Vulnerabilities / Threats
1/13/2016
09:00 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Kaspersky Caught Scent Of Silverlight Zero-Day In Hacking Team Breach

Hacking Team wasn't interested in this critical, cross-platform, remote code execution bug in Silverlight, but the exploit writer may have found another buyer.

Kaspersky Labs' search for the critical remote code execution zero-day vulnerability in Microsoft Silverlight, patched yesterday, began back in July. The Kaspersky researchers' curiosity was piqued by a detail leaked (and largely overlooked) in the breach at Hacking Team, researchers wrote today.

The doxing attack at Hacking Team -- the Italian surveillance company that also served as a zero-day broker to a wide array of government agencies -- shed new light on the vulnerability trade. July 10, Ars Technica published leaked e-mails exchanged between Hacking Team and independent exploit writer Vitaliy Toropov, in which they hash out an agreement to pay Toropov $45,000 for a Flash zero-day.

After such a successful business deal, Toropov suggests his contact at Hacking Team have a look at some of his other offerings, including "my old Silverlight exploit which was written 2.5 years ago and has all chances to survive further in next years as well." This raised eyebrows over at Kaspersky.

"Silverlight is an interesting conundrum," says Brian Bartholomew, senior security researcher at Kaspersky Lab.

"[Silverlight vulnerabilities] don't come across that often," says Bartholomew, but when they do, they're a concern, because they are a cross-platform threat. The vulnerability patched yesterday (CVE-2016-0034) is critical in Microsoft Silverlight 5 and Microsoft Silverlight 5 Developer Runtime when installed on Mac systems, as well as all supported versions of Windows client and server operating systems. Successful exploits of this particular bug grant attackers the same access permissions as the logged-in user, so it's particularly dangerous to administrators.

Yet, it appears that Hacking Team was not interested in Toropov's Silverlight bug, because there are no Silverlight exploits in the pile of leaked files; at least none have yet been revealed. Of course, Hacking Team was not the only bug broker in town. The Kaspersky researchers reasoned that Toropov might have found a buyer elsewhere.

So, they took a closer look at the bugs Toropov had freely published on the Open Source Vulnerability Database (OSVDB) to search for clues in his code.

(Don't be surprised that the same researcher will publish some vulnerabilities and sell others secretly. "It's fairly typical," says Bartholomew. "It comes down to street cred and money." Both are valuable, both are achieved in different ways, and street cred often must be established before the money comes.)

Toropov had published a Silverlight vulnerability in 2013 on OSVDB. (He couldn't have sold that one, but it confirmed his knowledge of Silverlight security.) Kaspersky researchers took a look at his code and found a couple of unique strings in it -- specifically the language and spelling he used in some error debug code, according to Bartholomew. Using that information, Kaspersky wrote several new detection rules into Kaspersky Lab security technologies, to scan for an exploit with those same unique strings.

"Lo and behold," says Bartholomew, "five months, six months later, we get a hit."

In early December, researchers discovered CVE-2016-0034 being exploited in the wild in "limited targeted attacks," says Bartholomew. Attackers were hosting websites that contained the malicious Silverlight component and using spearphishing messages to trick victims into visiting the sites, says Bartholomew. (Kaspersky is not yet sharing information about the nature of the targets receiving the spearphishing messages.)

However, the exploit doesn't necessarily need to be used on sites hosted by attackers. It could be used in malvertising or watering hole attacks on other sites.

Was it written by Toropov, and sold to another bidder, though?

Bartholomew says that although there are a "lot of signs that point to" Toropov, it is possible that another exploit writer could have based their work off of the code Toropov previously published on OSVDB. While the vulnerability seen in the wild last month also has the same fingerprint as Toropov's published exploit from 2013, Bartholomew says that fingerprints can be forged.

"We don't know specifically this was him," says Bartholomew, "but it's definitely a possibility."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This is a secure windows pc.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.