Monthly Archives: July 2015

Jul 24 2015
Leave a comment
Security Essentials

Hacking Team – Arsenal of Cyber Weapons

hackingteam5Following my last post regarding the Hacking Team breach there are two topics that deserve their own article.First, all the information about how the zero day and exploit acquisition market works with real facts. Second, the treasure trove of zero day exploits and tools that appeared as a consequence of the leak. Let me write two paragraphs about the first and then the second will follow.

Details how the deals were done and some of the companies operating on this market have been leaked. For example the CVE-2015-0349  exploit code has been bought by the Hacking Team for 45k USD to a Russian security researcher. A great summary on how this deal was made is here and worth reading. It references all the exchanged e-mails between the company and the researcher. Another good article from Wired here.

At the moment, the best compilation about how the exploit acquisition market works was made by Vlad Tsyrklevich who wrote a great write-up summarizing all information that has been leaked. It covers the deals, vendors, exploit costs and references the original emails. Among the different  security brokers that were doing business with Hacking Team, Netragard came to public and announced the shut down of its exploit acquisition program.  On another article Vlad wrote about an exploit catalog from December 2014 that contains references to many unknown vulnerabilities. With this information a spike in hunting these unknown vulnerabilities has started by the good and the bad guys.

Now, the main topic of this article. As of this writing the arsenal of cyber weapons that Hacking Team had at their disposal:

  • Microsoft OpenType Font Driver Vulnerability (CVE-2015-2426)

Buffer underflow in atmfd.dll in the Windows Adobe Type Manager Library in Microsoft Windows from Vista SP2 to Windows 8.1 allows remote attackers to execute arbitrary code via a crafted OpenType font, aka “OpenType Font Driver Vulnerability.”

Details have been posted by Trend Micro here:

“Another zero-day vulnerability has been found by Trend Micro researchers from the Hacking Team trove of data. We reported this vulnerability to Microsoft, and it has been designated as CVE-2015-2426. It has also been patched in an unusual out-of-band patch. It could be used to carry out a Windows local privilege escalation (LPE).  By exploiting this vulnerability, attackers could infect the victims’ systems with rootkits or bootkits under unexpected system privilege without any notification. The vulnerability can allow attackers remote control over the affected system.”

The exploit was originally developed by Eugene Ching from Qavar Security. It’s also available on GitHub here.

Microsoft worked to release a patch asap and the  Microsoft Security Bulletin MS15-078 contains a patch for it.

  • Microsoft Internet Explorer 11 jscript9.dll Use-After-Free Vulnerability (CVE-2015-2425)

This zero-day vulnerability is a just-in-time (JIT) function UAF (Use-After-Free) vulnerability in jscript9.dll, specifically in the MutationObserver object. Details have been posted by Vectra Networks here

“The hunt for the vulnerability began when we noticed an email from an external researcher who attempted to sell a proof-of-concept exploit to Hacking Team. The email was sent on 02/06/2015 and described an exploitable use-after-free bug in Internet Explorer 11. While Hacking Team ultimately declined to buy the PoC exploit, the email gave enough information for Vectra researchers to find and analyze the vulnerability. While Hacking Team declined to purchase the PoC exploit, there is a chance the researcher went elsewhere to sell it, meaning that it may have been exploited in the wild.”

and by TrendMicro here

“Our latest discovery is in Internet Explorer, and has been acknowledged by Microsoft and patched as part of the regular Patch Tuesday cycle as MS15-065. It has been designated as CVE-2015-2425. While we did find proof-of-concept (POC) code, there are still no known attacks exploiting this vulnerability.Only Internet Explorer 11 is affected, as the older versions of the browser do not support this feature.”

Microsoft worked to release a patch asap and the  Microsoft Security Bulletin MS15-065: Security Update for Internet Explorer (3076321) contains a patch for it.

  • Windows Adobe Type Manager Privilege Escalation Vulnerability (CVE-2015-2387)

This vulnerability allows privilege escalation. Details about it on CERT.org

“Adobe Type Manager, which is provided by atmfd.dll, is a kernel module that is provided by Windows and provides support for OpenType fonts. A memory-corruption flaw in Adobe Type Manager allows for manipulation of Windows kernel memory, which can result in a wide range of impacts. Note that exploit code for this vulnerability is publicly available, as part of the HackingTeam compromise. We have confirmed that the exploit code successfully obtains SYSTEM privileges on Windows XP through Windows 8.1 systems, both 32-bit and 64-bit.”

