Analysts find exploits in Hacking Team leaks, investigate zero-day attacks
Following the Hacking Team breach, Trend Micro discovered three exploits: two that target Flash Player and another that targets the Windows kernel.
Researchers have found that a trove of leaked data belonging to Italian firm Hacking Team includes exploits, some of which target zero-day vulnerabilities.
Hacking Team, a company repeatedly pegged by the security community as a seller of unethical surveillance software, ironically fell victim to an intrusion by unknown hackers who on Sunday evening posted confidential data belonging to the company, including internal emails, client information and source code.
On Tuesday, security firm Trend Micro shared that at least three exploits – two targeting Adobe Flash Player and one targeting the Windows kernel – were found in the information dump.
While one of the Flash Player flaws (CVE-2015-0349) was patched in April, another (which doesn't yet have a CVE number) was touted by Hacking Team in the leaks as “the most beautiful Flash bug for the last four years.” Trend Micro threat analyst Peter Pi wrote in a Tuesday blog post that “the leaked package contains both a Flash zero-day proof-of-concept (POC) which can open the Windows calculator and a release version with real attack shellcode.”
Pi explained, “In the POC, there is a readme document which describes the details of this zero-day as we can see below [image]. It states that this exploit can affect Adobe Flash Player 9 and later, and that desktop/metro IE, Chrome, Firefox and Safari are all affected. External reports have stated that the latest version Adobe Flash (version 18.104.22.168) is also affected.”
On Tuesday, Carnegie Mellon University's Computer Emergency Response Team (CERT) posted an alert about the Flash zero-day, describing the bug as a use-after-free vulnerability in the ActionScript 3 ByteArray class, which can allow “attacker-controlled memory corruption.” In the alert, CERT credited the bug's discovery to Hacking Team.
Christopher Budd, global threat communications manager at Trend Micro, explained in a Tuesday interview with SCMagazine.com that, in all, two zero-days were extracted from the leak: the one affecting Flash and another found in the Windows kernel. He noted that, as of Tuesday afternoon ET, the Flash zero-day appeared to have already been exploited by attackers.
“The Adobe vulnerability that doesn't have a CVE – we believe we've found it being used in an attack,” Budd said. “That's literally under active investigation right now.”
A separate Trend Micro blog post further explained the Windows kernel zero-day. According to the firm, the vulnerability lies in the OpenType font manager module (ATMFD.dll), a DLL that runs in kernel mode, which can allow an attacker to "perform privilege escalation which can bypass the sandbox mitigation mechanism."