Researchers find previously unknown exploits among Hacking Team's leaked files

At least one new exploit for Flash Player has been confirmed

Researchers sifting through 400GB of data recently leaked from Hacking Team, an Italian company that sells computer surveillance software to government agencies from around the world, have already found an exploit for an unpatched vulnerability in Flash Player.

There are also reports of exploits for a vulnerability in Windows and for one in SELinux, a Linux kernel security module that enforces mandatory access control policies. The flaws were reportedly used by the company's customers to silently deploy its software on the computers of surveillance targets.

Hacking Team was incorporated as HT in Milan and develops a computer surveillance program called Remote Control System (RCS), or Galileo. The system is sold to law enforcement and other government agencies from around the world, along with access to computer intrusion tools that are needed to deploy it.

News broke that Hacking Team's network had been compromised on Sunday, when a hacker released 400GB of data stolen from the company's servers, including email communications, source code, client lists, invoices, various server backups and more.

The company has in the past been accused by privacy and human rights groups of selling its software to governments with poor human rights records, which then used it to spy on journalists and political activists. The newly leaked data suggests that the company's customers include government agencies from countries such as Azerbaijan, Bahrain, Egypt, Ethiopia, Kazakhstan, Morocco, Nigeria, Oman, Saudi Arabia and Sudan.

Most antivirus products detect Hacking Team's RCS as malware, but the company actively modifies the program to evade such detection.

The security community had a field day on Monday sifting through the 400GB data dump. They found things like weak passwords stored in plain-text files; key generators and serial numbers for pirated commercial software; the source code for versions of RCS for Windows, Linux, Android, iOS, OS X and other platforms; and internal documents explaining the company's services and prices.

More importantly, some security researchers claim to have found exploits for previously unknown and unpatched vulnerabilities -- so-called zero-day exploits. They suspected that such exploits existed among the files because they are ideal installation vectors for RCS and because the company's own documentation suggested as much.

For example, one document contains details about a service that Hacking Team calls the RCS Exploit Portal.

"HackingTeam combined its expertise in offensive security and software design to build a service that make simple to prepare and use exploits as installation vectors for RCS agents," the document reads.

According to the document, the service contains social engineering exploits, public exploits, private exploits and zero-day exploits, and the company notes that the Exploit Portal always contains at least three zero-day level exploits.

One of the confirmed zero-day exploits found in the data dump affects Flash Player and can be used to infect computers when users visit an attacker-controlled web page in Internet Explorer.

Carsten Eiram, the chief research officer at vulnerability intelligence firm Risk Based Security, tested the exploit and confirmed that it works reliably against the latest version of Flash Player running under Internet Explorer 11 on Windows 7 32-bit.

"We have not been able to get it to run on a fully patched Win 8.1 Pro with Flash installed, but it may just require some tweaking to get around additional protection mechanisms," Eiram said via email.

Adobe is aware of the reported exploit and expects to release an update for Flash Player on Wednesday, an Adobe representative said via email.

There were also reports on Twitter from other security researchers that a zero-day exploit targeting win32k.sys, the kernel-mode driver behind the Windows graphics and windowing subsystem, had been found in the Hacking Team data.

Researchers from antivirus firm Trend Micro said in a blog post that the leaked Hacking Team files contain two exploits for Flash Player, one of which is already known and has been patched, and one exploit for the Windows kernel.

Eiram's team is also looking at a potentially new Windows privilege escalation exploit that might be the same one mentioned in the other reports, but he could not comment beyond that because the issue had not yet been fully investigated or confirmed.

Microsoft did not immediately respond to a request for comment.

Other users reported on Twitter and Reddit that Hacking Team's data also contains an exploit for bypassing SELinux enforcement, but that, too, has yet to be confirmed.

The Hacking Team data leak and its revelations come amid proposed changes to the Wassenaar Arrangement, an international arms control pact, which would restrict the export of exploits and other computer intrusion software.

Lucian Constantin

IDG News Service