Details have been posted by Trend Micro here

” The vulnerability exists in the OpenType manager module (ATMFD.dll), which is provided by Adobe. The DLL is run in the kernel mode. An attacker can exploit the vulnerability to perform privilege escalation which can bypass the sandbox mitigation mechanism.”

Microsoft worked to release a patch asap and the  Microsoft Security Bulletin MS15-077 Vulnerability in ATM Font Driver Could Allow Elevation of Privilege (3077657) contains a patch for it.

  • Adobe Flash ActionScript 3 BitmapData Use-After-Free Vulnerability (CVE-2015-5123)

Critical vulnerability (CVE-2015-5123) has been identified in Adobe Flash Player 18.0.0.204 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Details have been posted by Trend Micro here.

“Another Adobe Flash Player zero-day (assigned with CVE number, CVE-2015-5123) has surfaced from the HT leak. This vulnerability is rated as critical and can allow an attacker to take control of the affected system once successfully exploited.  It affects all versions of Adobe Flash in Windows, Mac, and Linux”

Adobe worked to release a patch asap and the  Security Advisory for Adobe Flash Player (APSA15-04)  and Security updates available for Adobe Flash Player (APSB15-18) patches it. Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh update to Adobe Flash Player 18.0.0.209.

  • Adobe Flash ActionScript 3 opaqueBackground Use-After-Free Vulnerability (CVE-2015-5122)

Critical vulnerability (CVE-2015-5122) has been identified in Adobe Flash Player 18.0.0.204 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Details have been posted by FireEye here:

The HackingTeam leak already resulted in the public disclosure of two zero-day vulnerabilities this week. One of the vulnerabilities, CVE-2015-5119 in Adobe Flash, was quickly adopted by multiple groups and used in widespread attacks. FireEye Labs identified a PoC for another Adobe Flash zero-day vulnerability buried within the leaked data, and alerted Adobe PSIRT to the issue.

Details have been posted by Trend Micro here:

“Hot on the heels of the last zero-day vulnerability that was found from the Hacking Team data leak (i.e. CVE-2015-5119) comes yet another that may be as dangerous: CVE-2015-5122, a vulnerability in Adobe Flash Player. If exploited, it could result in a crash that would allow an attacker to take control of the vulnerable system. And yes, just like CVE-2015-5119, it affects all recent versions of Flash on Windows, Mac and Linux (i.e. 18.0.0.203).”|

More details by Zscaler here. Malware Don’t Need Coffee saw them being used in the wild across 5 different exploit kits – Rig, Neutrino, Magnitude Nuclear Pack, Null Hole.

Adobe worked to release a patch asap and the  Security Advisory for Adobe Flash Player (APSA15-04)  and Security updates available for Adobe Flash Player (APSB15-18) patches it. Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh update to Adobe Flash Player 18.0.0.209.

  • Adobe Flash ActionScript 3 ByteArray Use-After-Free Vulnerability (CVE-2015-5119)

Details have been posted by Zscaler here

“CVE-2015-5119 exploit payload that we have now seen in the wild. The sample has multiple layers of obfuscation and packer routines. The malicious Flash payload is packed, XOR’ed and stored as a binary data inside a parent Flash file that dynamically unpacks a malicious Flash file and writes it to memory at run time.”

Malware Don’t Need Coffee saw the exploit being used in the wild before being patched across 7 different exploit kits.

Adobe worked to release a patch asap and the Security Advisory for Adobe Flash Player (APSA15-03) and Adobe Security Bulletin (APSB15-16) patches it. Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh update to Adobe Flash Player.

  • Adobe Flash Player Integer Overflow (CVE-2015-3087)

An integer overflow vulnerability that could lead to code execution. Adobe patched this vulnerability under the Security Advisory for Adobe Flash Player (APSP15-09).

  • Adobe Flash Player Use-After-Free Vulnerability (CVE-2015-0349)

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors

Trend Micro posted details here. “One of the Flash Player vulnerabilities found in the HT dump is believed to be CVE-2015-0349 which was patched by Adobe in April 2015”

Adobe Security Bulletin (APSB15-06) contains a patch for it.  Patched Adobe Flash version is 17.0.0.169

  • Android Fake “BeNews” App

Trend Micro posted details here:

“We analyzed the recent Hacking Team dump and found a sample of a fake news app that appears to be designed to circumvent filtering in Google Play. This is following news that iOS devices are at risk of spyware related to the Hacking Team. The fake news app was downloaded up to 50 times before it was removed from Google Play on July 7.”

  • Android Spying Tool 

Feature rich surveillance software for Android. It leverages CVE-2014-3153, CVE-2013-6282, CVE-2012-2825 and CVE-2012-2871 to perform the desired functionality.

