A critical zero-day vulnerability can fetch a high price on the black market. Or everyone can have it for free, and criminals can pack it into a variety of exploit kits and roll it into the wild. Super-sophisticated spyware may require great skill to develop or lots of cash to buy in the criminal underground. Or, the source code could just show up on BitTorrent, and be good to go with a little customization.
This week's doxing attack and breach of Italian surveillance software company Hacking Team shows just how such things can happen -- a combination of great offense and terrible defense.
The attacker who has now taken responsibility for the Hacking Team breach hasn't revealed his methods yet, but based upon what we now know about the company's internal security, bad password practices -- not just by regular users, but by security staff -- likely have something to do with it.
Is this all preventable, or is this to be expected when vulnerabilities are commoditized, and the highest bidders are not the companies whose software needs fixing?
Milan-based Hacking Team sells highly invasive surveillance software, but only, it says, to government; specifically to governments that have kept off the U.S., E.U., U.N., NATO or ASEAN blacklists. However, the attackers revealed internal documents showing that Hacking Team had also sold its products and services to countries with histories of human rights violations, including Sudan, Egypt, Russia, and many others.
Also, the source code for the company's flagship software, Remote Control System, was exposed in the breach. The company told its customers to cease use of the product until further notice.
Also revealed Monday: Hacking Team was discovering and selling software vulnerabilities and proof-of-concept exploit code. Among them was a critical Adobe Flash vulnerability (with proof-of-concept code) affecting all versions of Flash running in Internet Explorer, Firefox, Chrome, and Safari on Windows, Mac, and Linux. It was disclosed to Adobe by Google Project Zero and researcher Morgan Marquis-Boire, and has been dubbed CVE-2015-5119.
From vulnerability to exploit
It appears that Hacking Team did sell CVE-2015-5119, because according to Trend Micro research released today, it was used in limited attacks in Japan and Korea before the vulnerability was publicly revealed in this week's breach. Trend Micro first found exploits July 1, but they may have started in late June.
The rest of the world got access to the vulnerability Monday. Jerome Segura, senior security researcher at Malwarebytes Labs, says attackers normally take a few days to convert a vulnerability into an exploit.
"This one," he says, "I knew it was going to be faster."
Usually, attackers don't have clear, extensive documentation to help them develop exploits. Yet that's precisely the sort of information Hacking Team provided to its customers, and it was thus leaked to the world.
"All the code was there, with instructions," Segura says. "Here it is on a silver platter."
By Tuesday at 3 p.m., Malwarebytes Labs saw code exploiting the vulnerability in the wild, as part of the Neutrino exploit kit. Within minutes it appeared in the Angler, and then the Nuclear, exploit kits, too.
"Which was very strange," he says. "Almost like the bad guys were working together or they were racing each other." He doesn't believe they were actually working together, because the exploits were different.
Adobe issued an advisory Tuesday, stating that the "successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system."
One of the payloads being spread by exploiting this zero-day is the CryptoWall 3.0 ransomware, according to Trend Micro. Adobe released a patch today and advises users to install it as soon as possible.
How was Hacking Team compromised, allowing this gray-hat tradecraft to emerge? Bad passwords, possibly.
"Phineas Fisher" has come forth to take responsibility for the attack, but so far he's not sharing details.
"I'll write up how hacking team got hacked once they've had some time to fail at figuring out what happened and go out of business" -- Phineas Fisher (@GammaGroupPR), July 7, 2015
However, there is reason to believe that bad passwords, and the reuse of them, are partly to blame. According to data exposed in the doxing attack, the company's managing director used the password "Passw0rd" across every corporate system. And it wasn't just the non-IT staff. Among the root passwords exposed is "P4ssword." That was also a popular choice for the company's senior security and systems engineer, Christian Pozzi: according to reports, he used the same username/password combination, with the weak password "P4ssword," for many accounts accessed via Firefox.
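The weak, reused passwords described above are exactly what a routine credential audit is meant to catch before an attacker does. The following is an added example, not code from the article or from Hacking Team: a small Python audit over a constructed credential inventory that flags leet-speak variants of common words (so "Passw0rd" and "P4ssword" are both recognized as "password") and reports any password reused across systems. The 12-character minimum, the block list, the sample records and all function names are assumptions made for illustration; a real audit would run against an exported, access-controlled password-manager report, not against live systems.

```python
"""Credential-hygiene audit (added example, not from the article).

Flags two practices the article describes:
  1. passwords that are trivial leet-speak variants of common words;
  2. the same password reused across several systems.
"""
import re
from collections import defaultdict

# Constructed block list for illustration; a real deployment would use a
# large breached-password list instead of five words.
COMMON_WORDS = {"password", "admin", "welcome", "letmein", "qwerty"}

# Leet-speak characters mapped back to the letters they usually stand for.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})

# Assumed policy threshold (12 characters); tune to your own policy.
MIN_LENGTH = 12


def normalize(password):
    """Reduce a password to the dictionary word it is built from.

    Lower-cases, strips a trailing run of digits/symbols (the "2015!" that
    people append to satisfy complexity rules), then undoes leet
    substitutions: "Passw0rd2015!" -> "password".
    """
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)
    return base.translate(LEET_MAP)


def weakness_reasons(password):
    """Return a list of reasons the password is weak (empty if none)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if normalize(password) in COMMON_WORDS:
        reasons.append("leet-speak variant of a common word")
    return reasons


def find_reuse(records):
    """Group (system, username) pairs that share one password.

    Only the systems and accounts are returned, never the password itself,
    so the report can be handed around without re-leaking the secret.
    """
    by_password = defaultdict(list)
    for system, user, password in records:
        by_password[password].append((system, user))
    return [sorted(group) for group in by_password.values() if len(group) > 1]


def audit(records):
    """Run both checks; returns (weak findings by account, reuse groups)."""
    findings = {}
    for system, user, password in records:
        reasons = weakness_reasons(password)
        if reasons:
            findings[(system, user)] = reasons
    return findings, find_reuse(records)


# Constructed inventory: (system, username, password). Not real data.
SAMPLE_RECORDS = [
    ("vpn", "director", "Passw0rd"),
    ("mail", "director", "Passw0rd"),
    ("wiki", "director", "Passw0rd"),
    ("root@build-host", "root", "P4ssword"),
    ("git", "engineer", "P4ssword"),
    ("git", "analyst", "correct-horse-battery-staple-42"),
]


if __name__ == "__main__":
    weak, reused = audit(SAMPLE_RECORDS)
    for account, reasons in weak.items():
        print("WEAK   %s@%s: %s" % (account[1], account[0], "; ".join(reasons)))
    for group in reused:
        print("REUSED across: %s" % ", ".join("%s@%s" % (u, s) for s, u in group))
```

Running the block against the constructed inventory reports five weak accounts and two reuse groups (the director's three systems, and the root account plus the engineer's git login). The normalization step is what makes the check useful: a block list that contains only "password" misses both "Passw0rd" and "P4ssword", while mapping leet characters back first catches every such variant with one entry.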
"The Hacking Team is composed of hackers and security engineers working for the government. They have access to highly confidential data and they likely have a target on their back," says Darren Guccione, CEO of Keeper Security. "Despite whether these passwords were currently in-use or the cause of the breach, reusing the same passwords or using weak passwords is a serious cause for concern for a team of government security experts and hackers."
Segura says that security experts need to apply the same best practices to the software they put on the market, particularly since it often runs with higher privileges than regular applications.
"We go after malware and we're good at it, but how many of our products are secure? That's a question we have to ask ourselves," he says. "Anti-virus is installed on a lot of machines. That itself is a really nice target. ... We know [attackers] don't like us. But they haven't gone yet to 'we're not going to disable you, we're going to use you.'"
0-Days for Sale
"The case where I have the most concern is the non-disclosure of the zero-day," says Fengmin Gong, founder and CSO of Cyphort. "Not disclosing it responsibly to a vendor ... I think that is a very dangerous precedent."
Gong says vendors are aware they're in competition with criminals for getting their hands on vulnerabilities first, which is why they started paying bug bounties.
Yet, when the "good guys" get into the business of selling vulnerabilities too, "It's very hard to draw that line of who to sell to," Gong says.
Even if they are ethical about choosing their customers, Gong adds that businesses like Hacking Team cannot be sure their customers will be the only ones to use those products, or if they'll give them to someone else. "That's why that whole business is a risky proposition to begin with," he says.
[Gong's colleague, Cyphort malware reverse engineer Marion Marschalek, along with Morgan Marquis-Boire who reported the Flash vulnerability to Adobe, will be presenting a session about the "peculiarities of nation-state malware research" at Black Hat next month.]
"The market for zero-day vulnerabilities is alive and well and as the Hacking Team breach has revealed is also highly profitable," says Ken Westin, senior security analyst for Tripwire. "As many governments move to try and control malware and offensive security tools, some have been caught with their own hands in the cookie jar, leading many to wonder how and why governments and agencies listed as Hacking Team clients are using these tools and if they are doing so lawfully."
"Governments around the world are focusing their resources on offensive techniques, which means, ironically, they are doing many of the same things as the 'bad guys' -- building malware and surveillance tools similar to spyware," says Mark Kraynak, chief product officer of Imperva. "If anyone is worried about the distribution of malware information represented by this breach, they should remember the 'bad guys' are already using these exploits and doing so much more with them."
Gong points out that it isn't just the zero-day the Hacking Team breach gave to the bad guys; it's also the source code for the Remote Control System surveillance software -- sophisticated spyware. That, he says, will have an impact we've yet to feel. "The underground will easily adopt them."