Adobe releases an out-of-band Flash Player update addressing a zero-day vulnerability being exploited by a little-known APT group. The group known as Black Oasis was, as recently as this month, using exploits for the flaw to drop FinSpy as a payload. The vulnerability, CVE-2017-11292, was privately disclosed Oct. 10 by researchers at Kaspersky Lab, who saw the payload and exploit used against a customer s network. The attackers spread the exploit via email, embedding the Flash exploit inside an Active X object inside a Word document.
Source: https://threatpost.com/adobe-patches-flash-zero-day-exploited-by-black-oasis-apt/128467/