure incident described in the article is malicious in nature. The incident involved a Flash security vulnerability being exploited by attackers to distribute spying tools, specifically the FinSpy malware, to victims' computers. The attackers embedded malicious Flash files in Microsoft Word documents and sent them as email attachments to targets, with the intent to secretly install the spying software [64293]. The attackers, believed to be a group called BlackOasis, targeted governments of various countries, oil and gas companies, activists, and non-governmental organizations [64293]. The use of the FinSpy surveillance software, developed by Gamma International, for malicious purposes by the attackers highlights the malicious intent behind the software failure incident. The incident involved the exploitation of a security flaw in Adobe Flash to carry out espionage activities, indicating a deliberate attempt to harm the targeted systems and compromise sensitive information [64293].
Intent (Poor/Accidental Decisions) unknown (a) The intent of the software failure incident: The software failure incident described in the article was not due to poor decisions but rather a deliberate and malicious act by attackers. The attackers, identified as the group BlackOasis, exploited a Flash security vulnerability to distribute spying tools, specifically the FinSpy malware, to target governments, oil and gas companies, activists, and NGOs in various countries [64293]. This incident was a result of intentional actions aimed at conducting espionage activities rather than poor decisions.
Capability (Incompetence/Accidental) development_incompetence, accidental (a) The software failure incident in the article can be attributed to development incompetence. The vulnerability exploited by the attackers to distribute spying tools was a security flaw in Adobe Flash that allowed the installation of the FinSpy malware [64293]. This flaw was discovered by Kaspersky Lab researchers, indicating that it was a result of a lack of professional competence in ensuring the security of the software during development. (b) Additionally, the incident can also be categorized as accidental. The attackers, identified as the group BlackOasis, used the vulnerability in Flash to distribute spying tools to targets, including governments, oil and gas companies, activists, and NGOs. The exploit was delivered through malicious Flash files embedded in Microsoft Word documents sent as email attachments [64293]. This accidental exploitation of the vulnerability highlights how unintended consequences can arise from software flaws.
Duration temporary The software failure incident described in the article is temporary. The incident involved a Flash security vulnerability that was being exploited by attackers to distribute spying tools. Adobe promptly patched the security flaw after being notified by Kaspersky Lab, indicating that the issue was not permanent and was addressed through a software update [64293].
Behaviour other (a) crash: The software failure incident described in the article does not involve a crash where the system loses state and does not perform any of its intended functions [64293]. (b) omission: The failure in this incident is not due to the system omitting to perform its intended functions at an instance(s) [64293]. (c) timing: The incident is not related to the system performing its intended functions correctly, but too late or too early [64293]. (d) value: The software failure incident is not attributed to the system performing its intended functions incorrectly [64293]. (e) byzantine: The behavior of the software failure incident does not involve the system behaving erroneously with inconsistent responses and interactions [64293]. (f) other: The software failure incident in the article is related to a security bug in Adobe Flash that was being exploited to distribute spying tools, specifically the FinSpy malware, rather than exhibiting any of the behaviors described in options (a) to (e) [64293].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property, non-human, other (a) death: People lost their lives due to the software failure - No information in the provided article about people losing their lives due to the software failure incident [64293]. (b) harm: People were physically harmed due to the software failure - No information in the provided article about people being physically harmed due to the software failure incident [64293]. (c) basic: People's access to food or shelter was impacted because of the software failure - No information in the provided article about people's access to food or shelter being impacted due to the software failure incident [64293]. (d) property: People's material goods, money, or data was impacted due to the software failure - The software failure incident involved attackers using a Flash security vulnerability to distribute spying tools, impacting victims' computers by installing spying software [64293]. (e) delay: People had to postpone an activity due to the software failure - The software failure incident did not mention any delays in activities due to the incident [64293]. (f) non-human: Non-human entities were impacted due to the software failure - The software failure incident involved the installation of spying tools on victims' computers, which can be considered as impacting non-human entities (computers) [64293]. (g) no_consequence: There were no real observed consequences of the software failure - The software failure incident had real observed consequences, such as the installation of spying tools on victims' computers [64293]. (h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur - The article discussed the potential consequences of using legal surveillance tools for unlawful purposes, contributing to the increasing climate of world cyber war, but it did not mention any specific theoretical consequences that did not occur [64293]. (i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? - The software failure incident led to the installation of spying software on victims' computers, impacting their privacy and security [64293].
Domain information, government (a) The failed system was intended to support the industry of information production and distribution. The software failure incident involved a Flash security vulnerability that was being exploited to distribute spying tools, targeting governments, oil and gas companies, activists, and non-governmental organizations [64293].

Sources
