Following the recent hack of the popular surveillance firm Hacking Team, the experts started the analysis of the material leaked online by the attackers. The package leaked online include also a number of exploits used by the company to compromise targeted systems by exploiting flaws in Adobe Flash ad Internet Explorer applications.
The researchers discovered at least three different software exploits, two designed to hack Adobe Flash Player and one for Microsoft’s Windows kernel. In particular the “Use-after-free vulnerability”, coded as CVE-2015-0349 has already been patched.
“The information dump includes at least three exploits – two for Flash Player and one for the Windows kernel. One of the Flash Player vulnerabilities, CVE-2015-0349, has already been patched.” states the post published by Trend Micro.
The experts at the Hacking Team described the second Flash Player exploit as “the most beautiful Flash bug for the last four years,” it still has no CVE associated.
Another disconcerting discovery made by principal security firms, is the inclusion of the Adobe Flash zero-day (CVE-2015-5119) exploit with several exploit kits available in the criminal underground. The malware researchers at Trend Micro have discovered evidence of the Adobe Flash zero-day (CVE-2015-5119) exploit being used in a number of exploit kits before the vulnerability was publicly revealed in this week’s data breach on the spyware company. To avoid problems, apply urgently the patch provided by Adobe.
The attackers used the Flash zero-day exploits to cause a system crash and take full control of the infected systems. According to the researchers at Trend Micro this particular zero-day exploit was used in cyber attacks on South Korea and Japan.
“In late June, we learned that a user in Korea was the attempted target of various exploits, including CVE-2014-0497, a Flash vulnerability discovered last year. Traffic logs indicate the user may have received spear phishing emails with attached documents. These documents contained a URL for the user to visit; this URL led to a site hosted in the United States which contained a Flash exploit, detected as SWF_EXPLOYT.YYKI. This particular exploit targets the zero-day Adobe vulnerability that was disclosed during the Hacking Team leak. We noticed that this exploit was downloaded to the user’s machine several times in a week.” wrote Trend Micro.
“We also found that other users had also visited the domain that hosted the exploit code. While many of these users were also in Korea, one of them was located in Japan. This activity started as early as June 22. We cannot confirm that they too were the subject of exploit attempts, but this is likely.”
According to the researchers, the zero-day exploit, about which the rest of the world got access on Monday, was apparently used in limited cyber attacks on South Korea and Japan. The researchers confirmed that the zero-day exploit code they analyzed was very similar to the exploit code included in the HAcking Team Package.
This circumstance suggests that the attackers had access to the hacking tools offered by the Hacking Team firm.
“We believe this attack was generated by Hacking Team’s attack package and code.” states Trend Micro.
(Security Affairs – Hacking Team, zero-day)