7/8/2015 07:00 PM
Hacking Team 0-Day Shows Widespread Dangers Of All Offense, No Defense

While the Italian surveillance company sells government agencies high-end zero-day proof-of-concept exploits, it secures root systems with the password 'P4ssword.' What's vulnerability commoditization got to do with it?

A critical zero-day vulnerability can fetch a high price on the black market. Or everyone can have it for free, and criminals can pack it into a variety of exploit kits and roll it into the wild. Super-sophisticated spyware may require great skill to develop or lots of cash to buy in the criminal underground. Or, the source code could just show up on BitTorrent, and be good to go with a little customization.

This week's doxing attack and breach of Italian surveillance software company Hacking Team shows just how such things can happen -- a combination of great offense and terrible defense.

The attacker who has now taken responsibility for the Hacking Team breach hasn't revealed his methods yet, but based upon what we now know about the company's internal security, bad password practices -- not just by regular users, but by security staff -- likely have something to do with it.

Is this all preventable, or is this to be expected when vulnerabilities are commoditized, and the highest bidders are not the companies whose software needs fixing?

The breach

Milan-based Hacking Team sells highly invasive surveillance software, but only, it says, to government; specifically to governments that have kept off the U.S., E.U., U.N., NATO or ASEAN blacklists. However, the attackers revealed internal documents showing that Hacking Team had also sold its products and services to countries with histories of human rights violations, including Sudan, Egypt, Russia, and many others. 

Also, the source code for the company's flagship software, Remote Control System, was breached. The company told its customers to cease use of the product until further notice.

Also revealed Monday: Hacking Team was discovering and selling software vulnerabilities and proof-of-concept exploit code. Among them was a critical Adobe Flash vulnerability (with POC) affecting all versions of Flash running in Internet Explorer, Firefox, Chrome, and Safari on Windows, Mac, and Linux. It was disclosed to Adobe by Google Project Zero and researcher Morgan Marquis-Boire, and has been dubbed CVE-2015-5119.

From vulnerability to exploit

It appears that Hacking Team did sell CVE-2015-5119, because according to Trend Micro research released today, it was used in limited attacks in Japan and Korea before the vulnerability was publicly revealed in this week's breach. Trend Micro first found exploits July 1, but they may have started in late June.

The rest of the world got access to the vulnerability Monday. Jerome Segura, senior security researcher of Malwarebytes Labs, says normally, attackers would take a few days to convert a vulnerability into an exploit.

"This one," he says, "I knew it was going to be faster."

Usually, attackers don't have clear, extensive documentation to help them develop exploits. Yet that's precisely the sort of information Hacking Team provided to its customers, and it was thus leaked to the world along with everything else.

"All the code was there, with instructions," Segura says. "Here it is on a silver platter."

By Tuesday at 3 p.m., Malwarebytes Labs saw code exploiting the vulnerability in the wild, as part of the Neutrino exploit kit. Within minutes it appeared in the Angler, then the Nuclear exploit kits, too.

"Which was very strange," he says. "Almost like the bad guys were working together or they were racing each other." He doesn't believe they were actually working together, because the exploits were different.

Adobe issued an advisory Tuesday, stating that the "successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system." 

One of the payloads being spread by exploiting this zero-day is the CryptoWall 3.0 ransomware, according to Trend Micro. Adobe released a patch today and advises users to install it as soon as possible.

Bad defense

How was Hacking Team compromised, allowing this gray-hat tradecraft to emerge? Bad passwords, possibly.

"Phineas Fisher" has come forth to take responsibility for the attack, but so far he's not sharing details.

However, there is reason to believe weak passwords, and heavy reuse of them, are partly to blame. According to data exposed in the doxing attack, the company's managing director used the password "Passw0rd" across every corporate system. And it wasn't just the non-IT staff. Among the root passwords exposed is "P4ssword." According to reports, that was also the choice of the company's senior security and systems engineer, Christian Pozzi, who used the same username/password combination, with the weak password "P4ssword," for many accounts accessed via Firefox.
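Both "Passw0rd" and "P4ssword" satisfy a typical length/upper/lower/digit complexity rule, which is why such rules alone do not catch them. The following added example (not code from the article or from Hacking Team) shows a defender's check that undoes leet-speak substitutions before comparing against a denylist of base words, plus a reuse audit over a constructed credential inventory; the function names, denylist and the sample systems and usernames are assumptions made for illustration.

```python
import re

# Base words that complexity rules miss once digits and symbols replace letters
# (constructed denylist for illustration; a real one would be far larger).
DENYLIST = {"password", "admin", "welcome", "letmein", "qwerty", "root"}

# Leet-speak substitutions mapped back to the letters they stand in for.
LEET = str.maketrans({"4": "a", "@": "a", "0": "o", "3": "e", "1": "i",
                      "!": "i", "5": "s", "$": "s", "7": "t"})


def normalize(password: str) -> str:
    """Lower-case, drop trailing digits/punctuation, then undo leet substitutions."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(LEET)


def passes_naive_policy(password: str) -> bool:
    """The kind of rule 'P4ssword' satisfies: 8+ chars with upper, lower and a digit."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def is_weak(password: str) -> bool:
    """Weak if the normalized form is a denylisted base word, whatever the policy says."""
    return normalize(password) in DENYLIST


def find_reuse(credentials):
    """Map each password used for more than one (system, user) to the accounts sharing it.

    credentials: iterable of (system, username, password) tuples.
    """
    by_password = {}
    for system, user, pw in credentials:
        by_password.setdefault(pw, []).append((system, user))
    return {pw: sorted(acc) for pw, acc in by_password.items() if len(acc) > 1}


# Constructed sample inventory (hypothetical systems and users, not breach data).
SAMPLE = [("vpn", "alice", "Passw0rd"), ("mail", "alice", "Passw0rd"),
          ("git", "alice", "Passw0rd"), ("srv1", "root", "P4ssword"),
          ("srv2", "root", "P4ssword"), ("wiki", "bob", "K7#qLp9!vZ2m")]

if __name__ == "__main__":
    for _, user, pw in SAMPLE:
        print(f"{user}: policy={passes_naive_policy(pw)} weak={is_weak(pw)}")
    for pw, accounts in find_reuse(SAMPLE).items():
        print(f"reused {pw!r} on {len(accounts)} accounts: {accounts}")
```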

"The Hacking Team is composed of hackers and security engineers working for the government. They have access to highly confidential data and they likely have a target on their back," says Darren Guccione, CEO of Keeper Security. "Despite whether these passwords were currently in-use or the cause of the breach, reusing the same passwords or using weak passwords is a serious cause for concern for a team of government security experts and hackers."

Segura says that security experts need to apply the same best practices to the software they put on the market, particularly since it often runs with higher privileges than regular applications.

"We go after malware and we're good at it, but how many of our products are secure? That's a question we have to ask ourselves," he says. "Anti-virus is installed on a lot of machines. That itself is a really nice target. ... We know [attackers] don't like us. But they haven't gone yet to 'we're not going to disable you, we're going to use you.'"

0-Days for Sale

"The case where I have the most concern is the non-disclosure of the zero-day," says Fengmin Gong, founder and CSO of Cyphort. "Not disclosing it responsibly to a vendor ... I think that is a very dangerous precedent."

Gong says vendors are aware they're in competition with criminals for getting their hands on vulnerabilities first, which is why they started paying bug bounties.

Yet, when the "good guys" get into the business of selling vulnerabilities too, "It's very hard to draw that line of who to sell to," Gong says.

Even if they are ethical about choosing their customers, Gong adds that businesses like Hacking Team cannot be sure their customers will be the only ones to use those products, or if they'll give them to someone else. "That's why that whole business is a risky proposition to begin with," he says.

[Gong's colleague, Cyphort malware reverse engineer Marion Marschalek, along with Morgan Marquis-Boire who reported the Flash vulnerability to Adobe, will be presenting a session about the "peculiarities of nation-state malware research" at Black Hat next month.]

"The market for zero-day vulnerabilities is alive and well and as the Hacking Team breach has revealed is also highly profitable," says Ken Westin, senior security analyst for Tripwire. "As many governments move to try and control malware and offensive security tools, some have been caught with their own hands in the cookie jar, leading many to wonder how and why governments and agencies listed as Hacking Team clients are using these tools and if they are doing so lawfully."

“Governments around the world are focusing their resources on offensive techniques, which means, ironically, they are doing many of the same things as the ‘bad guys’ -- building malware and surveillance tools similar to spyware," says Mark Kraynak, chief product officer of Imperva. "If anyone is worried about the distribution of malware information represented by this breach, they should remember the ‘bad guys’ are already using these exploits and doing so much more with them."

Gong points out that it isn't just the zero-day the Hacking Team breach gave to the bad guys; it's also the source code for the Remote Control System surveillance software -- sophisticated spyware. That, he says, will have an impact we've yet to feel. "The underground will easily adopt them."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...