Researchers find previously unknown exploits among Hacking Team's leaked files

At least one new exploit for Flash Player has been confirmed


Researchers sifting through 400GB of data recently leaked from Hacking Team, an Italian company that sells computer surveillance software to government agencies from around the world, have already found an exploit for an unpatched vulnerability in Flash Player.

There are also reports of exploits for a vulnerability in Windows and one in SELinux, a Linux kernel security module that enforces access control policies. The flaws were supposedly used by the company's customers to silently deploy its software on computers belonging to surveillance targets.

Hacking Team was incorporated as HT in Milan and develops a computer surveillance program called Remote Control System (RCS), or Galileo. The system is sold to law enforcement and other government agencies from around the world, along with access to computer intrusion tools that are needed to deploy it.

News broke that Hacking Team's network had been compromised on Sunday, when the hacker released 400GB worth of data stolen from the company's servers, including email communications, source code, client lists, invoices, various server backups and more.

The company has been accused by privacy and human rights groups in the past of selling its software to governments with a poor track record for respecting human rights, which then used it to spy on journalists and political activists. The newly leaked data suggests that the company's customers include government agencies from countries like Azerbaijan, Bahrain, Egypt, Ethiopia, Kazakhstan, Morocco, Nigeria, Oman, Saudi Arabia and Sudan.

Most antivirus products detect Hacking Team's RCS as malware, but the company actively modifies the program to evade such detection.

The security community had a field day on Monday sifting through the 400GB data dump. They found things like weak passwords stored in text files; key generators and serial numbers for pirated commercial software; the source code for versions of RCS for Windows, Linux, Android, iOS, OS X and other platforms; and internal documents explaining the company's services and prices.

More importantly, some security researchers claim to have found exploits for previously unknown and unpatched vulnerabilities, known as zero-day exploits. They suspected that such exploits existed among the files because they are ideal for infecting users' computers with RCS and because the company's documentation suggested so.

For example, one document contains details about a service that Hacking Team calls the RCS Exploit Portal.

"HackingTeam combined its expertise in offensive security and software design to build a service that make simple to prepare and use exploits as installation vectors for RCS agents," the document reads.

According to the document, the service contains social engineering exploits, public exploits, private exploits and zero-day exploits, and the company notes that the Exploit Portal always contains at least three zero-day level exploits.

One of the confirmed zero-day exploits found in the data dump affects Flash Player and can be used to infect computers when their users visit websites in Internet Explorer.

Carsten Eiram, the chief research officer at vulnerability intelligence firm Risk Based Security, tested the exploit and confirmed that it works reliably against the latest version of Flash Player running under Internet Explorer 11 on Windows 7 32-bit.

"We have not been able to get it to run on a fully patched Win 8.1 Pro with Flash installed, but it may just require some tweaking to get around additional protection mechanisms," Eiram said via email.

Adobe is aware of the reported exploit and expects to release an update for Flash Player Wednesday, an Adobe representative said via email.

There were also reports on Twitter from other security researchers about a zero-day exploit in win32k.sys, a Windows component, being found in the Hacking Team data.

Researchers from antivirus firm Trend Micro said in a blog post that the leaked Hacking Team files contain two exploits for Flash Player, one of which is already known and has been patched, and one for the Windows kernel.

Eiram's team is also looking at a potentially new Windows privilege escalation exploit that might be the same one mentioned in the other reports, but he couldn't comment beyond that because the issue hasn't been fully investigated or confirmed.

Microsoft did not immediately respond to a request for comment.

Other users reported on Twitter and Reddit that Hacking Team's data also contains an exploit for bypassing SELinux enforcement, but that has yet to be confirmed as well.

The Hacking Team data leak and revelations come amid proposed changes to an international arms control pact called the Wassenaar Arrangement that would restrict the export of exploits and other computer intrusion software.

Stories by Lucian Constantin