In this article we look at what happens when hackers become targets.
The Hacking Team hack
On July 6, 2015, unknown hackers published online the source code, internal emails and sensitive data stolen from the systems of the Italian surveillance firm Hacking Team.
The Italian company had long been criticized for the hacking solutions and services it offers to governments around the world. Many experts and privacy advocates say the company has sold products to repressive regimes, including Lebanon, Oman, Saudi Arabia and Sudan. For this reason, Reporters Without Borders listed the company among its “Enemies of the Internet”.
The stolen data was uploaded to BitTorrent and includes a huge number of directories containing the source code of the exploits the company used in its surveillance software, as well as emails, contracts, invoices and audio recordings.
Software sold by Hacking Team includes the Remote Control System (RCS), also known as Galileo, and the Da Vinci backdoor. While the source code was being leaked online, the hackers also took over Hacking Team’s Twitter account, which they used to spread news of the hack and of the availability of the material online.
Curiously, one of the emails shared by the hackers contains a conversation in which Hacking Team CEO David Vincenzetti shares news about the hacking of Gamma Group, the competitor that develops the FinFisher surveillance software.
Internal emails show Hacking Team doing business with repressive governments.
Experts analyzing the stolen data have started sharing what the documents contain, for example:
A €58,000 invoice to Egypt for Hacking Team’s RCS Exploit Portal. (Source: CSO Online)
An email from a person linked to several domains allegedly connected to the Meles Zenawi Foundation (MZF), named after the late Prime Minister of Ethiopia. In the email, Biniam Tewolde thanks Hacking Team for its services. Ethiopia appears to have paid 1,000,000 Ethiopian Birr (ETB) for Hacking Team’s Remote Control System, professional services and communication equipment.
A €480,000 invoice shows that Hacking Team sold Sudan surveillance software that could be used to monitor and suppress dissidents.
Documents shared by SynAckPwn with Salted Hash, relating to the maintenance contract status of a number of customers, list Russia and Sudan as Hacking Team clients; they are marked as “Unofficially Supported”.
According to internal documents leaked by the hackers, Hacking Team did business with organizations and governments in the following locations:
Egypt, Ethiopia, Morocco, Nigeria, Sudan, Chile, Colombia, Ecuador, Honduras, Mexico, Panama, United States of America, Azerbaijan, Kazakhstan, Malaysia, Mongolia, Singapore, South Korea, Thailand, Uzbekistan, Vietnam, Australia, Cyprus, Czech Republic, Germany, Hungary, Italy, Luxembourg, Poland, Russia, Spain, Switzerland, Bahrain, Oman, Saudi Arabia, United Arab Emirates.
The aftermath was embarrassing for the company, which, in an effort to limit the spread of its code, spread the word that the leaked material available online was infected.
Hacking Team representative Christian Pozzi claimed that the leak of sensitive internal material contained a virus and urged people to avoid downloading it.
Pozzi also denied that Hacking Team had ever sold surveillance malware to “bad states”, describing its products as “bespoke software solutions”.
“No, the torrent contains all your viruses that you sell and that will be patched,” said John Adams, a former Twitter security official.
The news site Motherboard, citing a person close to the company who spoke on condition of anonymity, revealed that Hacking Team asked all its customers to cease operations and stop using its spyware.
“They’re in full emergency mode,” a Motherboard source with inside knowledge of Hacking Team’s operations reported. “Hacking Team notified all of its customers in an ‘explosive email’ on Monday morning, asking them to end all deployments of its Remote Control System software, also known as Galileo, according to multiple sources. The company has also been without access to its email system since Monday afternoon,” Motherboard said.
One of the internal documents leaked by the hackers revealed the existence of a “crisis procedure” to be activated in case of serious incidents. The procedure includes a remote kill switch for the company’s platform and spyware, meaning the company can pause its backdoor or disable it remotely.
The situation is becoming more dramatic for the company by the hour. Another embarrassing detail is that every copy of Hacking Team’s Galileo software is watermarked, which means whoever holds the stolen data can link each instance of the malware to a specific account and customer.
“By accessing this data, it is possible to link certain back doors to a specific customer. There also appears to be a backdoor in the way the anonymizing proxies are managed that allows Hacking Team to turn them off independently of the customer and get the final IP address they need to contact,” a source told Motherboard.
Hacking Team Arsenal
The Hacking Team hack exposed 400 GB of company data, including exploit source code (later mirrored to a GitHub repository). Experts who analyzed the dump published on the Internet discovered a number of zero-day exploits targeting widely used software such as Adobe Flash Player, Internet Explorer and the Android OS. Access to several zero-day exploits allowed the company to target large numbers of users with no warning to the victims or vendors.
A first look at the stolen package allowed Trend Micro experts to identify at least three exploits: two for Adobe Flash Player and one for the Windows kernel.
“The dump contains at least three exploits – two for Flash Player and one for the Windows kernel. One of the Flash Player vulnerabilities, CVE-2015-0349, has already been patched,” said a post published by Trend Micro.
Hacking Team described the second Flash Player exploit as “the most beautiful Flash bug in the last four years”; the bug was later assigned CVE-2015-5119.
“One of the Flash exploits is described by Hacking Team as ‘the most beautiful Flash bug in four years.’ This Flash exploit has not yet been assigned a CVE number,” the post continued at the time.
Proof-of-concept code for the vulnerability was also included in the cache of internal information leaked by the attackers; with the PoC source in hand, threat actors worldwide could exploit it in the wild.
The Flash zero-day proof-of-concept (PoC) exploit worked against the then-latest version of Adobe Flash Player (18.0.0.194) in Internet Explorer. The bug affects all major browsers, including Internet Explorer, Safari, Firefox and Chrome.
Experts also discovered a memory corruption bug (CVE-2015-2387) in the Adobe Type Manager font driver (ATMFD.DLL). The flaw is a local privilege escalation: chained with a browser exploit, it lets attackers escape the sandbox and take complete control of a vulnerable system. According to Microsoft, the vulnerability was exploited in limited, targeted attacks.
As the days passed, experts from several security firms discovered new exploits in Hacking Team’s arsenal.
One of the zero-day vulnerabilities is the Jscript9 Memory Corruption Vulnerability (CVE-2015-2419) identified by researchers at Vectra Networks. The flaw affects Internet Explorer 11 and can be exploited to gain complete control over a vulnerable system.
Analysis of the archive revealed further surprises. Adobe’s advisory credits Dhanesh Kizhakkinan of FireEye for reporting CVE-2015-5122 and Peter Pi of Trend Micro for reporting CVE-2015-5123, both found in the leaked data.
CVE-2015-5123 has a PoC similar to the one released immediately before it (CVE-2015-5122), but at the time of discovery it had not yet been added to the arsenal of any active exploit kit. This new zero-day affects Adobe Flash Player up to version 18.0.0.204.
Unlike the previously reported zero-days, which abused ByteArray (CVE-2015-5119) and TextLine/DisplayObject (CVE-2015-5122) objects, this vulnerability involves the BitmapData object.
The vulnerability can be triggered with the following steps:
- From a new BitmapData object, prepare two Array objects and two new MyClass objects, and assign a MyClass object to each Array.
- Override the valueOf function of MyClass, then call BitmapData.paletteMap with the two Array objects as parameters; paletteMap invokes the overridden valueOf while it converts the array elements to numbers.
- Inside valueOf, call BitmapData.dispose() to release the underlying memory of the BitmapData object while paletteMap is still working on it; the stale write into freed memory crashes Flash Player (or, with a prepared heap layout, corrupts whatever object now occupies that memory).
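The trigger sequence above is a re-entrancy use-after-free: a native method captures a raw pointer to the pixel buffer, then performs script-visible type coercion, and the script run by that coercion frees the buffer. The following is an added example, not code from the leak or from Trend Micro’s analysis, that models the pattern in JavaScript (ActionScript 3 and JavaScript share the valueOf coercion hook, and Node.js runs it offline). The Slab allocator, the pixel layout, the paletteMap internals and the “victim” object are assumptions chosen to make the ordering bug observable; the real bug lives in Flash’s native code, not in script.

```javascript
// Added example, not Hacking Team's or Adobe's code. Models the CVE-2015-5123
// trigger: paletteMap takes a raw pointer to BitmapData pixel memory, then
// coerces attacker-controlled array entries, and that coercion runs script
// (valueOf) which frees the memory. Slab, pixel layout and "victim" are
// assumptions so the whole thing runs under Node.js.

// Fixed-size slab standing in for the Flash heap. Freed slots are handed
// straight back to the next allocation (LIFO), which is what lets the attacker
// place an object of their choosing over the freed pixel buffer.
class Slab {
  constructor(slotBytes, slotCount) {
    this.free = [];
    for (let i = 0; i < slotCount; i++) this.free.push(new Uint8Array(slotBytes));
  }
  alloc() {
    if (this.free.length === 0) throw new Error('slab exhausted');
    return this.free.pop();
  }
  release(buf) {
    this.free.push(buf); // the next alloc() returns exactly this buffer
  }
}

class BitmapData {
  constructor(slab) {
    this.slab = slab;
    this.pixels = slab.alloc();
  }
  dispose() {
    if (this.pixels !== null) {
      this.slab.release(this.pixels);
      this.pixels = null;
    }
  }
  // Coerce array arguments the way an AS3 native would: each element becomes a
  // number, which invokes a user-defined valueOf if one exists.
  static coerce(arr) {
    return Array.from(arr, (v) => Number(v) & 0xff);
  }
  // Vulnerable ordering: pointer first, script-visible coercion afterwards.
  paletteMapVulnerable(redArray, greenArray) {
    const raw = this.pixels; // "native pointer" captured early
    if (raw === null) throw new TypeError('BitmapData already disposed');
    const red = BitmapData.coerce(redArray);     // valueOf can run here...
    const green = BitmapData.coerce(greenArray); // ...and here
    for (let i = 0; i < raw.length; i++) {
      raw[i] = (red[i % red.length] + green[i % green.length]) & 0xff; // stale write
    }
    return raw.length;
  }
  // Hardened ordering: finish every coercion before touching native state,
  // then re-validate that the object is still alive.
  paletteMapHardened(redArray, greenArray) {
    const red = BitmapData.coerce(redArray);
    const green = BitmapData.coerce(greenArray);
    const raw = this.pixels;
    if (raw === null) throw new TypeError('BitmapData disposed during argument conversion');
    for (let i = 0; i < raw.length; i++) {
      raw[i] = (red[i % red.length] + green[i % green.length]) & 0xff;
    }
    return raw.length;
  }
}

// Attacker side: MyClass.valueOf disposes the bitmap while paletteMap is
// running and immediately reallocates the same slot for an object the attacker
// wants corrupted (the "victim"), filled with a recognisable 0x41 pattern.
function buildTrigger(slab, bitmap) {
  const victim = { buf: null };
  class MyClass {
    constructor(value) { this.value = value; }
    valueOf() {
      if (bitmap.pixels !== null) { // only the first coercion does the work
        bitmap.dispose();           // free the pixel memory...
        victim.buf = slab.alloc();  // ...and reclaim the very same slot
        victim.buf.fill(0x41);
      }
      return this.value;
    }
  }
  return { redArray: [new MyClass(0x10)], greenArray: [new MyClass(0x20)], victim };
}

// Vulnerable path: returns the victim buffer, now overwritten with
// 0x10 + 0x20 = 0x30 bytes by the stale write.
function runVulnerable() {
  const slab = new Slab(16, 4);
  const bitmap = new BitmapData(slab);
  const t = buildTrigger(slab, bitmap);
  bitmap.paletteMapVulnerable(t.redArray, t.greenArray);
  return t.victim.buf;
}

// Hardened path: returns whether the call was refused and the victim buffer,
// which must still hold its original 0x41 pattern.
function runHardened() {
  const slab = new Slab(16, 4);
  const bitmap = new BitmapData(slab);
  const t = buildTrigger(slab, bitmap);
  let refused = false;
  try {
    bitmap.paletteMapHardened(t.redArray, t.greenArray);
  } catch (e) {
    refused = e instanceof TypeError;
  }
  return { refused, buf: t.victim.buf };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable victim bytes:', Buffer.from(runVulnerable()).toString('hex'));
  console.log('hardened:', runHardened().refused ? 'refused stale write' : 'WROTE');
}
```

The design point is the ordering: any native routine that holds an unowned pointer across a call that can re-enter script has this shape, and the fix is either to complete all coercions before taking the pointer or to hold a reference that keeps the backing memory alive until the routine returns.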
Trend Micro experts are monitoring for active attacks that use the proof-of-concept (PoC) to exploit this vulnerability.
Experts who saw the PoC code predicted that the situation could escalate rapidly in the following days. This new zero-day affects Adobe Flash Player up to version 18.0.0.204.
A Metasploit module was quickly created for the Flash zero-day now identified as CVE-2015-5122, and that exploit was also integrated into several popular exploit kits.
Also in Hacking Team’s arsenal is a UEFI BIOS rootkit, malicious code that gives its spyware persistence even if victims format their hard drive and reinstall the operating system.
“Hacking Team uses a UEFI BIOS rootkit to keep its Remote Control System (RCS) agent installed on its targets’ systems. This means that even if the user formats the hard drive, reinstalls the operating system, and even buys a new hard drive, the agents are not implanted until Microsoft Windows is started,” according to Trend Micro.
The UEFI BIOS rootkit used by Hacking Team was specifically designed to compromise UEFI BIOS firmware from two of the most popular vendors, Insyde and AMI.
Hacking Team explained that attackers need physical access to the target computer in order to install the UEFI BIOS rootkit by flashing the BIOS.
“The Hacking Team presentation claims that a successful infection requires physical access to the target system; however, we cannot rule out the possibility of remote installation. An example attack scenario might be: An intruder gains access to a target computer, reboots into UEFI, dumps the BIOS, installs a BIOS rootkit, reflashes the BIOS, and then reboots the target system,” the post continues.
To prevent this type of attack, Trend Micro recommends:
- Make sure UEFI SecureFlash is enabled
- Update the BIOS whenever there is a security patch
- Set the BIOS or UEFI password
Trend Micro experts who analyzed the stolen data also discovered a bogus news app designed to bypass Google Play’s filtering. The malicious app was downloaded only about 50 times before it was removed from Google Play on July 7.
The app, called “BeNews”, is a backdoor that borrows the name of the defunct news site BeNews.
“We found the source code of the backdoor in the leak, including a document that teaches customers how to use it. Based on this, we believe that Hacking Team provided the app to customers to use as bait to download the RCS Android malware onto the target Android device,” according to a blog post published by TrendMicro.
The backdoor contained in the app is detected as ANDROIDOS_HTBENEWS.A and affects Android versions from 2.2 (Froyo) to 4.4.4 (KitKat). To gain root it exploits CVE-2014-3153, a local privilege escalation flaw in the Linux kernel’s futex code.
“Looking at the routines of the app, we believe that the app can bypass the Google Play restrictions using dynamic loading technology. Initially, it requires only three permissions and can be considered safe according to Google security standards, as no exploits can be found in the application. However, dynamic loading technology allows an application to download and run a piece of code from the Internet. It doesn’t load the code when Google verifies the app, but sends the code later once the victim starts using it.” The post continued.
The leaked archive also included detailed instructions telling Hacking Team clients how to deploy and operate the backdoor. The exploits recovered from the dump are summarized in the table below:
| CVE | Affected software | Description |
|---|---|---|
| CVE-2015-0349 | Adobe Flash Player | Use-after-free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0351, CVE-2015-0358, and CVE-2015-3039. |
| CVE-2015-5119 | Adobe Flash Player | Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015. |
| CVE-2015-2387 | Windows kernel (ATMFD.DLL) | ATMFD.DLL in the Adobe Type Manager Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, aka “ATMFD.DLL Memory Corruption Vulnerability.” |
| CVE-2015-2419 | Microsoft Internet Explorer | JScript 9 in Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “JScript9 Memory Corruption Vulnerability.” |
| CVE-2015-5122 | Adobe Flash Player | Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that leverages improper handling of the opaqueBackground property, as exploited in the wild in July 2015. |
| CVE-2015-5123 | Adobe Flash Player | Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015. |
| CVE-2014-3153 | Linux kernel (exploited to target Android systems) | The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification. |
| (no CVE) | UEFI BIOS rootkit (Insyde and AMI firmware) | Firmware-level persistence for the RCS agent that survives disk formatting and OS reinstallation; see above. |
Hacking Team Flash zero-day exploits used in the wild
While major security firms were still analyzing the leaked exploit code, cyber criminals were already incorporating it into major crimeware suites, including Angler EK and Neutrino EK.
“This is one of the fastest documented cases of instant weaponization in the wild, possibly due to the detailed instructions left behind by Hacking Team,” Malwarebytes reported, referring to the inclusion of the exploit code in Neutrino EK.
The blog “Malware Don’t Need Coffee” also reported that Angler EK and Nuclear EK contained exploits for the vulnerabilities targeted by Hacking Team’s code within a few days of the hack.
Angler and Neutrino were the first crimeware suites updated to include the new exploits; the attack scenario requires planting the exploit on a compromised website so that visitors are infected through the Adobe Flash flaw and arbitrary malicious code runs on the target computer.
Security researchers have discovered other cases of the Hacking Team exploits being used in the wild; for example, Trend Micro experts found this particular zero-day exploit used in cyber attacks against targets in South Korea and Japan.
“In late June, we learned that a user in Korea was the tentative target of various exploits, including CVE-2014-0497, a Flash vulnerability discovered last year. Traffic logs indicate that the user may have received phishing emails with attached documents. These documents contained a URL that the user can visit; this URL led to a website hosted in the United States that contained a Flash exploit, detected as SWF_EXPLOYT.YYKI. This particular exploit targets an Adobe zero-day vulnerability that was exposed during the Hacking Team leak. We noticed that this exploit was downloaded to the user’s computer several times per week,” Trend Micro wrote.
“We also found that the domain that hosted the exploit code was visited by other users. While many of these users were also in Korea, one of them was located in Japan. This activity started as early as June 22. We cannot confirm that they too have been subject to attack attempts, but it is likely.”
The researchers confirmed that the zero-day exploit code they analyzed was very similar to the exploit code contained in the Hacking Team Package. This circumstance suggests that the attackers had access to hacking tools offered by Hacking Team.
“We believe this attack was generated by Hacking Team’s attack package and code,” according to Trend Micro.
Despite Adobe quickly patching the bugs, according to security firm Volexity some of the Adobe Flash Player exploits have been used by advanced persistent threat (APT) groups, including China’s Wekby APT (aka APT 18, Dynamite Panda and TG-0416).
Volexity experts confirmed that the Flash Player exploit has been used in a number of cyber attacks by both APTs and common criminal groups.
“The exploit has since been added to the Angler Exploit Kit and integrated into Metasploit. But not to be outdone, APT attackers have also started using the exploit in targeted spear phishing attacks,” according to a blog post published by the company.
Experts believe the Wekby group is the APT that hacked Community Health Systems and stole 4.5 million patient records by exploiting the Heartbleed vulnerability.
Wekby APT sent victims phishing messages titled “Important: Flash Update”, exploiting the news of the Flash Player zero-day patch release as a lure.
The campaign was launched to compromise victims’ systems and serve the Gh0st RAT. Experts noted that the C&C used by the Wekby group is located in Singapore and has already been used by the same threat actor in the past.
The malicious messages were sent using a spoofed Adobe email address and contained a link apparently pointing to an official Adobe download domain, which linked to a domain set up to serve a SWF file created to exploit CVE-2015-5119.
The tags found by experts in the SWF file indicate that the code for the Adobe exploits is the same that was leaked in the Hacking Team hack.
At the time of writing, a warning obtained by The Daily Beast says that Russian hackers are now targeting Pentagon systems, “U.S. government agencies and private sector companies”, exploiting one of the Adobe Flash flaws revealed by the Hacking Team hack.
Who is behind the attack?
It is not yet possible to attribute the attack to a specific threat actor, and many hypotheses are circulating on the Internet. I want to start with a statement by David Vincenzetti, CEO of Hacking Team, published in the Italian newspaper La Stampa.
“Given its complexity, I think the attack must have been carried out at the government level or by someone with huge financial resources,” David Vincenzetti said.
He did not speculate on who it might have been, but his statement points to a state-sponsored hacking group.
Recall that a similar incident occurred last year when the hacker group “PhineasFisher” attacked the controversial surveillance technology company Gamma International. The attackers claimed to have successfully infiltrated Gamma International’s network and leaked 40GB of internal data, including details on the spread of the FinFisher surveillance system.
The same hacker has now claimed responsibility for hacking Hacking Team, according to MotherBoard.
“I reached out to the hacker on Sunday night while he was in control of the Hacking Team Twitter account via @hackingteam direct message. At first, PhineasFisher responded with sarcasm, saying he was willing to chat because ‘we got such good publicity from your last story!’, referring to a recent story I wrote about a company CEO claiming to be able to crack the dark web,” wrote Lorenzo Franceschi-Bicchierai. “He then went on to link to the story publicly on Twitter and posted a screenshot of an internal email that linked to my story.
However, he then also claimed to be PhineasFisher. To prove it, he told me he would use the parody account he used to promote the FinFisher hack last year to claim responsibility.
‘I’m the same person behind the hack,’ he told me before going public.”
My personal opinion excludes the involvement of a foreign government. I do not rule out that state-sponsored hackers have compromised Hacking Team’s systems in the past, but this event suggests a different hypothesis to me.
Given the nature of Hacking Team’s activities, a government that had compromised its network would prefer to remain hidden and quietly siphon off sensitive data. I consider an attack led by a competitor or an activist group more realistic.
Hacktivists have long regarded Hacking Team as a bad company responsible for persecution and censorship around the world. I believe one of these collectives penetrated the company repeatedly, exfiltrated gigabytes of data over time, and leaked it online to destroy the reputation of the Italian firm.
How Hacking Team sold products like RCS
Due to the increasing demand for hacking and tracking software worldwide, many security agencies and companies are venturing into reselling hacking and tracking software.
The Remote Control System (RCS) spyware designed by Hacking Team gained popularity in early 2010. To cash in on the reseller network, the Italian security firm “RESI Informatica” entered the picture; this firm appears to have been one of the first RCS resellers and introduced the hacking system to one of the largest ISPs in Tunisia.
One of the largest partners in the reseller network is the Israeli security firm “NICE Systems”. NICE earned about half a million US dollars in one year from reselling Hacking Team’s spyware, and has sold RCS in Asia, Africa, the Middle East and Europe, including Azerbaijan, Uzbekistan, Kuwait, Bahrain, India, Israel and Georgia.
Another partner in the sales network created by Hacking Team is the American multinational AECOM, which offered RCS directly and through its two subsidiaries, “Tech Check” and “Yes Solution”. Internal emails show that AECOM is engaged in the sale of Hacking Team products and earns more than 19 million US dollars from it.
Another major vendor is Cyberpoint International, a US-based surveillance firm that has been selling RCS in the United Arab Emirates and the Middle East.
An updated list of Hacking Team clients shows many active subscriptions, with many countries paying an annual fee. The reseller network is not only made up of companies, but also includes individual partners, dealers and contractors. To get an idea of the scale of Hacking Team’s business, consider the figures extracted from the leaked emails: they refer to 6,550 devices potentially infected with RCS spyware since 2008; Morocco paid for 2,300 malware licenses, Saudi Arabia for 1,250 and the United Arab Emirates for 1,115.
Total revenue from government clients is €40,059,308; the clients documented by internal emails include 23 intelligence agencies, 30 law enforcement agencies and 11 other institutions. Mexico is the company’s primary client by revenue ($6.3 million), followed by Italy ($1.9 million) and Morocco.
The Hacking Team hack is a very big story, and too many aspects are still hidden from the public, for example the company’s relationships with major intelligence agencies, including the Italian one.
Many companies like Hacking Team have been active in the surveillance market for the last decade, and government demand for offensive tools and services is growing like never before. We can’t demonize Hacking Team for legitimate sales; we can argue about whether its behavior is ethical, but anything done in accordance with current laws is not questionable.
I was honestly surprised by the incident and by the state of Hacking Team’s defensive capabilities; what is happening points to serious holes in their infrastructure.
If you ask me whether I think what Hacking Team did is ethical, I can tell you that I don’t think it is ethical to sell hacking tools to governments like Sudan.
Another aspect to consider is the actual damage caused by a data breach at a surveillance company like Hacking Team or Gamma International. Once the hacked company’s tools are exposed, there is a risk that they will be used by criminal crews and intelligence services in their own hacking campaigns, and that is exactly what is happening.
For now, let’s wait for further information from the ongoing investigations.