Attackers Likely to Exploit Flash Player and Windows Kernel Vulnerabilities Exposed in Hacking Team Breach
Researchers say they have identified several exploits, including ones for zero-day vulnerabilities, in the hundreds of gigabytes of data stolen by a hacker from the systems of surveillance software maker Hacking Team.
Hacking Team, a controversial Italy-based company that provides lawful interception solutions to law enforcement and intelligence agencies from all over the world, confirmed on Monday morning that its systems had been breached, just hours after a hacker took over its Twitter account and started publishing files and emails allegedly stolen from the firm.
The attacker leaked a total of 400GB of data, including contracts, client lists, emails, passwords and source code.
Researchers at Trend Micro have analyzed the leaked data and uncovered several exploits, including a zero-day for Adobe Flash Player.
A readme document found alongside proof-of-concept (PoC) code for the Flash Player zero-day describes the vulnerability as “the most beautiful Flash bug for the last four years since CVE-2010-2161.”
According to the document, the flaw affects Flash Player 9 and later on Internet Explorer, Chrome, Firefox and Safari. Trend Micro has analyzed the vulnerability and determined that it’s caused by a use-after-free (UAF) issue in the ByteArray class.
Symantec also confirmed the existence of this zero-day vulnerability in Adobe Flash Player.
“Analysis by Symantec has confirmed the existence of this vulnerability by replicating the proof-of-concept exploit on the most recent, fully patched version of Adobe Flash (220.127.116.11) with Internet Explorer. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected computer,” the security firm said in a blog post.
Symantec believes it is possible that the security hole has already been exploited in the wild. The exploit will likely be incorporated into exploit kits before Adobe manages to roll out a patch, the company said.
However, Adobe says it’s aware of the reports and expects to release a patch on Wednesday.
“Yes, we are aware of the report of an exploit for a previously unknown Flash Player vulnerability being published publicly and expect to release an update tomorrow, Wednesday. Note that we have not yet seen reports of this vulnerability being exploited in the wild,” Adobe told SecurityWeek.
In addition to the Flash Player exploit, Trend Micro said it also spotted an exploit for a Windows kernel zero-day vulnerability in the Hacking Team leak.
A hacker using the online moniker “Phineas Fisher” has taken credit for the attack on Hacking Team.
“I'll writeup how hacking team got hacked once they've had some time to fail at figuring out what happened and go out of business,” the hacker wrote on Twitter.
Last year, Phineas Fisher took credit for the attack on Gamma International, another controversial company that offers advanced spyware to governments. Tens of gigabytes of data were leaked from the systems of Gamma, which is best known for its FinFisher surveillance software.
Both Hacking Team and Gamma International have often been accused of selling their products to governments that don’t have a good record on democracy and human rights.
Hacking Team has confirmed that its systems have been breached, but it has not commented on the authenticity of the leaked files. The company says it has notified law enforcement and its customers, who have been instructed to suspend the use of its solutions while the incident is being investigated. Hacking Team’s official website, hackingteam.it, is currently offline.
The files leaked online seem to show that Hacking Team was well aware that its solutions had been used by oppressive regimes.
A client list found in the Hacking Team leak includes countries such as the U.S., Egypt, Ethiopia, Morocco, Nigeria, Sudan, Cyprus, Czech Republic, Germany, Hungary, Italy, Luxembourg, Poland, Russia, Spain, Switzerland, Chile, Colombia, Ecuador, Honduras, Mexico, Panama, Azerbaijan, Kazakhstan, Uzbekistan, Malaysia, Mongolia, Singapore, South Korea, Thailand, Vietnam, Bahrain, Oman, Saudi Arabia, the U.A.E., and Australia.
Hacking Team has always denied working with totalitarian governments, and even after the leak the company denies breaking any laws.
However, experts believe it will be difficult for Hacking Team to recover from this attack.
“There is no way Hacking Team will survive this document dump. They are toast,” Christopher Soghoian, principal technologist at the ACLU, said on Twitter.
*Updated to clarify that only one Flash Player zero-day was found in the Hacking Team leak. Trend Micro's initial blog post stated that there were two unknown Flash Player bugs.