After having 400 GB of its internal communications and company secrets stolen and leaked online earlier this week, Hacking Team faced something like a PR nightmare.
The company stumbled at first to get a comment out and remained silent throughout most of Monday, when the story broke. However, yesterday, Spokesman Eric Rabe took to the company's blog to issue its stance and concerns over who might now have access to its arsenal of zero-days and exploitable vulnerabilities.
“Before the attack, Hacking Team could control who had access to the technology, which was sold exclusively to governments and government agencies,” the post said. “Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so.”
The company deems this an “extremely dangerous situation,” Rabe wrote.
The Italy-based Hacking Team sold its surveillance products to governments around the world, including to controversial authorities in Ethiopia and Sudan.
Although many online commenters pointed out perceived fallacies between the company's idea of good entities and bad ones, others noted that while the governments using the firm's technology might not fit everyone's definition of “upstanding,” the fallout from the breach does put malware and vulnerabilities into cybercriminals' hands.
“I am not sure why people are laughing at Hacking Team statement of bad actors now being able to use their spy malware,” tweeted contractor and iOS researcher Will Strafach. “They are not wrong.”
Among the tools added to criminals' arsenal is a Flash Player zero-day, which Adobe patched on Wednesday, and a Windows kernel vulnerability that remains unpatched. The use-after-free Flash bug could lead to a crash or remote code execution. The kernel flaw allows for privilege escalation on the target system in order to bypass security measures.
Zscaler wrote in a blog post that in addition to these vulnerabilities, it found various modules and other tools Hacking Team used to compromise victims.
Of particular note was a hardcoded IP address that Zscaler believes is a server Hacking Team uses to communicate with compromised machines.
Michael Sutton, CISO at Zscaler, told SCMagazine.com this IP address can serve as a primary indicator of compromise.
“There's no reason for your machine to have communication with that IP address unless you're communicating with some of [Hacking Team's] tools,” he said.
The breach also definitively proved that the Italian firm's tools could compromise most any device, with support for Android, iOS, Blackberry and Windows.
“For the most part, [Hacking Team had] tools taking advantage of already known techniques and exploits [in addition to the zero-days],” Sutton said. “Now, that said, this is a huge archive, and it's quite likely that more will emerge from it”