A critical Foxit PDF Reader vulnerability are generating unusual pattern of behaviors. This exploit triggers security warnings designed to deceive users to execute harmful commands. Read this Cybersecurity Threat Advisory to learn recommendations to minimize your risks.
What is the threat?
The critical vulnerability in Foxit PDF Reader enables attackers to embed malicious scripts within a PDF file. Upon opening, it executes and can lead to various malicious activities such as data exfiltration, ransomware deployment, or further network infiltration.
The vulnerability stems from a flawed design in Foxit PDF Reader where it defaults to ‘OK’ as the selected option when opening a PDF file. This design choice can lead many users to disregard the warnings and inadvertently execute the malicious code. The malicious command is executed when the victim agrees to the default options twice. When a user carelessly proceeds with the default option twice, the exploit is triggered, downloading and executing a payload from a remote server.
Why is it noteworthy?
This flaw allows attackers to distribute several malware families, including ransomware (e.g., Ryuk), spyware (e.g., Agent Tesla), and remote access Trojans (RATs) (e.g., NanoCore), through malicious PDF files. Variants of this exploit are actively utilized in the wild, with a low detection rate due to the prevalent use of Adobe Reader in most sandboxes and antivirus solutions, as Adobe Reader is not vulnerable to this specific exploit. Various exploit builders, ranging from .NET to Python, have been used to deploy this exploit. Multiple threat actors, from e-crime to espionage, have been shared via nontraditional means such as Facebook.
The combination of ease of exploitation and the broad user base of Foxit PDF Reader amplifies the potential impact of this threat.
What is the exposure or risk?
Organizations using Foxit PDF Reader are at high risk of compromise. The exploit can lead to unauthorized access to sensitive data, disruption of business operations, and financial losses due to ransomware attacks. Additionally, the ability of the exploit to propagate within a network increases the risk of widespread damage. Attackers can use this flaw to establish a foothold in targeted systems, serving as a gateway for further sophisticated attacks. It is imperative for organizations to address this issue promptly.
What are the recommendations?
CSB recommends the following actions to keep your systems protected against this threat:
- Update operating systems and applications to prevent further exploitation
- Educate employees of this ongoing risk
- Be vigilant of unexpected emails with links, especially from unknown senders.
References:
For more in-depth information about the recommendations, please visit the following links:
