Hacking Team’s Flash Player Zero-Day Spotted in Attacks Prior to Breach

The Adobe Flash Player zero-day leaked earlier this week was used in limited attacks before the data breach suffered by spyware maker Hacking Team came to light.

According to Trend Micro, the company’s Smart Protection Network shows that the Flash Player exploit was leveraged in attacks against users in Korea and Japan. The exploit, whose code is similar to the one leaked by hackers, appears to have been used by someone with access to Hacking Team’s products.

Trend Micro’s systems first picked up an attack against a Korean user in late June. The user in question had received spear phishing emails carrying specially crafted documents. The documents contained a URL pointing to a US-based website set up to exploit the Flash Player zero-day vulnerability in order to push a malware downloader detected as TROJ_NETISON.AB. This threat downloads Trojans detected as TROJ_FLASHUP.A and TROJ_FLASHUP.B to infected systems.

The domain hosting the exploit had been visited by multiple users since as early as June 22. Many of the victims are located in Korea, and one is from Japan. The security firm says it cannot confirm that all of these users were subjected to exploit attempts, but researchers believe this is the likely scenario.

“We believe this attack was generated by Hacking Team’s attack package and code,” Trend Micro threat analyst Weimin Wu wrote in a blog post. “From a purely engineering perspective, this code was very well written. Some attackers may be able to learn how to deploy and manage targeted attacks to different victims from the leaked code.”

Hackers leaked a total of 400GB of data allegedly taken from the systems of Hacking Team, an Italy-based company that has often been accused of selling its surveillance software to totalitarian regimes.

The leaked data includes emails, documents, source code, software, and exploits, including a Flash Player vulnerability (CVE-2015-5119) which Adobe patched on Wednesday with the release of version 18.0.0.203, and a Windows kernel flaw that Microsoft is working to patch.

Zscaler researchers have analyzed the exploits and remote control tools found in the leak and they have identified a Mac OS X rooting exploit, a multistage Java exploit module, driver files that could contain rootkit functionality, and various components of Hacking Team’s flagship Remote Control System (RCS) product. Experts have also identified modules designed to facilitate attacks against iOS, Android, BlackBerry and Windows systems.

The data leak appears to show that, despite denials, Hacking Team has offered its solutions to repressive governments. Civil rights advocates say the spyware maker has a lot of explaining to do, and at least one member of the European Parliament wants the company to be investigated.

However, Hacking Team appears to be more concerned with the fact that the leaked data will be abused by malicious actors.

“HackingTeam's investigation has determined that sufficient code was released to permit anyone to deploy the software against any target of their choice,” Eric Rabe, the company’s chief marketing and communications officer, said in a statement on Wednesday.

“Before the attack, HackingTeam could control who had access to the technology which was sold exclusively to governments and government agencies. Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so,” Rabe noted. “We believe this is an extremely dangerous situation.”

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.