The recent hack of the Hacking Team firm has caused the exposure of 400GB of corporate data which includes source code (GitHub repository), emails and other sensitive documents belonging to the surveillance software firm. According to security experts at Trend Micro, the stolen data also include an exploit for a zero-day vulnerability in Flash Player.
The Hacking Team has always denied doing business with oppressive countries, but the leaked documents contradict the company.
The leak also included the hacking tools and several exploits targeting Adobe Flash Player and Windows. The researchers discovered at least three different software exploits, two designed to hack Adobe Flash Player and one for Microsoft’s Windows kernel. In particular the “Use-after-free vulnerability”, coded as CVE-2015-0349 has already been patched.
“The information dump includes at least three exploits – two for Flash Player and one for the Windows kernel. One of the Flash Player vulnerabilities, CVE-2015-0349, has already been patched.” states the post published by Trend Micro.
The experts at the Hacking Team described the second Flash Player exploit as “the most beautiful Flash bug for the last four years,” it still has no CVE associated.
The existence of the zero-day vulnerability in Adobe Flash player has been confirmed also by researchers at Symantec, who confirmed that it could allow hackers to remotely execute code on a targeted computer and gain full control of it.
“Symantec has confirmed the existence of a new zero-day vulnerability in Adobe Flash which could allow attackers to remotely execute code on a targeted computer. Since details of the vulnerability are now publicly available, it is likely attackers will move quickly to exploit it before a patch is issued.” states Symantec.
“Details of the vulnerability surfaced following a cyberattack against the controversial Italian hackers-for-hire firm Hacking Team. Proof-of-concept code for exploit of the vulnerability was part of a large cache of internal information leaked by the attackers. Given the source of the proof-of-concept code, it is possible that this vulnerability has already been exploited in the wild.”
The stolen data includes a Flash zero-day proof-of-concept (POC) exploit code that successfully works with the latest version of Adobe Flash (version 220.127.116.11) with Internet Explorer.
The flaw affects the major browsers, including Internet Explorer, Safari, FireFox and Chrome.
Symantec speculates that threat actors in the wild will add the exploit into their crimeware kits with a consequent increase in the number of cyber attacks.
In order to mitigate the risks of cyber attacks, users can temporarily disable the Adobe Flash Player in their browser until the availability of fix for the zero-day flaw.
(Security Affairs – Hacking Team, zero-day)