Vulnerabilities / Threats

1/13/2016
09:00 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Kaspersky Caught Scent Of Silverlight Zero-Day In Hacking Team Breach

Hacking Team wasn't interested in this critical, cross-platform, remote code execution bug in Silverlight, but the exploit writer may have found another buyer.

Kaspersky Labs' search for the critical remote code execution zero-day vulnerability in Microsoft Silverlight, patched yesterday, began back in July. The Kaspersky researchers' curiosity was piqued by a detail leaked (and largely overlooked) in the breach at Hacking Team, researchers wrote today.

The doxing attack at Hacking Team -- the Italian surveillance company that also served as a zero-day broker to a wide array of government agencies -- shed new light on the vulnerability trade. July 10, Ars Technica published leaked e-mails exchanged between Hacking Team and independent exploit writer Vitaliy Toropov, in which they hash out an agreement to pay Toropov $45,000 for a Flash zero-day.

After such a successful business deal, Toropov suggests his contact at Hacking Team have a look at some of his other offerings, including "my old Silverlight exploit which was written 2.5 years ago and has all chances to survive further in next years as well." This raised eyebrows over at Kaspersky.

"Silverlight is an interesting conundrum," says Brian Bartholomew, senior security researcher at Kaspersky Lab.

"[Silverlight vulnerabilities] don't come across that often," says Bartholomew, but when they do, they're a concern, because they are a cross-platform threat. The vulnerability patched yesterday (CVE-2016-0034) is critical in Microsoft Silverlight 5 and Microsoft Silverlight 5 Developer Runtime when installed on Mac systems, as well as all supported versions of Windows client and server operating systems. Successful exploits of this particular bug grant attackers the same access permissions as the logged-in user, so it's particularly dangerous to administrators.

Yet, it appears that Hacking Team was not interested in Toropov's Silverlight bug, because there are no Silverlight exploits in the pile of leaked files; at least none have yet been revealed. Of course, Hacking Team was not the only bug broker in town. The Kaspersky researchers reasoned that Toropov might have found a buyer elsewhere.

So, they took a closer look at the bugs Toropov had freely published on the Open Source Vulnerability Database (OSVDB) to search for clues in his code.

(Don't be surprised that the same researcher will publish some vulnerabilities and sell others secretly. "It's fairly typical," says Bartholomew. "It comes down to street cred and money." Both are valuable, both are achieved in different ways, and street cred often must be established before the money comes.)

Toropov had published a Silverlight vulnerability in 2013 on OSVDB. (He couldn't have sold that one, but it confirmed his knowledge of Silverlight security.) Kaspersky researchers took a look at his code and found a couple of unique strings in it -- specifically the language and spelling he used in some error debug code, according to Bartholomew. Using that information, Kaspersky wrote several new detection rules into Kaspersky Lab security technologies, to scan for an exploit with those same unique strings.

"Lo and behold," says Bartholomew, "five months, six months later, we get a hit."

In early December, researchers discovered CVE-2016-0034 being exploited in the wild in "limited targeted attacks," says Bartholomew. Attackers were hosting websites that contained the malicious Silverlight component and using spearphishing messages to trick victims into visiting the sites, says Bartholomew. (Kaspersky is not yet sharing information about the nature of the targets receiving the spearphishing messages.)

However, the exploit doesn't necessarily need to be used on sites hosted by attackers. It could be used in malvertising or watering hole attacks on other sites.

Was it written by Toropov, and sold to another bidder, though?

Bartholomew says that although there are a "lot of signs that point to" Toropov, it is possible that another exploit writer could have based their work off of the code Toropov previously published on OSVDB. While the vulnerability seen in the wild last month also has the same fingerprint as Toropov's published exploit from 2013, Bartholomew says that fingerprints can be forged.

"We don't know specifically this was him," says Bartholomew, "but it's definitely a possibility."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9962
PUBLISHED: 2019-03-24
XnView MP 0.93.1 on Windows allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, related to VCRUNTIME140!memcpy.
CVE-2019-9963
PUBLISHED: 2019-03-24
XnView MP 0.93.1 on Windows allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, related to ntdll!RtlFreeHeap.
CVE-2019-9964
PUBLISHED: 2019-03-24
XnView MP 0.93.1 on Windows allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, related to ntdll!RtlpNtMakeTemporaryKey.
CVE-2019-9965
PUBLISHED: 2019-03-24
XnView MP 0.93.1 on Windows allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, related to ntdll!RtlReAllocateHeap.
CVE-2019-9966
PUBLISHED: 2019-03-24
XnView Classic 2.48 on Windows allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, related to xnview+0x38536c.