Researchers have found that a trove of leaked data belonging to Italian firm Hacking Team includes exploits, some of which target zero-day vulnerabilities.
Hacking Team, a company repeatedly pegged by the security community as a seller of unethical surveillance software, ironically fell victim to an intrusion by unknown hackers who on Sunday evening posted confidential data belonging to the company, including internal emails, client information and source code.
On Tuesday, security firm Trend Micro shared that at least three exploits – two targeting Adobe Flash Player and one targeting the Windows kernel – were found in the information dump.
While one of the Flash Player flaws (CVE-2015-0349) was patched in April, another (which doesn't yet have a CVE number) was touted by Hacking Team in the leaks as “the most beautiful Flash bug for the last four years.” Trend Micro threat analyst Peter Pi wrote in a Tuesday blog post that “the leaked package contains both a Flash zero-day proof-of-concept (POC) which can open the Windows calculator and a release version with real attack shellcode.”
Pi explained, “In the POC, there is a readme document which describes the details of this zero-day as we can see below [image]. It states that this exploit can affect Adobe Flash Player 9 and later, and that desktop/metro IE, Chrome, Firefox and Safari are all affected. External reports have stated that the latest version Adobe Flash (version 18.104.22.168) is also affected.”
On Tuesday, Carnegie Mellon University's Computer Emergency Response Team (CERT) posted an alert about the Flash zero-day, describing the bug as a use-after-free vulnerability in the ActionScript 3 ByteArray class, which can allow “attacker-controlled memory corruption.” In the alert, CERT credited the bug's discovery to Hacking Team.
Christopher Budd, global threat communications manager at Trend Micro, explained in a Tuesday interview with SCMagazine.com that, in all, two zero-days were extracted from the leak: the one affecting Flash and another found in the Windows kernel. He noted, however, that as of Tuesday afternoon ET, the Flash zero-day appeared to have already been exploited by attackers.
“The Adobe vulnerability that doesn't have a CVE – we believe we've found it being used in an attack,” Budd said. “That's literally under active investigation right now.”
A separate Trend Micro blog post further explained the Windows kernel zero-day. According to the firm, the vulnerability lies in the OpenType font manager module (ATMFD.dll), a DLL that runs in kernel mode, which can allow an attacker to “perform privilege escalation which can bypass the sandbox mitigation mechanism.”
In an interview with SCMagazine.com, Cynthia Wong, senior internet researcher at Human Rights Watch, said that regulation is needed to curb private monetization of zero-day exploits and spyware as seen at Hacking Team.
“I think the main thing is that this industry is severely under-regulated and these companies are really operating under the shadows,” Wong said, adding that these are “products used to directly violate civil rights.”
Wong directly referenced earlier grievances security advocates have expressed over Hacking Team's business practices. In March, Citizen Lab revealed that the company's technology, RCS spyware, was used by the Ethiopian government to unsuccessfully target Washington, D.C.-based journalists working for the Ethiopian Satellite Television Service (ESAT).
In a Monday email correspondence with SCMagazine.com, Edin Omanovic, a research officer at Privacy International in London, noted that “at the moment, both the EU and U.S. are looking into how they can make export restrictions around such products more effective.”
Until then, however, Trend Micro's Budd offered that white hat hackers must continue to engage in responsible disclosure whenever they come across security issues, which might otherwise fall into the wrong hands.
“The fact that we are finding these vulnerabilities in a separate quarter underscores the danger to everyone broadly when people find a vulnerability and don't report it to the vendor,” Budd said. “The point of responsible disclosure is to ensure that everyone is as safe as they can be. People hoarding zero-days, like we are seeing with the Hacking Team, rather than disclosing them with the vendors, lessens overall security.”