Black Arrow Cyber Alert 20 May 2024 – Flaw in Popular PDF Reader Foxit Exploited by Hackers to Deliver Variety of Malware
Executive summary
An active campaign has been identified in which a flaw in Foxit, a popular PDF reader, is being exploited by attackers to deploy a variety of malware. Check Point, who identified the campaign, have said that it has been used by multiple threat actors in campaigns ranging “from e-crime to espionage”. The campaign takes advantage of a flaw in which the PDF reader is set to accept a document as trusted by default. Once a user clicks OK on this prompt, a second pop-up appears which has the default option of allowing the PDF to open additional programs and execute commands.
What’s the risk to me or my business?
There is a risk that organisations using Foxit PDF reader are vulnerable to this exploitation, which has a low detection rate. This risk also extends to employees who have access to corporate data on their personal devices and are using Foxit. In both cases, the confidentiality, integrity and availability of information are at risk.
Reports indicate that the malicious PDFs are being distributed through traditional channels including email, as well as social media such as Facebook, capitalising on the low level of detection of this exploit.
What can I do?
Black Arrow recommends organisations evaluate the most suitable risk treatment approach for their environment. This may involve exploring alternative software solutions or uninstalling the affected software altogether. Additionally, disabling non-essential features, such as command prompt and PowerShell execution, for standard users is recommended. Cyber awareness training should also emphasise the importance of not opening unexpected files or granting permissions via pop-up windows to mitigate risks.
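As an added example, not part of the original alert or of Check Point's research, the sketch below shows one way a security team could monitor for the behaviour described above: a Foxit process starting a command interpreter. It assumes process-creation telemetry with ParentImage, Image and CommandLine fields (as Sysmon records them) and assumed Foxit executable names; all hosts, paths and events are constructed.

```python
import ntpath

# Assumed Foxit executable names; confirm against your own installations.
FOXIT_PARENTS = {"foxitpdfreader.exe", "foxitreader.exe"}
# Interpreters and script hosts a PDF viewer has no routine reason to start.
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe",
                    "wscript.exe", "cscript.exe", "mshta.exe"}

FOXIT = r"C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe"

# Constructed sample events (hypothetical hosts, paths and command lines).
SAMPLE_EVENTS = [
    {"Host": "ws-01", "ParentImage": FOXIT,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo constructed-example"},
    {"Host": "ws-02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": FOXIT, "CommandLine": "FoxitPDFReader.exe invoice.pdf"},
    {"Host": "ws-03", "ParentImage": FOXIT,
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe"},
    {"Host": "ws-04", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"Host": "ws-05", "ParentImage": FOXIT.upper(),
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe",
     "CommandLine": "PowerShell.exe -Command Get-Date"},
    {"Host": "ws-06", "Image": r"C:\Windows\System32\cmd.exe"},  # no parent recorded
]


def exe_name(path):
    """Lower-cased file name of a Windows path; empty string if missing."""
    return ntpath.basename(path or "").lower()


def find_foxit_spawns(events):
    """Return events where a Foxit process started a command interpreter."""
    hits = []
    for ev in events:
        if (exe_name(ev.get("ParentImage")) in FOXIT_PARENTS
                and exe_name(ev.get("Image")) in SUSPECT_CHILDREN):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_foxit_spawns(SAMPLE_EVENTS):
        print(f"{ev['Host']}: {exe_name(ev['ParentImage'])} -> "
              f"{exe_name(ev['Image'])} | {ev.get('CommandLine', '')}")
```

Matching is on file name only and ignores case, so it covers non-default install paths; a renamed reader binary would need a different signal, such as the file's signer or product name.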
Further information from Check Point can be found here:
https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/