After Hacking Team, the controversial peddler of zero-day exploits, found itself hacked and the Italy-based company's data was leaked onto the BitTorrent protocol, researchers at Kaspersky Lab decided to follow a hunch. The team had just read a report of the discussion between exploit seller Vitaliy Toropov and Hacking Team CEO David Vincenzetti.
In his initial email to Hacking Team, Toropov offered to sell multiple “zero-day vulnerabilities with RCE exploits for the latest versions of Flash Player, Silverlight, Java, Safari”. Never one to pass on hacker talent, Vincenzetti responded that, yes, he wanted to learn more. Ultimately, the company decided to only purchase the Flash exploit, so Kaspersky figured the vulnerability was likely being actively exploited.
“We strongly believe that discovery of these exploits and reporting them to the affected software manufacturers free of charge makes the world a bit safer for everyone,” the company wrote in a blog post about the discovery.
The team's curiosity was piqued by Toropov's detailed pitch of his Silverlight exploit. The article, by Ars Technica, gave the researchers the idea that they might be able to discover the underlying code behind the exploit, using Toropov's proof of concept and their internal tools.
They found his profile in the security issues database OSVDB, and started to investigate his other exploits, which ultimately led to the discovery of a Silverlight vulnerability that Microsoft patched on Tuesday.
Other companies, including Rook Security and Facebook developed tools specifically designed to detect known malware that was leaked after Hacking Team's breach in July, but Kaspersky believes it is the first time the leaked information was used to identify a previously undiscovered exploit.
Kaspersky noted the vulnerability is likely the same zero-day that Toropov tried to sell. “Several things make us think it's one of his exploits, such as the custom error strings,” wrote the firm's head of global research and analysis team Costin Raiu and senior malware analyst Anton Ivanov. “Of course, there is no way to be sure and there might be several Silverlight exploits out there.”