BlackOasis is a Middle Eastern threat group that has targeted prominent leadership in the United Nations, as well as Turkish bloggers, activists, journalists, consultancies, and think tanks. It has been suggested that Neodymium, another threat actor, is closely aligned with BlackOasis's malicious activity; however, the exact nature of their relationship and any overlap in membership remains unknown. Both BlackOasis and Neodymium heavily target Turkish victims. A third group, Promethium, has targeted many of the same Turkish victims and has shown many of the same campaign characteristics in its tactics, techniques, and procedures (TTPs). Over time, the threat research community may well conclude that Promethium, Neodymium, and BlackOasis have more than a few members in common, or are in fact the same threat group.
BlackOasis has exploited a vulnerability in Adobe Flash Player (CVE-2017-11292). Adobe Flash Player version 27.0.0.159 and earlier has a flawed byte code verification procedure. This flaw allows an untrusted value to be used to calculate an array index, which can lead to type confusion; successful exploitation could result in arbitrary code execution. The vulnerability affects Flash Player on most major operating systems, including Windows, Mac, Chrome OS, and Linux.
BlackOasis continues to run multiple campaigns across a broad geographic range. It has targeted victims in Russia, Iraq, Afghanistan, Iran, the Netherlands, Bahrain, the United Kingdom, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, and Angola.
A more recently discovered Flash zero-day exploit is one of several zero-days that the BlackOasis group has successfully used over the past few years. The exploit is delivered through a Microsoft Office document attached to a spam email: the malicious Word document embeds an ActiveX object, and that object contains the Flash exploit.
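The delivery chain above (a Word document carrying a Flash exploit inside an embedded ActiveX object) leaves recognisable traces in the OOXML container, which a defender can check for before the document is opened. The following is an added example, not code from the original page: it walks the .docx zip looking for ActiveX parts, raw SWF headers, and the CLSID of the Shockwave Flash control. The sample document it builds is constructed in memory for the demonstration and its activeX1.bin layout is a simplified stand-in for the real OLE container.

```python
import io
import zipfile

# SWF file signatures: FWS (uncompressed), CWS (zlib), ZWS (LZMA).
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
# CLSID of the Shockwave Flash ActiveX control, as it appears in the
# activeX*.xml part (text) and inside the activeX*.bin part (little-endian GUID).
FLASH_CLSID_TEXT = b"d27cdb6e-ae6d-11cf-96b8-444553540000"
FLASH_CLSID_BIN = bytes.fromhex("6edb7cd26daecf1196b8444553540000")


def scan_docx(data: bytes) -> list[str]:
    """Return human-readable findings for an OOXML (.docx) file held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            blob = z.read(name)
            if name.lower().startswith("word/activex/"):
                findings.append(f"{name}: ActiveX part present")
            if blob[:3] in SWF_MAGIC:
                findings.append(f"{name}: raw SWF header {blob[:3].decode()}")
            if FLASH_CLSID_TEXT in blob.lower() or FLASH_CLSID_BIN in blob:
                findings.append(f"{name}: Shockwave Flash CLSID")
    return findings


def build_sample_docx(with_flash: bool) -> bytes:
    """Construct a minimal .docx in memory (a constructed sample, not a real exploit document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            z.writestr("word/activeX/activeX1.xml",
                       '<ax:ocx ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}"/>')
            # Simplified stand-in for the OLE container: GUID bytes plus a dummy SWF header.
            z.writestr("word/activeX/activeX1.bin",
                       FLASH_CLSID_BIN + b"CWS\x0f" + b"\x00" * 8)
            # A bare SWF part, to show the header check firing at offset 0.
            z.writestr("word/media/movie1.swf", b"CWS\x0f" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for line in scan_docx(build_sample_docx(True)):
        print(line)
```

Any hit on the Flash CLSID or an SWF header inside a document received by email is worth quarantining for analysis, since Flash content has no legitimate place in routine correspondence.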
BlackOasis has utilized many zero-day exploits; some of them are:
- CVE-2015-5119 – June 2015. A critical vulnerability (CVE-2015-5119) was identified in Adobe Flash Player 18.0.0.194 and earlier versions for Windows, Macintosh, and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.
- CVE-2016-0984 – June 2015. Use-after-free vulnerability in Adobe Flash Player before 18.0.0.329 and 19.x and 20.x before 20.0.0.306 on Windows and OS X and before 11.2.202.569 on Linux, Adobe AIR before 20.0.0.260, Adobe AIR SDK before 20.0.0.260, and Adobe AIR SDK & Compiler before 20.0.0.260 allows attackers to execute arbitrary code via unspecified vectors.
- CVE-2016-4117 – May 2016. Adobe Flash Player 21.0.0.226 and earlier allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in May 2016.
- CVE-2017-8759 – Sept 2017. Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, and 4.7 allows an attacker to execute code remotely via a malicious document or application, aka ".NET Framework Remote Code Execution Vulnerability."
- CVE-2017-11292 – Oct 2017 – discussed above. Adobe Flash Player version 27.0.0.159 and earlier has a flawed byte code verification procedure, which allows an untrusted value to be used in calculating an array index. This flaw can lead to type confusion, and successful exploitation could lead to arbitrary code execution.