Hacking Team – Arsenal of Cyber Weapons

Following my last post regarding the Hacking Team breach, there are two topics that deserve their own article. First, all the information about how the zero-day and exploit acquisition market works, backed by real facts. Second, the treasure trove of zero-day exploits and tools that appeared as a consequence of the leak. Let me write two paragraphs about the first, and then the second will follow.

Details of how the deals were done, and of some of the companies operating in this market, have been leaked. For example, the CVE-2015-0349 exploit code was bought by Hacking Team for 45k USD from a Russian security researcher. A great summary of how this deal was made is here and is worth reading. It references all the e-mails exchanged between the company and the researcher. Another good article from Wired is here.

At the moment, the best compilation of how the exploit acquisition market works was made by Vlad Tsyrklevich, who wrote a great write-up summarizing all the information that has been leaked. It covers the deals, vendors and exploit costs, and references the original e-mails. Among the different security brokers that were doing business with Hacking Team, Netragard went public and announced the shutdown of its exploit acquisition program. In another article Vlad wrote about an exploit catalog from December 2014 that contains references to many unknown vulnerabilities. With this information, a spike in hunting for these unknown vulnerabilities has started, by the good and the bad guys alike.

Now, the main topic of this article. As of this writing, this is the arsenal of cyber weapons that Hacking Team had at their disposal:

  • Microsoft OpenType Font Driver Vulnerability (CVE-2015-2426)

Buffer underflow in atmfd.dll in the Windows Adobe Type Manager Library in Microsoft Windows from Vista SP2 to Windows 8.1 allows remote attackers to execute arbitrary code via a crafted OpenType font, aka “OpenType Font Driver Vulnerability.”

Details have been posted by Trend Micro here:

“Another zero-day vulnerability has been found by Trend Micro researchers from the Hacking Team trove of data. We reported this vulnerability to Microsoft, and it has been designated as CVE-2015-2426. It has also been patched in an unusual out-of-band patch. It could be used to carry out a Windows local privilege escalation (LPE). By exploiting this vulnerability, attackers could infect the victims’ systems with rootkits or bootkits under unexpected system privilege without any notification. The vulnerability can allow attackers remote control over the affected system.”

The exploit was originally developed by Eugene Ching from Qavar Security. It’s also available on GitHub here.

Microsoft worked to release a patch ASAP, and Microsoft Security Bulletin MS15-078 contains the patch for it.

  • Microsoft Internet Explorer 11 jscript9.dll Use-After-Free Vulnerability (CVE-2015-2425)

This zero-day vulnerability is a just-in-time (JIT) function UAF (Use-After-Free) vulnerability in jscript9.dll, specifically in the MutationObserver object. Details have been posted by Vectra Networks here:

“The hunt for the vulnerability began when we noticed an email from an external researcher who attempted to sell a proof-of-concept exploit to Hacking Team. The email was sent on 02/06/2015 and described an exploitable use-after-free bug in Internet Explorer 11. While Hacking Team ultimately declined to buy the PoC exploit, the email gave enough information for Vectra researchers to find and analyze the vulnerability. While Hacking Team declined to purchase the PoC exploit, there is a chance the researcher went elsewhere to sell it, meaning that it may have been exploited in the wild.”

and by Trend Micro here:

“Our latest discovery is in Internet Explorer, and has been acknowledged by Microsoft and patched as part of the regular Patch Tuesday cycle as MS15-065. It has been designated as CVE-2015-2425. While we did find proof-of-concept (POC) code, there are still no known attacks exploiting this vulnerability. Only Internet Explorer 11 is affected, as the older versions of the browser do not support this feature.”

Microsoft worked to release a patch ASAP, and Microsoft Security Bulletin MS15-065: Security Update for Internet Explorer (3076321) contains the patch for it.

  • Windows Adobe Type Manager Privilege Escalation Vulnerability (CVE-2015-2387)

This vulnerability allows privilege escalation. Details about it are on CERT.org:

“Adobe Type Manager, which is provided by atmfd.dll, is a kernel module that is provided by Windows and provides support for OpenType fonts. A memory-corruption flaw in Adobe Type Manager allows for manipulation of Windows kernel memory, which can result in a wide range of impacts. Note that exploit code for this vulnerability is publicly available, as part of the HackingTeam compromise. We have confirmed that the exploit code successfully obtains SYSTEM privileges on Windows XP through Windows 8.1 systems, both 32-bit and 64-bit.”

Details have also been posted by Trend Micro here:

“The vulnerability exists in the OpenType manager module (ATMFD.dll), which is provided by Adobe. The DLL is run in the kernel mode. An attacker can exploit the vulnerability to perform privilege escalation which can bypass the sandbox mitigation mechanism.”

Microsoft worked to release a patch ASAP, and Microsoft Security Bulletin MS15-077, Vulnerability in ATM Font Driver Could Allow Elevation of Privilege (3077657), contains the patch for it.

  • Adobe Flash ActionScript 3 BitmapData Use-After-Free Vulnerability (CVE-2015-5123)

A critical vulnerability (CVE-2015-5123) has been identified in Adobe Flash Player 18.0.0.204 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Details have been posted by Trend Micro here.

“Another Adobe Flash Player zero-day (assigned with CVE number, CVE-2015-5123) has surfaced from the HT leak. This vulnerability is rated as critical and can allow an attacker to take control of the affected system once successfully exploited. It affects all versions of Adobe Flash in Windows, Mac, and Linux.”

Adobe worked to release a patch ASAP, and the Security Advisory for Adobe Flash Player (APSA15-04) and Security updates available for Adobe Flash Player (APSB15-18) patch it. Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh update to Adobe Flash Player 18.0.0.209.

  • Adobe Flash ActionScript 3 opaqueBackground Use-After-Free Vulnerability (CVE-2015-5122)

A critical vulnerability (CVE-2015-5122) has been identified in Adobe Flash Player 18.0.0.204 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Details have been posted by FireEye here:

“The HackingTeam leak already resulted in the public disclosure of two zero-day vulnerabilities this week. One of the vulnerabilities, CVE-2015-5119 in Adobe Flash, was quickly adopted by multiple groups and used in widespread attacks. FireEye Labs identified a PoC for another Adobe Flash zero-day vulnerability buried within the leaked data, and alerted Adobe PSIRT to the issue.”

Details have been posted by Trend Micro here:

“Hot on the heels of the last zero-day vulnerability that was found from the Hacking Team data leak (i.e. CVE-2015-5119) comes yet another that may be as dangerous: CVE-2015-5122, a vulnerability in Adobe Flash Player. If exploited, it could result in a crash that would allow an attacker to take control of the vulnerable system. And yes, just like CVE-2015-5119, it affects all recent versions of Flash on Windows, Mac and Linux (i.e. 18.0.0.203).”

More details by Zscaler here. Malware Don’t Need Coffee saw them being used in the wild across 5 different exploit kits: Rig, Neutrino, Magnitude, Nuclear Pack and Null Hole.

Adobe worked to release a patch ASAP, and the Security Advisory for Adobe Flash Player (APSA15-04) and Security updates available for Adobe Flash Player (APSB15-18) patch it. Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh update to Adobe Flash Player 18.0.0.209.

  • Adobe Flash ActionScript 3 ByteArray Use-After-Free Vulnerability (CVE-2015-5119)

Details have been posted by Zscaler here:

“CVE-2015-5119 exploit payload that we have now seen in the wild. The sample has multiple layers of obfuscation and packer routines. The malicious Flash payload is packed, XOR’ed and stored as binary data inside a parent Flash file that dynamically unpacks a malicious Flash file and writes it to memory at run time.”
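The layering Zscaler describes, an inner Flash file XOR’ed and stored as raw bytes inside a parent SWF, is something a defender can hunt for statically, without running the sample. The script below is an added example written for this post, not Zscaler’s, Trend Micro’s or Hacking Team’s code. It scans a blob for SWF headers (FWS, CWS, ZWS) under every single-byte XOR key, filters out chance matches by checking the version byte and declared length, and carves the inner file, inflating a zlib-compressed (CWS) body. The sample input is constructed, with a placeholder body rather than a valid Flash tag stream, and the single-byte XOR key is an assumption: a real loader may use a longer key or a different scheme, which this scan would not find.

```python
"""Hunt for Flash (SWF) files hidden under a single-byte XOR key inside a binary blob.

Added example for this post (not Zscaler's or Hacking Team's code). Assumes the
inner file is obfuscated with a single-byte XOR key; multi-byte keys are not covered.
"""
import struct
import zlib

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib-compressed, LZMA-compressed


def parse_swf_header(data):
    """Return (signature, version, declared_length) if data starts with a SWF header, else None."""
    if len(data) < 8 or data[:3] not in SWF_MAGICS:
        return None
    version = data[3]
    declared_len = struct.unpack("<I", data[4:8])[0]  # uncompressed length, little-endian
    return data[:3].decode("ascii"), version, declared_len


def _plausible(hdr, remaining):
    """Reject chance matches: sane version byte and a length that fits the data."""
    sig, version, declared_len = hdr
    if not (1 <= version <= 40) or declared_len < 8:
        return False
    # For an uncompressed SWF the declared length is the real file size, so it
    # cannot exceed what is left in the blob. Compressed bodies are smaller than
    # their declared (uncompressed) length, so no upper bound applies there.
    return sig != "FWS" or declared_len <= remaining


def find_embedded_swfs(blob):
    """Return sorted (offset, xor_key, signature, version, declared_len) tuples for
    every plausible SWF header found under any single-byte XOR key (key 0 = plaintext)."""
    hits = []
    for key in range(256):
        decoded = bytes(b ^ key for b in blob)
        for magic in SWF_MAGICS:
            start = 0
            while True:
                idx = decoded.find(magic, start)
                if idx == -1:
                    break
                hdr = parse_swf_header(decoded[idx:idx + 8])
                if hdr and _plausible(hdr, len(decoded) - idx):
                    hits.append((idx, key, *hdr))
                start = idx + 1
    return sorted(hits)


def extract_swf(blob, offset, key):
    """Undo the XOR from `offset` on and return the carved SWF as an uncompressed FWS file."""
    decoded = bytes(b ^ key for b in blob[offset:])
    sig, _version, declared_len = parse_swf_header(decoded[:8])
    if sig == "FWS":
        return decoded[:declared_len]
    if sig == "CWS":
        # Inflate only the embedded zlib stream; decompressobj stops at end-of-stream
        # and leaves whatever follows in unused_data instead of raising on it.
        body = zlib.decompressobj().decompress(decoded[8:])
        return b"FWS" + decoded[3:8] + body
    raise ValueError("ZWS (LZMA) carving is not handled in this example")


def build_constructed_sample(key=0x5A, compressed=False):
    """Constructed test input: a tiny SWF with a placeholder body (not a valid tag
    stream), optionally zlib-compressed, XOR'ed with `key` and wrapped in junk bytes
    the way a loader might embed an inner Flash file. Returns (blob, offset, plain_swf)."""
    body = b"\x00" * 15
    header = bytes([10]) + struct.pack("<I", 8 + len(body))  # version 10, length 23
    plain = b"FWS" + header + body
    inner = b"CWS" + header + zlib.compress(body) if compressed else plain
    xored = bytes(b ^ key for b in inner)
    junk_before = b"PARENT-LOADER-HEADER"
    return junk_before + xored + b"\xff" * 16, len(junk_before), plain


if __name__ == "__main__":
    blob, offset, plain = build_constructed_sample()
    for hit in find_embedded_swfs(blob):
        print("offset=%d key=0x%02x sig=%s version=%d len=%d" % hit)
    assert extract_swf(blob, offset, 0x5A) == plain
```

Run it on a suspicious SWF or on the binary data of a DefineBinaryData tag and any hit with a non-zero key is a strong sign of a packed inner Flash file; the plausibility filter matters because three-byte magics matched under 256 keys would otherwise produce constant false positives on ordinary data.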

Malware Don’t Need Coffee saw the exploit being used in the wild, across 7 different exploit kits, before it was patched.

Adobe worked to release a patch ASAP, and the Security Advisory for Adobe Flash Player (APSA15-03) and Adobe Security Bulletin (APSB15-16) patch it. Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh update to Adobe Flash Player.

  • Adobe Flash Player Integer Overflow (CVE-2015-3087)

An integer overflow vulnerability that could lead to code execution. Adobe patched this vulnerability under the Security Advisory for Adobe Flash Player (APSB15-09).

  • Adobe Flash Player Use-After-Free Vulnerability (CVE-2015-0349)

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors.

Trend Micro posted details here: “One of the Flash Player vulnerabilities found in the HT dump is believed to be CVE-2015-0349, which was patched by Adobe in April 2015.”

Adobe Security Bulletin (APSB15-06) contains a patch for it. The patched Adobe Flash version is 17.0.0.169.

  • Android Fake “BeNews” App

Trend Micro posted details here:

“We analyzed the recent Hacking Team dump and found a sample of a fake news app that appears to be designed to circumvent filtering in Google Play. This is following news that iOS devices are at risk of spyware related to the Hacking Team. The fake news app was downloaded up to 50 times before it was removed from Google Play on July 7.”

  • Android Spying Tool

Feature-rich surveillance software for Android. It leverages CVE-2014-3153, CVE-2013-6282, CVE-2012-2825 and CVE-2012-2871 to perform the desired functionality.

Trend Micro posted details here:

“Following news that iOS devices are at risk of spyware related to the Hacking Team, the saga continues into the Android sphere. We found that among the leaked files is the code for Hacking Team’s open-source malware suite RCSAndroid (Remote Control System Android), which was sold by the company as a tool for monitoring targets. (Researchers have been aware of this suite as early as 2014.)”

Collin Mulliner, a security researcher, has posted his frustration on finding that Hacking Team reused his open-source code.

  • Rootkit for UEFI BIOS

Details posted by Trend Micro here:

“The dissection of the data from the Hacking Team leak has yielded another critical discovery: Hacking Team uses a UEFI BIOS rootkit to keep their Remote Control System (RCS) agent installed in their targets’ systems. This means that even if the user formats the hard disk, reinstalls the OS, and even buys a new hard disk, the agents are implanted after Microsoft Windows is up and running.”

And a great write-up by Intel Advanced Threat Research here:

“The leaked source code goes beyond a research proof-of-concept, revealing a commercial rootkit platform called “]HackingTeam[ UEFI Vector” and using real attacks as a part of Hacking Team’s RCS malware platform. According to the leaked code and emails, this hacking platform may have already been sold to some HackingTeam customers. Some of the emails point to specific modes on which the persistent rootkit was tested. Both “agent” and “soldier” are the names of trojan horse applications also found in the leaks. The rootkit reinstalls these applications automatically, from infected firmware.”

 
