Milan-based surveillance software company Hacking Team became the target of a breach carried out by unknown attackers. Over the weekend, troves of sensitive data—all 440 GB of secret source code and other internal data—have been exposed online. Simultaneously, hackers have also hijacked the firm’s official Twitter account (which was defaced and renamed to "Hacked Team") to expose screenshots of stolen files from the said breach.
Hacking Team is known for selling the Da Vinci surveillance software to law enforcement agencies and governments. The software allows law enforcement agencies to look into encrypted files and communications with the use of legal “offensive security services” such as malware and vulnerabilities to penetrate a network. The incident has turned the tables, with a huge chunk of their data shared via BitTorrent that includes email correspondences, official documentations, invoices, audio recordings, and source code, among others.
Aside from exposing sensitive internal data, the data dump also included tools that the company used to carry out attacks, such as samples of exploits for Adobe Flash Player vulnerabilities and one for the Windows Kernel. The exploit for Adobe Flash Player was described by the company itself as one of the “most beautiful Flash bugs for the last four years”. This leaked package includes a Flash zero-day proof-of-concept (POC) which has the capability to run the Windows calculator and a release version containing a real attack shell code. The readme document of the POC states that the exploit can affect Adobe Flash Player 9 and succeeding versions. Desktop/metro IE, Chrome, Firefox and Safari all affected as well.
According to feedback from the Trend Micro Smart Protection Network (as detailed in this Security Intelligence Blog post), several exploit kits have been updated to include an exploit for a zero-day vulnerability that was part of the Hacking Team's leaked files. Cryptowall 3.0, a ransomware variant, has been identified as one of the payloads being spread by one of the exploit kits.
Adobe has confirmed the vulnerability (identified as CVE-2015-5119) as one that affects all versions of Flash Player in use today. Adobe is expected to release a patch for this flaw on July 8th.