Hacking Team’s Flash Player Zero-Day Spotted in Attacks Prior to Breach

The Adobe Flash Player zero-day leaked earlier this week was used in limited attacks before the data breach suffered by spyware maker Hacking Team came to light.

According to Trend Micro, the company’s Smart Protection Network shows that the Flash Player exploit was leveraged in attacks against users in Korea and Japan. The exploit, whose code is similar to the one leaked by hackers, appears to have been used by someone with access to Hacking Team’s products.

Trend Micro’s systems first picked up an attack against a Korean user in late June. The user in question had received spear phishing emails carrying specially crafted documents. The documents contained a URL pointing to a US-based website set up to exploit the Flash Player zero-day vulnerability in order to push a malware downloader detected as TROJ_NETISON.AB. This threat downloads Trojans detected as TROJ_FLASHUP.A and TROJ_FLASHUP.B to infected systems.

The domain hosting the exploit had been visited by multiple users since at least June 22. Most of the victims are located in Korea and one is in Japan. The security firm says it cannot confirm that all of these users were the subject of exploit attempts, but its researchers consider that the likely scenario.

“We believe this attack was generated by Hacking Team’s attack package and code,” Trend Micro threat analyst Weimin Wu wrote in a blog post. “From a purely engineering perspective, this code was very well written. Some attackers may be able to learn how to deploy and manage targeted attacks to different victims from the leaked code.”

Hackers leaked a total of 400GB of data allegedly taken from the systems of Hacking Team, an Italy-based company that has often been accused of selling its surveillance software to totalitarian regimes.

The leaked data includes emails, documents, source code, software, and exploits, including a Flash Player vulnerability (CVE-2015-5119) which Adobe patched on Wednesday with the release of version 18.0.0.203, and a Windows kernel flaw that Microsoft is working to patch.
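Because the only version number the article gives is the one Adobe shipped to close CVE-2015-5119 (18.0.0.203), the most useful defensive check a practitioner can derive from it is an inventory sweep for Flash Player builds still below that release. The following is an added example, not code from the article, Trend Micro, Adobe or Hacking Team; the host inventory, the hostnames and the version strings in it are constructed sample data, and the version parser assumes Flash reports dotted or comma-separated four-part versions.

```python
# Added example (not from the SecurityWeek article): flag Flash Player installs
# that are older than the version Adobe shipped for CVE-2015-5119 (18.0.0.203,
# per the article). The host inventory below is constructed sample data.
from typing import List, Tuple

PATCHED_VERSION = "18.0.0.203"  # fix version for CVE-2015-5119, from the article


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a Flash version string ('18.0.0.203' or '18,0,0,203') into a
    comparable tuple. Flash reports versions with commas on some platforms,
    so both separators are accepted. Missing trailing components count as
    zero, so a bare '18' compares as 18.0.0.0."""
    parts = v.strip().replace(",", ".").split(".")
    nums = tuple(int(p) for p in parts if p != "")
    return nums + (0,) * (4 - len(nums))


def is_vulnerable(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True when installed < patched, i.e. the host still carries the zero-day."""
    return parse_version(installed) < parse_version(patched)


# Constructed inventory: (hostname, Flash Player version reported by the host)
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("ws-01", "18.0.0.194"),   # constructed: pre-patch 18.x build
    ("ws-02", "18.0.0.203"),   # constructed: exactly the patched build
    ("ws-03", "17.0.0.190"),   # constructed: older major, also unpatched
    ("ws-04", "18,0,0,209"),   # constructed: later build, comma separators
]


def find_vulnerable_hosts(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return hostnames whose Flash Player is below the patched version."""
    return [host for host, ver in inventory if is_vulnerable(ver)]


if __name__ == "__main__":
    for host in find_vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Flash Player below {PATCHED_VERSION}, update required")
```

The comparison is done on integer tuples rather than on the raw strings so that a build such as 18.0.0.209 is correctly treated as newer than 18.0.0.203 (string comparison would get that wrong once a component gains a digit), and the separator normalisation matters because the version Flash exposes to scripts uses commas while the installer and Adobe's advisory use dots.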

Zscaler researchers have analyzed the exploits and remote control tools found in the leak and they have identified a Mac OS X rooting exploit, a multistage Java exploit module, driver files that could contain rootkit functionality, and various components of Hacking Team’s flagship Remote Control System (RCS) product. Experts have also identified modules designed to facilitate attacks against iOS, Android, BlackBerry and Windows systems.

The data leak appears to show that, despite denials, Hacking Team has offered its solutions to repressive governments. Civil rights advocates say the spyware maker has a lot of explaining to do, and at least one member of the European Parliament wants the company to be investigated.

However, Hacking Team appears to be more concerned with the fact that the leaked data will be abused by malicious actors.

“HackingTeam’s investigation has determined that sufficient code was released to permit anyone to deploy the software against any target of their choice,” Eric Rabe, the company’s chief marketing and communications officer, said in a statement on Wednesday.

“Before the attack, HackingTeam could control who had access to the technology which was sold exclusively to governments and government agencies. Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so,” Rabe noted. “We believe this is an extremely dangerous situation.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.