Kaspersky Labs' search for the critical remote code execution zero-day vulnerability in Microsoft Silverlight, patched yesterday, began back in July. The Kaspersky researchers' curiosity was piqued by a detail leaked (and largely overlooked) in the breach at Hacking Team, researchers wrote today.
The doxing attack at Hacking Team -- the Italian surveillance company that also served as a zero-day broker to a wide array of government agencies -- shed new light on the vulnerability trade. July 10, Ars Technica published leaked e-mails exchanged between Hacking Team and independent exploit writer Vitaliy Toropov, in which they hash out an agreement to pay Toropov $45,000 for a Flash zero-day.
After such a successful business deal, Toropov suggests his contact at Hacking Team have a look at some of his other offerings, including "my old Silverlight exploit which was written 2.5 years ago and has all chances to survive further in next years as well." This raised eyebrows over at Kaspersky.
"Silverlight is an interesting conundrum," says Brian Bartholomew, senior security researcher at Kaspersky Lab.
"[Silverlight vulnerabilities] don't come across that often," says Bartholomew, but when they do, they're a concern, because they are a cross-platform threat. The vulnerability patched yesterday (CVE-2016-0034) is critical in Microsoft Silverlight 5 and Microsoft Silverlight 5 Developer Runtime when installed on Mac systems, as well as all supported versions of Windows client and server operating systems. Successful exploits of this particular bug grant attackers the same access permissions as the logged-in user, so it's particularly dangerous to administrators.
Yet, it appears that Hacking Team was not interested in Toropov's Silverlight bug, because there are no Silverlight exploits in the pile of leaked files; at least none have yet been revealed. Of course, Hacking Team was not the only bug broker in town. The Kaspersky researchers reasoned that Toropov might have found a buyer elsewhere.
So, they took a closer look at the bugs Toropov had freely published on the Open Source Vulnerability Database (OSVDB) to search for clues in his code.
(Don't be surprised that the same researcher will publish some vulnerabilities and sell others secretly. "It's fairly typical," says Bartholomew. "It comes down to street cred and money." Both are valuable, both are achieved in different ways, and street cred often must be established before the money comes.)
Toropov had published a Silverlight vulnerability in 2013 on OSVDB. (He couldn't have sold that one, but it confirmed his knowledge of Silverlight security.) Kaspersky researchers took a look at his code and found a couple of unique strings in it -- specifically the language and spelling he used in some error debug code, according to Bartholomew. Using that information, Kaspersky wrote several new detection rules into Kaspersky Lab security technologies, to scan for an exploit with those same unique strings.
"Lo and behold," says Bartholomew, "five months, six months later, we get a hit."
In early December, researchers discovered CVE-2016-0034 being exploited in the wild in "limited targeted attacks," says Bartholomew. Attackers were hosting websites that contained the malicious Silverlight component and using spearphishing messages to trick victims into visiting the sites, says Bartholomew. (Kaspersky is not yet sharing information about the nature of the targets receiving the spearphishing messages.)
However, the exploit doesn't necessarily need to be used on sites hosted by attackers. It could be used in malvertising or watering hole attacks on other sites.
Was it written by Toropov, and sold to another bidder, though?
Bartholomew says that although there are a "lot of signs that point to" Toropov, it is possible that another exploit writer could have based their work off of the code Toropov previously published on OSVDB. While the vulnerability seen in the wild last month also has the same fingerprint as Toropov's published exploit from 2013, Bartholomew says that fingerprints can be forged.
"We don't know specifically this was him," says Bartholomew, "but it's definitely a possibility."