Researchers find previously unknown exploits among Hacking Team's leaked files

07.07.2015
Researchers sifting through 400GB of data recently leaked from Hacking Team, an Italian company that sells computer surveillance software to government agencies from around the world, have already found an exploit for an unpatched vulnerability in Flash Player.

There are also reports of exploits for a vulnerability in Windows and one in SELinux, a Linux kernel security module that enforces access control policies. The flaws were supposedly used by the company's customers to silently deploy its software on computers belonging to surveillance targets.

Hacking Team was incorporated as HT in Milan and develops a computer surveillance program called Remote Control System (RCS), or Galileo. The system is sold to law enforcement and other government agencies from around the world, along with access to computer intrusion tools that are needed to deploy it.

News broke on Sunday that Hacking Team's network had been compromised, when an attacker released 400GB worth of data stolen from the company's servers, including email communications, source code, client lists, invoices, various server backups and more.

The company has been accused by privacy and human rights groups in the past of selling its software to governments with a poor track record of respecting human rights, which then used it to spy on journalists and political activists. The newly leaked data suggests that the company's customers include government agencies from countries like Azerbaijan, Bahrain, Egypt, Ethiopia, Kazakhstan, Morocco, Nigeria, Oman, Saudi Arabia and Sudan.

Most antivirus products detect Hacking Team's RCS as malware, but the company actively modifies the program to evade such detection.

The security community had a field day on Monday sifting through the 400GB data dump. They found things like weak passwords stored in text files; key generators and serial numbers for pirated commercial software; the source code for versions of RCS for Windows, Linux, Android, iOS, OS X and other platforms; and internal documents explaining the company's services and prices.

More importantly, some security researchers claim to have found exploits for previously unknown and unpatched vulnerabilities -- these are known as zero-day exploits. They suspected that such exploits existed among the files because they're perfect for infecting users' computers with RCS and because the company's documentation suggested so.

For example, one document contains details about a service that Hacking Team calls the RCS Exploit Portal.

"HackingTeam combined its expertise in offensive security and software design to build a service that makes it simple to prepare and use exploits as installation vectors for RCS agents," the document reads.

According to the document, the service contains social engineering exploits, public exploits, private exploits and zero-day exploits. The company notes that the Exploit Portal always contains at least three zero-day level exploits.

One of the confirmed zero-day exploits found in the data dump affects Flash Player and can be used to infect computers when their users visit websites in Internet Explorer.

Carsten Eiram, the chief research officer at vulnerability intelligence firm Risk Based Security, tested the exploit and confirmed that it works reliably against the latest version of Flash Player running under Internet Explorer 11 on Windows 7 32-bit.

"We have not been able to get it to run on a fully patched Win 8.1 Pro with Flash installed, but it may just require some tweaking to get around additional protection mechanisms," Eiram said via email.

Adobe is aware of the reported exploit and expects to release an update for Flash Player Wednesday, an Adobe representative said via email.

There were also reports on Twitter from other security researchers about a zero-day exploit in win32k.sys, a Windows component, being found in the Hacking Team data.

Researchers from antivirus firm Trend Micro said in a blog post that the leaked Hacking Team files contain two exploits for Flash Player, one of which is already known and has been patched, and one for the Windows kernel.

Eiram's team is also looking at a potentially new Windows privilege escalation exploit that might be the same one mentioned in the other reports, but he couldn't comment beyond that because the issue hasn't been fully investigated or confirmed.

"We believe the overall risk for customers is limited, as this vulnerability could not, on its own, allow an adversary to take control of a machine," a Microsoft representative said via email. "We encourage customers to apply the Adobe update and are working on a fix to address this problem."

Other users reported on Twitter and Reddit that Hacking Team's data also contains an exploit for bypassing SELinux enforcement, but that also has yet to be confirmed.

The Hacking Team data leak and revelations come amid proposed changes to an international arms control pact called the Wassenaar Arrangement that would restrict the export of exploits and other computer intrusion software.

Lucian Constantin