The Hacking Team Leak, Zero-Days, Patches, and More Zero-Days [updated]
A lot has happened since the surveillance software company Hacking Team got hacked last week. The breach exposed hundreds of gigabytes of their internal data online—including proof-of-concept exploits for Adobe Flash Player vulnerabilities, and one for the Windows Kernel—basically opening a Pandora's box of exploits and vulnerabilities to the Internet.
Evidently, a lot of individuals opened that box, saw what was inside, and ran with it. After the leak, a number of exploit kits 1
have been updated to include the exploit for the first Flash vulnerability (CVE-2015-5119), which, according to Adobe, affected all versions of Flash Player. The first identified zero-day vulnerability has already been acknowledged and patched by Adobe on July 8th.
It didn't stop there though. A few days later, another zero-day vulnerability (CVE-2015-5122) was found from the Hacking Team leak that, if exploited, could allow an attacker to take control of the vulnerable system. This second known vulnerability was identified as a proof-of-concept that currently remains unpatched. A third zero-day vulnerability (CVE-2015-5123)—another POC from the Hacking Team leak—surfaced shortly after.
The two new vulnerabilities make for three Adobe Flash Player vulnerabilities in a week. Both CVE-2015-5122 and CVE-2015-5123 remain unpatched, and it's recommended that users temporarily disable Flash to avoid possible attacks. Trend Micro Deep Security features vulnerability protection that protects users from threats related to this vulnerability.The breach exposed hundreds of gigabytes of their internal data online, basically opening a Pandora's box of exploits and vulnerabilities to the Internet.
Adobe has released a security advisory that tags them as critical vulnerabilities that affect Flash Player 188.8.131.52 and earlier versions for Windows, Mac, and Linux. Adobe expects to release an update that fixes these two vulnerabilities "during the week of July 12, 2015." Stay tuned for updates.
Update - July 14: After finding three separate zero-days that affected Adobe Flash, another zero-day—still connected to the Hacking Team incident—has been discovered. Designated as CVE-2015-2425, this vulnerability is an Internet Explorer flaw that can allow an attacker to take over a user's system. There are no known attacks that exploit this vulnerability, but Microsoft has published a security bulletin for the critical flaw, and has already released a fix for this in their latest Patch Tuesday update.
Update – July 16: The Hacking Team's leaked files totaled 400GB, and it wasn't limited to vulnerabilities. An analysis of the files also revealed mobile threats that can affect iOS and Android platforms. First came a report about HT's surveillance software that could be slipped into a non-jailbroken phone. Then Trend Micro researchers found a fake news app that can circumvent filtering in Google Play. Called "BeNews", it's possible that the app was used as a lure for downloading RCSAndroid malware into a target's device. 2
Update – July 20: A Windows zero-day vulnerability has been discovered in the Hacking Team's leaked files. Discovered by Trend Micro researchers, the vulnerability could be used to cause a Windows local privilege escalation (LPE) that would allow attackers to infect a victim's system. Exploiting this flaw could allow an attacker to remotely control the affected system . The vulnerability (CVE-2015-2426) has already been reported to Microsoft, and a patch has already been released to fix it.
Update – July 21: More on the mobile front: the code for Hacking Team's open-source malware suite RCSAndroid (Remote Control System Android) has been found in the leaked files. The company was selling RCSAndroid as a tool for monitoring targets. The code can be considered as one of the most sophisticated, professionally developed Android malware ever exposed, and allows the RCSAndroid app to run a number of intrusive spy routines. 3
It's very powerful, and it's currently out in the wild and available for cybercriminals to tweak for their purposes.
For now, users are recommended to avoid installing apps from third-party sources, update to the latest OS version, and install a mobile security solution. 4
Mobile Security for Android can protect against these types of attacks.
For more technical details on the Hacking Team leak and the discovered zero-days, here are the latest updates from the TrendLabs Security Intelligence Blog:
- Unpatched Flash Player Flaw, More POCs Found in Hacking Team Leak
- A Look at the Open Type Font Manager Vulnerability from the Hacking Team Leak
- Hacking Team Flash Zero-Day Integrated Into Exploit Kits
- Hacking Team Flash Zero-Day Tied To Attacks In Korea and Japan… on July 1
- Another Zero-Day Vulnerability Arises from Hacking Team Data Leak
- New Zero-Day Vulnerability (CVE-2015-5123) in Adobe Flash Emerges from Hacking Team Leak
- Hacking Team Uses UEFI BIOS Rootkit to Keep RCS 9 Agent in Target Systems
- “Gifts” From Hacking Team Continue, IE Zero-Day Added to Mix
- July 2015 Patch Tuesday: Microsoft, Adobe, and Oracle Roll out Security Patches for Zero-Day Vulnerabilities
- Fake News App in Hacking Team Dump Designed to Bypass Google Play
- Hacking Team Leak Uncovers Another Windows Zero-Day, Fixed In Out-Of-Band Patch
- Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.