Flash Player Zero-Day Leaked in Hacking Team Breach Exploited in the Wild

The Adobe Flash Player zero-day exploit discovered by researchers in the Hacking Team leak has been added to several exploit kits.

Hacking Team, a controversial Italy-based surveillance software maker that offers its solutions to law enforcement and intelligence agencies, has been breached. The attackers leaked 400GB of data, including emails, source code, passwords, contracts, client lists and other documents.

An analysis of the leaked data has revealed the existence of at least two zero-day vulnerabilities — one in Adobe Flash Player and one in the Windows kernel. These security holes have likely been leveraged by Hacking Team to install its spying software on the devices of targeted entities.

The Flash Player zero-day (CVE-2015-5119), caused by a use-after-free (UAF) issue in the ByteArray class, affects Adobe Flash Player and earlier. Adobe expects to patch the security bug on Wednesday, but cybercriminals have already added it to exploit kits.

The French security researcher known as Kafeine, Trend Micro and Malwarebytes reported seeing the bug leveraged by exploit kits such as Angler, Neutrino and Nuclear Pack. Trend Micro reported that one of the payloads distributed by the exploit kits, Angler in particular, is the CryptoWall 3.0 ransomware.

Security firms have already updated their products to ensure that their customers are protected against potential attacks until Adobe delivers a patch. Many experts also advise users to remove Flash Player altogether from their systems.

The existence of the Flash Player zero-day was reported by several security firms and researchers, but Adobe has credited Google Project Zero and Morgan Marquis-Boire for notifying the company.

Microsoft is also working on addressing the Windows kernel vulnerability spotted by researchers in the Hacking Team leak. However, the company believes the overall risk to its customers is limited because the vulnerability cannot be exploited on its own to gain control of a machine.

“The [Windows] vulnerability exists in the open font type manager module (ATMFD.dll), which is provided by Adobe. The DLL is run in the kernel mode. An attacker can exploit the vulnerability to perform privilege escalation which can bypass the sandbox mitigation mechanism,” Trend Micro explained.

The attack on Hacking Team is reportedly the work of the same individual who last year targeted Gamma International, another controversial surveillance software company that has been accused of selling its products to totalitarian regimes.

Hacking Team continues to deny doing anything illegal, despite leaked documents which seem to suggest that the company is well aware that its solutions have been leveraged by repressive governments such as the ones in Sudan, Bahrain, Ethiopia, Kazakhstan, Morocco, Nigeria, Saudi Arabia, the UAE and Uzbekistan.

Marietje Schaake, a Dutch member of the European Parliament, wants Hacking Team to be investigated by the European Commission to determine whether the company has violated EU sanctions regimes. Schaake has also asked the Italian authorities to conduct an investigation because, while sanctions are decided at the EU level, they are enforced at the national level, she said.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
