Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Insider Threats

04:55 PM
Connect Directly

6 Ex-Employees Questioned About Hacking Team Breach, Prior Leak

Japanese targets also getting hit with leaked Flash zero-day exploits, and Hacking Team reportedly worked on drone-based WiFi surveillance tools.

Turns out that in May, David Vincenzetti, CEO of Italian surveillance company Hacking Team, filed complaints against six former employees accusing them of revealing proprietary source code. Now, Milan police are investigating those same individuals for the breach and doxing attack against Hacking Team this month, and have combined the two investigations.

Security researchers have described the company's flagship software, Remote Control System (RCS), the latest version of which is called Galileo, as simply legal spyware. Researchers at Malwarebytes last week called it "basically nothing more than a Remote Access Trojan" -- and quite a sophisticated one, with rich features and a BIOS rootkit.

Although Vincenzetti assured reporters last week that only part of the RCS code had been revealed in the attack, researchers at SensePost reported Thursday that they got RCS up and running.

Leaked emails also revealed that Hacking Team created a "tactical network injector (TNI)," which is a  "piece of hardware ... designed to insert malicious code into Wi-Fi network communications, potentially acting as a malicious access point to launch exploits or man-in-the-middle attacks" that was ruggedized and transportable by drones, according to a report in Ars Technica.

The emails included discussions between employees at Hacking Team and those at Insitu, a subsidiary of Boeing that manufacturers unmanned aircraft about a potentially "integrating [a] WiFi hacking capability into an airborne system."

In addition to the RCS source code, a pile of critical vulnerabilities -- with detailed how-to documents to help Hacking Team customers exploit them -- were exposed in the breach, including several zero-days in Adobe Flash which were then wrapped into exploit kits. 

FireEye has discovered that one of the Flash vulnerabilities, CVE-2015-5122, was used to compromise two Japanese websites then launch further attacks against other Japanese targets, the company disclosed Sunday. Visitors to the compromised International Hospitality and Conference Service Association site were redirected to the compromised Cosmetech, Inc. site, where they were hit with a malicious .SWF file, which would in turn drop the SOGU (a.k.a. Kaba) malware, a backdoor commonly used by Chinese threat actors.

Researchers believe this may be a new SOGU variant -- it was using a previously unknown command-and-control server and a "modified DNS TXT record beaconing with an encoding we have not previously observed with SOGU malware, along with a non-standard header."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Cognitive Bias Can Hamper Security Decisions
Kelly Sheridan, Staff Editor, Dark Reading,  6/10/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-06-15
The "Count per Day" plugin before 3.2.6 for WordPress allows XSS via the wp-admin/?page=cpd_metaboxes daytoshow parameter.
PUBLISHED: 2019-06-15
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
PUBLISHED: 2019-06-15
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
PUBLISHED: 2019-06-15
formats/xml.cpp in Leanify 0.4.3 allows for a controlled out-of-bounds write in xml_memory_writer::write via characters that require escaping.
PUBLISHED: 2019-06-15
In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to [video] BBCode persistent XSS to take over any forum account, aka a nested video MyCode issue.