Insider Threats

04:55 PM

6 Ex-Employees Questioned About Hacking Team Breach, Prior Leak

Japanese targets also getting hit with leaked Flash zero-day exploits, and Hacking Team reportedly worked on drone-based WiFi surveillance tools.

Turns out that in May, David Vincenzetti, CEO of Italian surveillance company Hacking Team, filed complaints against six former employees accusing them of revealing proprietary source code. Now, Milan police are investigating those same individuals for the breach and doxing attack against Hacking Team this month, and have combined the two investigations.

Security researchers have described the company's flagship software, Remote Control System (RCS), the latest version of which is called Galileo, as simply legal spyware. Researchers at Malwarebytes last week called it "basically nothing more than a Remote Access Trojan" -- and quite a sophisticated one, with rich features and a BIOS rootkit.

Although Vincenzetti assured reporters last week that only part of the RCS code had been revealed in the attack, researchers at SensePost reported Thursday that they got RCS up and running.

Leaked emails also revealed that Hacking Team created a "tactical network injector (TNI)," which is a "piece of hardware ... designed to insert malicious code into Wi-Fi network communications, potentially acting as a malicious access point to launch exploits or man-in-the-middle attacks" that was ruggedized and transportable by drones, according to a report in Ars Technica.

The emails included discussions between employees at Hacking Team and those at Insitu, a subsidiary of Boeing that manufactures unmanned aircraft, about potentially "integrating [a] WiFi hacking capability into an airborne system."

In addition to the RCS source code, a pile of critical vulnerabilities -- with detailed how-to documents to help Hacking Team customers exploit them -- was exposed in the breach, including several zero-days in Adobe Flash which were then wrapped into exploit kits.

FireEye has discovered that one of the Flash vulnerabilities, CVE-2015-5122, was used to compromise two Japanese websites and then launch further attacks against other Japanese targets, the company disclosed Sunday. Visitors to the compromised International Hospitality and Conference Service Association site were redirected to the compromised Cosmetech, Inc. site, where they were hit with a malicious .SWF file, which would in turn drop the SOGU (a.k.a. Kaba) malware, a backdoor commonly used by Chinese threat actors.

Researchers believe this may be a new SOGU variant -- it was using a previously unknown command-and-control server and a "modified DNS TXT record beaconing with an encoding we have not previously observed with SOGU malware, along with a non-standard header."
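The DNS TXT beaconing described above is the kind of command-and-control traffic a resolver log can surface. The following is an added example written for this page, not code from the article or from FireEye: it groups TXT queries per client and base domain, then flags groups whose queries arrive at near-regular intervals and whose leftmost labels have high entropy (encoded beacon data rather than readable names). The log format (epoch, client, qtype, qname), the thresholds and all domains and addresses are constructed assumptions, not indicators from the report.

```python
"""Flag possible DNS TXT-record beaconing in a resolver log.

Added example for this page (not from the article or FireEye). Looks for
a client that repeatedly queries TXT records under one base domain at
evenly spaced intervals with high-entropy leading labels. Every log line,
domain and address below is constructed; none is a real indicator.
"""
from collections import defaultdict
from dataclasses import dataclass
import math
import re
import statistics

# Constructed sample resolver log: "<epoch> <client> <qtype> <qname>".
# 10.0.0.5 beacons once a minute; 10.0.0.9 is ordinary DMARC/A lookups.
SAMPLE_LOG = """\
1437400000 10.0.0.5 TXT a9f3k2qz7mx1.example-c2.invalid
1437400060 10.0.0.5 TXT b7h1p0wy3nt4.example-c2.invalid
1437400121 10.0.0.5 TXT c2j8r5vx9lo6.example-c2.invalid
1437400180 10.0.0.5 TXT d4m6s1uq2ke8.example-c2.invalid
1437400240 10.0.0.5 TXT e1n7t3zr8jd0.example-c2.invalid
1437400012 10.0.0.9 TXT _dmarc.example.invalid
1437401500 10.0.0.9 A www.example.invalid
1437403200 10.0.0.9 TXT _dmarc.example.invalid
"""

LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\w+)\s+(\S+)$")


@dataclass
class BeaconAlert:
    client: str
    domain: str
    queries: int
    mean_interval: float
    jitter: float          # std dev of the intervals divided by their mean
    mean_entropy: float    # mean Shannon entropy (bits/char) of the first label


def shannon_entropy(s):
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname, depth=2):
    """Crude base domain: the last `depth` labels. Assumes no public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-depth:])


def parse_log(text):
    """Yield (epoch, client, qtype, qname) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qtype, qname = m.groups()
        yield int(ts), client, qtype.upper(), qname


def find_txt_beacons(log_text, min_queries=4, max_jitter=0.2, min_entropy=3.0):
    """Return a BeaconAlert for each (client, base domain) pair whose TXT
    queries are numerous, evenly spaced and carry high-entropy first labels."""
    groups = defaultdict(list)
    for ts, client, qtype, qname in parse_log(log_text):
        if qtype != "TXT":
            continue
        groups[(client, registered_domain(qname))].append((ts, qname))

    alerts = []
    for (client, domain), entries in groups.items():
        if len(entries) < min_queries:
            continue
        entries.sort()
        times = [t for t, _ in entries]
        intervals = [b - a for a, b in zip(times, times[1:])]
        mean_iv = statistics.mean(intervals)
        jitter = statistics.pstdev(intervals) / mean_iv if mean_iv else float("inf")
        # Only the leftmost label is scored: that is where encoded beacon data lives.
        ent = statistics.mean(shannon_entropy(q.split(".")[0]) for _, q in entries)
        if jitter <= max_jitter and ent >= min_entropy:
            alerts.append(BeaconAlert(client, domain, len(entries), mean_iv, jitter, ent))
    return alerts


if __name__ == "__main__":
    for a in find_txt_beacons(SAMPLE_LOG):
        print(f"{a.client} -> {a.domain}: {a.queries} TXT queries, "
              f"~{a.mean_interval:.0f}s apart, entropy {a.mean_entropy:.2f}")
```

The two thresholds pull in opposite directions on purpose: legitimate TXT lookups (SPF, DMARC, verification tokens) have low-entropy, repeated names and irregular timing, while an implant polling on a timer produces the regular cadence and random-looking labels the detector keys on. A sandboxed sample that adds jitter to its sleep will raise the coefficient of variation, so `max_jitter` should be tuned against the environment's own baseline rather than left at the constructed value here.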

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that, she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
