Flash Player Zero-Day Leaked in Hacking Team Breach Exploited in the Wild

The Adobe Flash Player zero-day exploit discovered by researchers in the Hacking Team leak has been added to several exploit kits.

Hacking Team, a controversial Italy-based surveillance software maker that offers its solutions to law enforcement and intelligence agencies, has been breached. The attackers leaked 400GB of data, including emails, source code, passwords, contracts, client lists and other documents.

An analysis of the leaked data has revealed the existence of at least two zero-day vulnerabilities — one in Adobe Flash Player and one in the Windows kernel. Hacking Team has likely leveraged these security holes to install its spying software on the devices of targeted entities.

The Flash Player zero-day (CVE-2015-5119), caused by a use-after-free (UAF) issue in the ByteArray class, affects Adobe Flash Player 18.0.0.194 and earlier. Adobe expects to patch the security bug on Wednesday, but cybercriminals have already added it to exploit kits.

The French security researcher known as Kafeine, Trend Micro and Malwarebytes reported seeing the bug being leveraged by exploit kits such as Angler, Neutrino and Nuclear Pack. Trend Micro reported that one of the payloads distributed by the exploit kits, particularly by Angler, is the Cryptowall 3.0 ransomware.

Security firms have already updated their products to ensure that their customers are protected against potential attacks until Adobe delivers a patch. Many experts also advise users to remove Flash Player altogether from their systems.
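Since the article states that Flash Player 18.0.0.194 and earlier are affected and that removing Flash is a common recommendation, a defender's first job is to find which hosts still run an affected build. The following inventory triage is an added example, not code from the article or from any of the vendors mentioned; the hostnames and version strings are constructed, and the "later build" value is a hypothetical placeholder, not the real fixed version (which the article does not give).

```python
import re
from typing import Dict, List, Optional, Tuple

# Per the article: Flash Player 18.0.0.194 and earlier are affected by CVE-2015-5119.
LAST_VULNERABLE = (18, 0, 0, 194)

# Flash reports its build as '18.0.0.194' (file version) or 'WIN 18,0,0,194'
# (ActionScript-style), so accept either separator.
_VERSION_RE = re.compile(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)")


def parse_flash_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract a 4-part Flash build number; None if no such number is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.groups())  # type: ignore[return-value]


def classify(version_text: str) -> str:
    """'vulnerable' for 18.0.0.194 or earlier, 'not_affected' for later builds,
    'unknown' when the string cannot be parsed (so it is not silently skipped).
    Tuples compare numerically, avoiding the '9' > '18' mistake of string compares."""
    v = parse_flash_version(version_text)
    if v is None:
        return "unknown"
    return "vulnerable" if v <= LAST_VULNERABLE else "not_affected"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by classification for patch/removal follow-up."""
    groups: Dict[str, List[str]] = {"vulnerable": [], "not_affected": [], "unknown": []}
    for host, version_text in inventory:
        groups[classify(version_text)].append(host)
    return groups


# Constructed sample inventory (hostnames and versions invented for this example).
SAMPLE_INVENTORY = [
    ("ws-01", "WIN 18,0,0,194"),  # last affected build, comma form
    ("ws-02", "18.0.0.203"),      # hypothetical later build (placeholder, not the real fix)
    ("ws-03", "17.0.0.188"),      # older branch, affected
    ("ws-04", "9.0.0.1"),         # numerically older; a string compare would get this wrong
    ("ws-05", "not installed"),   # unparseable, needs a manual check
]

if __name__ == "__main__":
    for group, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{group}: {', '.join(hosts) or '-'}")
```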

The existence of the Flash Player zero-day was reported by several security firms and researchers, but Adobe has credited Google Project Zero and Morgan Marquis-Boire for notifying the company.

Microsoft is also working on addressing the vulnerability spotted by researchers in the Hacking Team leak. However, the company believes the overall risk to its customers is limited because the vulnerability cannot be exploited on its own to gain control of a machine.

“The [Windows] vulnerability exists in the open font type manager module (ATMFD.dll), which is provided by Adobe. The DLL is run in the kernel mode. An attacker can exploit the vulnerability to perform privilege escalation which can bypass the sandbox mitigation mechanism,” Trend Micro explained.

The attack on Hacking Team is reportedly the work of the same individual who last year targeted Gamma International, another controversial surveillance software company that has been accused of selling its products to totalitarian regimes.

Hacking Team continues to deny doing anything illegal, despite leaked documents which seem to suggest that the company is well aware that its solutions have been leveraged by repressive governments such as the ones in Sudan, Bahrain, Ethiopia, Kazakhstan, Morocco, Nigeria, Saudi Arabia, the UAE and Uzbekistan.

Marietje Schaake, a Dutch member of the European Parliament, wants Hacking Team to be investigated by the European Commission to determine whether the company has violated EU sanctions regimes. Schaake has also asked Italian authorities to conduct an investigation because, while sanctions are decided at the EU level, they are enforced at the national level.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.