Trend Micro posted details here

Following news that iOS devices are at risk of spyware related to the Hacking Team, the saga continues into the Android sphere. We found that among the leaked files is the code for Hacking Team’s open-source malware suite RCSAndroid (Remote Control System Android), which was sold by the company as a tool for monitoring targets. (Researchers have been aware of this suite as early as 2014.)

Collin Milliner a security researcher has posted his frustration when finding that Hacking Team reused is open source code.

  • Rootkit for UEFI BIOS

Details posted by Trend Micro here:

“The dissection of the data from the Hacking Team leak has yielded another critical discovery: Hacking Team uses a UEFI BIOS rootkit to keep their Remote Control System (RCS) agent installed in their targets’ systems. This means that even if the user formats the hard disk, reinstalls the OS, and even buys a new hard disk, the agents are implanted after Microsoft Windows is up and running.”

And a great write-up by Intel Advanced Threat Research here

“The leaked source code goes beyond a research proof-of-concept, revealing a commercial rootkit platform called “]HackingTeam[ UEFI Vector” and using real attacks as a part of Hacking Team’s RCS malware platform. According to the leaked code and emails, this hacking platform may have already been already sold to some HackingTeam customers. Some of the emails point to specific modes on which the persistent rootkit was tested. Both “agent” and “soldier” are the names of trojan horse applications also found in the leaks. The rootkit reinstalls these applications automatically, from infected firmware”

 

Tagged , ,
Jul 23 2015
Leave a comment
Security Essentials

Hacking Team Breach Summary

[The news on Twitter, on the media, and across the infosec community in the last days have been fascinating to due to the revelations from the Hacking Team breach. Details about how the company operates,  information about espionage and surveillance, zero days exploit catalogs, all the secrets and drama make this story ready for someone to write a book about it. Because I was on vacations while all this happened, I decided to write a short summary about it in order to catch-up. LR]

Sunday night, 5th of July, news started making the rounds about 400Gb of data stolen from the notorious Italian surveillance software company Hacking Team. With a quite epic start, the person behind the attack – someone that goes by the name Phineas Fisher – hijacked the company twitter account, changed the handler from Hacking Team to Hacked Team and posted the following message: “Since we have nothing to hide, we are publishing all our emails, files, and source code” with a torrent link to download the data.

hackingteam1

Shortly after, on the same twitter handle, print screens about the leaked data started to disseminate internal company emails, their clients and operating procedures. This continued for at least half day. Some hours later their list of clients have been posted on Pastebin revealing some questioning relationships with  countries known for human rights violations.  The company has been subject to criticism several times over the past years regarding the unethical sale of surveillance tools. CitizenLabs and Reporters Without Borders were organizations that went vocal in the past regarding their questionable practices. That known, the news were expected to have a lot of attention by the media, journalists, activists and others.

Meanwhile, as this was not enough, one of the companies employees Christian Pozzi came publicly to support the company. Unfortunately for him, his personal passwords were on the massive amount of data leaked. Worse was that the quality of the passwords were weak and moments after his initial twitter post, his twitter account got hijacked as well and his passwords posted online and twitted.

hackingteam3

Following, when people all over the world started to get their hands on the torrent file all kinds of confidential information started to arise. Sales revenue, contracts, budgets plans, agreements, emails, operating manuals, configuration files, source code, zero day exploit catalogs, and all kind of business and technical information started to be on the internet. Wikileaks indexed and made searchable all their emails.

The days after the breach have been quite revealing due to their software and capabilities – their main business is security services and tools to governments and law enforcement organizations – specially for the information security community due to the number on unknown zero day vulnerabilities exposed and their surveillance software. But, on the other hand, the criminals soon started to use the source code and exploits on spear phishing campaigns and the Neutrino and Angler exploit Kits started to leverage the Flash 0 days while Adobe and Microsoft were working on releasing patches. This topic deserves a post on its own and I will write a summary about it soon.

As expected, the company started to investigate who has been behind the breach. According to Reuters Italian prosecutors are investigating six former employees. Ars Technica also reports this here.

In the last days, Eric Rabe and David Vincenzetti, Hacking Team Chief Communications Officer and CEO respectively, have been quite brave and their twitter handler continues to post updates. On the company website there were several news released about this topic. Among other things they seem to have requested all their clients to suspend their operations and asked the Anti Virus companies to start detecting their software. hackingteam2

Phineas Fisher who claims to be the actor behind the breach used his dormant twitter account writing that he will released the details on how the company got hacked. Stay tuned!

Tagged