Japanese targets also getting hit with leaked Flash zero-day exploits, and Hacking Team reportedly worked on drone-based WiFi surveillance tools.

Sara Peters, Senior Editor

July 20, 2015

Turns out that in May, David Vincenzetti, CEO of Italian surveillance company Hacking Team, filed complaints against six former employees accusing them of revealing proprietary source code. Now, Milan police are investigating those same individuals for the breach and doxing attack against Hacking Team this month, and have combined the two investigations.

Security researchers have described the company's flagship software, Remote Control System (RCS), the latest version of which is called Galileo, as simply legal spyware. Researchers at Malwarebytes last week called it "basically nothing more than a Remote Access Trojan" -- and quite a sophisticated one, with rich features and a BIOS rootkit.

Although Vincenzetti assured reporters last week that only part of the RCS code had been revealed in the attack, researchers at SensePost reported Thursday that they got RCS up and running.

Leaked emails also revealed that Hacking Team created a "tactical network injector (TNI)," which is a "piece of hardware ... designed to insert malicious code into Wi-Fi network communications, potentially acting as a malicious access point to launch exploits or man-in-the-middle attacks" that was ruggedized and transportable by drones, according to a report in Ars Technica.

The emails included discussions between employees at Hacking Team and those at Insitu, a subsidiary of Boeing that manufactures unmanned aircraft, about potentially "integrating [a] WiFi hacking capability into an airborne system."

In addition to the RCS source code, a pile of critical vulnerabilities -- with detailed how-to documents to help Hacking Team customers exploit them -- was exposed in the breach, including several zero-days in Adobe Flash that were then wrapped into exploit kits.

FireEye has discovered that one of the Flash vulnerabilities, CVE-2015-5122, was used to compromise two Japanese websites and then launch further attacks against other Japanese targets, the company disclosed Sunday. Visitors to the compromised International Hospitality and Conference Service Association site were redirected to the compromised Cosmetech, Inc. site, where they were hit with a malicious .SWF file, which would in turn drop the SOGU (a.k.a. Kaba) malware, a backdoor commonly used by Chinese threat actors.

Researchers believe this may be a new SOGU variant -- it was using a previously unknown command-and-control server and a "modified DNS TXT record beaconing with an encoding we have not previously observed with SOGU malware, along with a non-standard header."

About the Author(s)

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law -- a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.

