Data Loss Prevention (DLP) , Governance & Risk Management , Incident & Breach Response

Hacking Team Zero-Day Attack Hits Flash

Exploit Kits Already Using Leaked Spyware Vendor's Malware
Hacking Team Zero-Day Attack Hits Flash

Warning: Update or uninstall all versions of Flash Player to protect against a zero-day, weaponized exploit that became public when Italian spyware vendor Hacking Team was hacked, and 400 GB of corporate data leaked (see Spyware Vendor Alert: Suspend Software).

See Also: Is Cyberstorage the New Paradigm for Data Security?

Security experts have sounded that alert in the wake of reports that at least three exploit kits - automated software built by and for cybercriminals to automatically infect PCs on an industrial scale - have already incorporated the leaked Adobe Flash zero-day flaw. Researchers are also warning that the dump contains a zero-day Windows exploit, as well as a Flash exploit for CVE-2015-0349, which was patched by Adobe in April. The exploits could have been used by Hacking Team's customers to sneak the surveillance software vendor's spyware onto targets' PCs.

Hacking Team - which claims to sell only to police and government agencies, and not to regimes that violate human rights - continues to be in the hot seat after leaked documents suggest that the company violated United Nations sanctions by selling to Sudan and Russia (see Surveillance Software Firm Breached). One member of the European Parliament has already demanded that EU authorities launch a related investigation into both Hacking Team as well as the potential role played by Italian authorities.

But the hack of Hacking Team and related data dump also have immediate implications for anyone who uses the Flash browser plug-in, owing to a leaked zero-day flaw described in a leaked Hacking Team email as being "the most beautiful Flash bug for the last four years."

Adobe's related July 7 security advisory says that the vulnerability - CVE-2015-5119 - could be exploited to "cause a crash and potentially allow an attacker to take control of the affected system," and that the Flash flaw affected the most recent, fully patched versions of Flash Player for Windows, Macintosh and Linux. But in a Flash update issued July 8, Adobe has updated its software to fix the flaw.

Credit for reporting the flaw goes to Google Project Zero and ex-Google security researcher Morgan Marquis-Boire - a.k.a. "Morgan Mayhem" - says Adobe (see Google's Psychological Patch Warfare). Marquis-Boire has confirmed to Information Security Media Group that he found the flaw in the leaked Hacking Team data.

The Flash flaw has already been incorporated into three exploit kits - Angler, Neutrino and Nuclear Pack - reports "Kafeine," which is the moniker of the French security researcher who runs the Malware Don't Need Coffee blog.

Exploit Kit Warnings

"Exploit kits automate the injection of malware onto your computer, typically by using poisoned JavaScript on a hacked Web page to figure out what unpatched browser plugins you have," says Paul Ducklin, a senior security advisor at Sophos, in a blog post. "Then the kit chooses one or more exploits that seem likely to work, and uses them to deliver malware on a 'pay-per-install' basis."

Exploit kits increasingly install a range of malware - on behalf of the exploit kit crew's customers - including ransomware. "The ransomware crooks pay the exploit kit crew to push the malware out; if it subsequently works, then the victim pays the ransomware crooks," he says.

In fact, Brooks Li, a threat analyst for Trend Micro, reports that multiple exploit kits, including Angler, have been using the exploit to drop the CryptoWall 3.0 ransomware on infected PCs.

Experts: Kill Flash

Pending a fix for Flash, some security experts have recommended that users temporarily disable the software, or at least block it from being able to automatically execute. "If you haven't made Flash click-to-play, do so now," says Virus Bulletin editor Martijn Grooten via Twitter.

But many information security experts, including Gavin Millard, technical director for Europe, the Middle East, and Africa at Tenable Network Security, have long recommended that users uninstall Flash altogether. "For the average home and SMB user ... it shouldn't be required," Millard says. "I have the same level of disdain for Java, PDF and Flash."

Windows Malware

Beyond the Flash flaw contained in the Hacking Team dump, the Bangkok-based security expert known as "the Grugq" reports that the dump also contained a zero-day exploit for 32-bit Windows.

Trend Micro threat analyst Peter Pi has also confirmed in a blog post that the Hacking Team data dump also contains a previously unseen exploit for the Windows kernel flaw. More information about the exploit has yet to be released, and the vulnerability has yet to receive a CVE designation.

EU Lawmaker Demands Investigation

As security researchers continue to pore over the leaked data for signs of exploits, privacy and civil rights groups are doing the same with an eye to Hacking Team's business practices, including longstanding questions about whether the company sold its spyware to repressive regimes.

Dutch member of the European Parliament Marietje Schaake, long a vocal advocate for protecting people's privacy as well as human rights, has demanded that the European Commission launch an investigation into Hacking Team, and ascertain whether Italian authorities authorized the company to freely export its software to all countries that participate in the Wassenaar arms-control agreement.

Schaake also wants investigators to focus on leaked internal documents which suggest that Hacking Team sold its Remote Control Software, a.k.a. Galileo, to Sudan's National Intelligence and Security Services, in apparent violation of United Nations sanctions. Likewise, she says the company appears to have sold its software to Kvant, a Russian state-owned military radar producer, also in violation of UN sanctions.

"More transparency and accountability are needed around the sales of privacy-intrusive surveillance tools," Schaake says in a blog post. "Internal due diligence policies and self-regulation efforts are clearly not enough to prevent the marketing and sale of these systems from the EU to some of the world's worst human rights abusers. ... The EU must ensure it is credible in its foreign policies and hold to account the violators within its own borders."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.