Dark Reading, 1/13/2016 09:00 AM
Kaspersky Caught Scent Of Silverlight Zero-Day In Hacking Team Breach

Hacking Team wasn't interested in this critical, cross-platform, remote code execution bug in Silverlight, but the exploit writer may have found another buyer.

Kaspersky Lab's search for the critical remote code execution zero-day vulnerability in Microsoft Silverlight, patched yesterday, began back in July. The Kaspersky researchers' curiosity was piqued by a detail leaked (and largely overlooked) in the breach at Hacking Team, the researchers wrote today.

The doxing attack at Hacking Team -- the Italian surveillance company that also served as a zero-day broker to a wide array of government agencies -- shed new light on the vulnerability trade. On July 10, Ars Technica published leaked e-mails exchanged between Hacking Team and independent exploit writer Vitaliy Toropov, in which they hash out an agreement to pay Toropov $45,000 for a Flash zero-day.

After such a successful business deal, Toropov suggests his contact at Hacking Team have a look at some of his other offerings, including "my old Silverlight exploit which was written 2.5 years ago and has all chances to survive further in next years as well." This raised eyebrows over at Kaspersky.

"Silverlight is an interesting conundrum," says Brian Bartholomew, senior security researcher at Kaspersky Lab.

"[Silverlight vulnerabilities] don't come across that often," says Bartholomew, but when they do, they're a concern, because they are a cross-platform threat. The vulnerability patched yesterday (CVE-2016-0034) is critical in Microsoft Silverlight 5 and Microsoft Silverlight 5 Developer Runtime when installed on Mac systems, as well as all supported versions of Windows client and server operating systems. Successful exploits of this particular bug grant attackers the same access permissions as the logged-in user, so it's particularly dangerous to administrators.

Yet, it appears that Hacking Team was not interested in Toropov's Silverlight bug, because there are no Silverlight exploits in the pile of leaked files; at least none have yet been revealed. Of course, Hacking Team was not the only bug broker in town. The Kaspersky researchers reasoned that Toropov might have found a buyer elsewhere.

So, they took a closer look at the bugs Toropov had freely published on the Open Source Vulnerability Database (OSVDB) to search for clues in his code.

(Don't be surprised that the same researcher will publish some vulnerabilities and sell others secretly. "It's fairly typical," says Bartholomew. "It comes down to street cred and money." Both are valuable, both are achieved in different ways, and street cred often must be established before the money comes.)

Toropov had published a Silverlight vulnerability in 2013 on OSVDB. (He couldn't have sold that one, but it confirmed his knowledge of Silverlight security.) Kaspersky researchers took a look at his code and found a couple of unique strings in it -- specifically the language and spelling he used in some error debug code, according to Bartholomew. Using that information, Kaspersky added several new detection rules to its security products to scan for an exploit containing those same unique strings.
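The fingerprinting approach described above, as an added illustration that is not Kaspersky's detection logic and not Toropov's code: pick the idiosyncratic debug strings that appear in a known sample but in no benign file, then write a rule that fires only when several of them co-occur in a new file. All file contents, file names, and rule strings below are constructed placeholders.

```python
"""Constructed demonstration of string-based exploit fingerprinting.

Added example: this is not Kaspersky's detection logic and not Toropov's code.
Every rule string, sample file and file name below is a constructed placeholder.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


def extract_strings(data: bytes, min_len: int = 6) -> List[bytes]:
    """Return printable-ASCII runs of at least min_len bytes (like `strings`)."""
    pattern = rb"[ -~]{%d,}" % min_len
    return [m.group(0) for m in re.finditer(pattern, data)]


def candidate_fingerprints(reference: bytes, benign_corpus: List[bytes],
                           min_len: int = 12) -> List[bytes]:
    """Strings present in a known sample but in none of the benign files.

    Long, oddly worded debug/error messages survive this filter; boilerplate
    shared with ordinary binaries (copyright lines, runtime names) does not.
    """
    benign = set()
    for blob in benign_corpus:
        benign.update(extract_strings(blob, min_len))
    return sorted(s for s in set(extract_strings(reference, min_len)) if s not in benign)


@dataclass(frozen=True)
class StringRule:
    """A YARA-like rule: fire when at least min_matches distinct strings hit."""
    name: str
    strings: Dict[str, bytes]
    min_matches: int

    def scan(self, data: bytes) -> dict:
        matched = sorted(ident for ident, pat in self.strings.items() if pat in data)
        return {"rule": self.name, "matched": matched,
                "fires": len(matched) >= self.min_matches}


# Constructed stand-in for a publicly posted older sample
PUBLISHED_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"DEBUG: offset is not finded, retrying\x00"
    + b"Copyright (c) Example Corp. All rights reserved.\x00"
    + b"Exception: payload was not loadet correct\x00"
)

# Constructed benign file sharing only boilerplate with the sample
BENIGN_SAMPLE = (
    b"MZ\x90\x00"
    + b"Copyright (c) Example Corp. All rights reserved.\x00"
    + b"System.Windows.Controls\x00"
)

# Rule built from the two idiosyncratic strings; requiring both hits guards
# against a single coincidental (or deliberately planted) string.
FINGERPRINT_RULE = StringRule(
    name="constructed_silverlight_exploit_fingerprint",
    strings={
        "$dbg1": b"DEBUG: offset is not finded, retrying",
        "$dbg2": b"Exception: payload was not loadet correct",
    },
    min_matches=2,
)

# Constructed files to scan
SAMPLES = {
    "constructed_new_sample.dll": b"MZ" + b"\x00" * 4
        + b"Exception: payload was not loadet correct\x00"
        + b"\x00" * 4 + b"DEBUG: offset is not finded, retrying\x00",
    "constructed_benign.dll": BENIGN_SAMPLE,
    "constructed_single_hit.dll": b"MZ" + b"DEBUG: offset is not finded, retrying\x00",
}


def scan_samples(rule: StringRule = FINGERPRINT_RULE,
                 samples: Dict[str, bytes] = SAMPLES) -> Dict[str, dict]:
    """Run one rule over every sample; returns per-file verdicts."""
    return {name: rule.scan(data) for name, data in samples.items()}


if __name__ == "__main__":
    print("candidate fingerprint strings:",
          candidate_fingerprints(PUBLISHED_SAMPLE, [BENIGN_SAMPLE]))
    for name, verdict in scan_samples().items():
        print(name, "FIRES" if verdict["fires"] else "clean", verdict["matched"])
```

The `min_matches` threshold is the practical counterpart of the caveat that fingerprints can be forged or reused: one string in isolation is weak evidence, since anyone who read the public code can copy it, so a rule should demand several of the author's quirks together and the hit should be treated as a lead for analysts rather than proof of authorship.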

"Lo and behold," says Bartholomew, "five months, six months later, we get a hit."

In early December, researchers discovered CVE-2016-0034 being exploited in the wild in "limited targeted attacks," says Bartholomew. Attackers were hosting websites that contained the malicious Silverlight component and using spearphishing messages to trick victims into visiting the sites, says Bartholomew. (Kaspersky is not yet sharing information about the nature of the targets receiving the spearphishing messages.)

However, the exploit doesn't necessarily need to be used on sites hosted by attackers. It could be used in malvertising or watering hole attacks on other sites.

Was it written by Toropov, and sold to another bidder, though?

Bartholomew says that although there are a "lot of signs that point to" Toropov, it is possible that another exploit writer based their work on the code Toropov previously published on OSVDB. While the exploit seen in the wild last month carries the same fingerprint as Toropov's published exploit from 2013, Bartholomew says that fingerprints can be forged.

"We don't know specifically this was him," says Bartholomew, "but it's definitely a possibility."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
