Security Experts:

Flash Player Zero-Day Leaked in Hacking Team Breach Exploited in the Wild

The Adobe Flash Player zero-day exploit discovered by researchers in the Hacking Team leak has been added to several exploit kits.

Hacking Team, a controversial Italy-based surveillance software maker that offers its solutions to law enforcement and intelligence agencies, has been breached. The attackers leaked 400GB of data, including emails, source code, passwords, contracts, client lists and other documents.

An analysis of the leaked data has revealed the existence of at least two zero-day vulnerabilities -- one in Adobe Flash Player and one in the Windows kernel. These security holes have been likely leveraged by Hacking Team to install its spying software on the devices of targeted entities.

The Flash Player zero-day (CVE-2015-5119), caused by a use-after-free (UAF) issue in the ByteArray class, affects Adobe Flash Player 18.0.0.194 and earlier. Adobe expects to patch the security bug on Wednesday, but cybercriminals have already added it to exploit kits.

The French security researcher known as Kafeine, Trend Micro and Malwarebytes reported seeing the bug being leveraged by exploit kits such as Angler, Neutrino and Nuclear Pack. Trend Micro reported that one of the payloads distributed by the exploit kits, particularly by Angler, is the Cryptowall 3.0 ransomware.

Security firms have already updated their products to ensure that their customers are protected against potential attacks until Adobe delivers a patch. Many experts also advise users to remove Flash Player altogether from their systems.

The existence of the Flash Player zero-day was reported by several security firms and researchers, but Adobe has credited Google Project Zero and Morgan Marquis-Boire for notifying the company.

Microsoft is also working on addressing the vulnerability spotted by researchers in the Hacking Team leak. However, the company believes the overall risk to its customers is limited because the vulnerability cannot be exploited on its own to gain control of a machine.

“The [Windows] vulnerability exists in the open font type manager module (ATMFD.dll), which is provided by Adobe. The DLL is run in the kernel mode. An attacker can exploit the vulnerability to perform privilege escalation which can bypass the sandbox mitigation mechanism,” Trend Micro explained.

The attack on Hacking Team is reportedly the work of the same individual who last year targeted Gamma International, another controversial surveillance software company that has been accused of selling its products to totalitarian regimes.

Hacking Team continues to deny doing anything illegal, despite leaked documents which seem to suggest that the company is well aware that its solutions have been leveraged by repressive governments such as the ones in Sudan, Bahrain, Ethiopia, Kazakhstan, Morocco, Nigeria, Saudi Arabia, the UAE and Uzbekistan.

Marietje Schaake, a Dutch member of the European Parliament, wants Hacking Team to be investigated by the European Commission to determine if the company has violated EU sanctions regimes. The official has also asked Italian authorities to conduct an investigation because while sanctions are decided at EU level, they are enforced on national level, Schaake said.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.