Silverlight exploit discovered by analyzing Hacking Team leaked emails

Pierluigi Paganini January 14, 2016

Microsoft patched a Silverlight zero-day discovered by analyzing internal emails stolen to Hacking Team about Silverlight exploit.

Microsoft recently fixed a number of vulnerabilities with the MS16-006 critical bulletin, including a Silverlight flaw CVE-2016-0034 that could be exploited for remote code execution.

The Silverlight flaw discovered by the experts at Kaspersky Lab as a result of an investigation on the Hacking Team arsenal disclosed in July 2015.

According to Microsoft, the remote code execution vulnerability can be exploited by an attacker that set up a website to host a specially crafted Silverlight application.

When Microsoft users will visit the bogus website, the exploit will allow an attacker to obtain the same permissions as the victim. The story of how Kaspersky Lab discovered the Silverlight zero-day starts in July 2015, shortly after a

After the data breach, the hackers leaked the stolen material, including 400GB containing emails, invoices, contracts and source code of the hacking tools used by the Italian firm.

Hacking Team byNumbers Silverlight exploit

The experts at Ars Technica who analyzed the leaked emails noticed communications between a Russian develper named Vitaliy Toropov and the staff at the Hacking Team.

The man sold an Adobe Flash Player exploit to the Hacking Team for $45,000 in 2013 and also offered a Silverlight exploit.

“Now your discount on the next buy is -5k and -10k is for a third bug. I recommend you the fresh 0day for iOS 7/OS X Safari or my old Silverlight exploit which was written 2.5 years ago and has all chances to survive further
in next years as well. ” Toropov wrote to Hacking Team member Giancarlo Russo.

Experts at Kaspersky started analyzing Toropov’s exploits, including a Silverlight Microsoft Silverlight Invalid Typecast / Memory Disclosure that was dated back 2013 and that he had published.

The experts at Kaspersky designed a YARA rule to detect the exploit in the wild, and on November 25th, they detected the Toropov’s exploit on a user’s machine. Later another sample of the exploit was uploaded from Laos to a multiscanner service.

“After implementing the detection, we waited, hoping that an APT group would use it. Since Vitaliy Toropov was offering it to Hacking Team, we also assumed that he sold it to other buyers, and what good is a zero-day if you don’t use it? Unfortunately, for several months, nothing happened. We had already forgotten about this until late November 2015.” Kaspersky researchers wrote in a blog post. “On November 25th, one of our generic detections for Toropov’s 2013 Silverlight exploit triggered for one of our users. Hours later, a sample was also uploaded to a multiscanner service from Lao People’s Democratic Republic (Laos).”

The analysis of the exploit revealed that the exploit was compiled on July 21, 2015, after the Hacking Team data was leaked online. Kaspersky immediately reported the existence of the exploit to Microsoft.

It’s unclear if this Silverlight exploit is the same offered by Toropov in 2013,

“One of the biggest questions we have is whether this is Vitaliy Toropov’s Silverlight zero-day which he tried to sell to Hacking Team. Or is it a different one? Several things make us think it’s one of his exploits, such as the custom error strings. Of course, there is no way to be sure and there might be several Silverlight exploits out there. One thing is for sure though – the world is a bit safer with the discovery and patching of this one.” wrote Kaspersky researchers.

Pierluigi Paganini

(Security Affairs – Silverlight exploit, Hacking Team)

you might also like

leave a comment