Vulnerabilities / Threats
1/13/2016
09:00 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Kaspersky Caught Scent Of Silverlight Zero-Day In Hacking Team Breach

Hacking Team wasn't interested in this critical, cross-platform, remote code execution bug in Silverlight, but the exploit writer may have found another buyer.

Kaspersky Labs' search for the critical remote code execution zero-day vulnerability in Microsoft Silverlight, patched yesterday, began back in July. The Kaspersky researchers' curiosity was piqued by a detail leaked (and largely overlooked) in the breach at Hacking Team, researchers wrote today.

The doxing attack at Hacking Team -- the Italian surveillance company that also served as a zero-day broker to a wide array of government agencies -- shed new light on the vulnerability trade. July 10, Ars Technica published leaked e-mails exchanged between Hacking Team and independent exploit writer Vitaliy Toropov, in which they hash out an agreement to pay Toropov $45,000 for a Flash zero-day.

After such a successful business deal, Toropov suggests his contact at Hacking Team have a look at some of his other offerings, including "my old Silverlight exploit which was written 2.5 years ago and has all chances to survive further in next years as well." This raised eyebrows over at Kaspersky.

"Silverlight is an interesting conundrum," says Brian Bartholomew, senior security researcher at Kaspersky Lab.

"[Silverlight vulnerabilities] don't come across that often," says Bartholomew, but when they do, they're a concern, because they are a cross-platform threat. The vulnerability patched yesterday (CVE-2016-0034) is critical in Microsoft Silverlight 5 and Microsoft Silverlight 5 Developer Runtime when installed on Mac systems, as well as all supported versions of Windows client and server operating systems. Successful exploits of this particular bug grant attackers the same access permissions as the logged-in user, so it's particularly dangerous to administrators.

Yet, it appears that Hacking Team was not interested in Toropov's Silverlight bug, because there are no Silverlight exploits in the pile of leaked files; at least none have yet been revealed. Of course, Hacking Team was not the only bug broker in town. The Kaspersky researchers reasoned that Toropov might have found a buyer elsewhere.

So, they took a closer look at the bugs Toropov had freely published on the Open Source Vulnerability Database (OSVDB) to search for clues in his code.

(Don't be surprised that the same researcher will publish some vulnerabilities and sell others secretly. "It's fairly typical," says Bartholomew. "It comes down to street cred and money." Both are valuable, both are achieved in different ways, and street cred often must be established before the money comes.)

Toropov had published a Silverlight vulnerability in 2013 on OSVDB. (He couldn't have sold that one, but it confirmed his knowledge of Silverlight security.) Kaspersky researchers took a look at his code and found a couple of unique strings in it -- specifically the language and spelling he used in some error debug code, according to Bartholomew. Using that information, Kaspersky wrote several new detection rules into Kaspersky Lab security technologies, to scan for an exploit with those same unique strings.

"Lo and behold," says Bartholomew, "five months, six months later, we get a hit."

In early December, researchers discovered CVE-2016-0034 being exploited in the wild in "limited targeted attacks," says Bartholomew. Attackers were hosting websites that contained the malicious Silverlight component and using spearphishing messages to trick victims into visiting the sites, says Bartholomew. (Kaspersky is not yet sharing information about the nature of the targets receiving the spearphishing messages.)

However, the exploit doesn't necessarily need to be used on sites hosted by attackers. It could be used in malvertising or watering hole attacks on other sites.

Was it written by Toropov, and sold to another bidder, though?

Bartholomew says that although there are a "lot of signs that point to" Toropov, it is possible that another exploit writer could have based their work off of the code Toropov previously published on OSVDB. While the vulnerability seen in the wild last month also has the same fingerprint as Toropov's published exploit from 2013, Bartholomew says that fingerprints can be forged.

"We don't know specifically this was him," says Bartholomew, "but it's definitely a possibility."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Join Dark Reading community editor Marilyn Cohodas and her guest, David Shearer, (ISC)2 Chief Executive Officer, as they discuss issues that keep IT security professionals up at night, including results from the recent 2016 Black Hat Attendee Survey.