Hacking Team 0-Day Shows Widespread Dangers Of All Offense, No Defense
While the Italian surveillance company sells government agencies high-end zero-day proof-of-concept exploits, it secures root systems with the password P4ssword. What's vulnerability commoditization got to do with it?
A critical zero-day vulnerability can fetch a high price on the black market. Or everyone can have it for free, and criminals can pack it into a variety of exploit kits and roll it into the wild. Super-sophisticated spyware may require great skill to develop or lots of cash to buy in the criminal underground. Or, the source code could just show up on BitTorrent, and be good to go with a little customization.
This week's doxing attack and breach of Italian surveillance software company Hacking Team shows just how such things can happen -- a combination of great offense and terrible defense.
The attacker who has now taken responsibility for the Hacking Team breach hasn't revealed his methods yet, but based on what is now known about the company's internal security, bad password practices -- not just by regular users, but by security staff -- likely had something to do with it.
Is this all preventable, or is this to be expected when vulnerabilities are commoditized, and the highest bidders are not the companies whose software needs fixing?
The breach
Milan-based Hacking Team sells highly invasive surveillance software, but only, it says, to governments; specifically to governments that have stayed off the U.S., E.U., U.N., NATO, and ASEAN blacklists. However, internal documents exposed in the breach show that Hacking Team had also sold its products and services to countries with histories of human rights violations, including Sudan, Egypt, Russia, and many others.
The source code for the company's flagship product, Remote Control System, was also among the leaked data. The company told its customers to cease use of the product until further notice.
Also revealed Monday: Hacking Team was discovering and selling software vulnerabilities along with proof-of-concept exploit code. Among them was a critical Adobe Flash vulnerability (with PoC) affecting all versions of Flash running in Internet Explorer, Firefox, Chrome, and Safari on Windows, Mac, and Linux. It was reported to Adobe by Google Project Zero and researcher Morgan Marquis-Boire, and has been assigned CVE-2015-5119.
From vulnerability to exploit
It appears that Hacking Team did sell CVE-2015-5119, because according to Trend Micro research released today, it was used in limited attacks in Japan and Korea before the vulnerability was publicly revealed in this week's breach. Trend Micro first observed the exploit on July 1, but the attacks may have started in late June.
The rest of the world got access to the vulnerability Monday. Jerome Segura, senior security researcher at Malwarebytes Labs, says attackers would normally take a few days to turn a vulnerability into a working exploit.
"This one," he says, "I knew it was going to be faster."
Usually, attackers don't have clear, extensive documentation to help them develop exploits. Yet that is precisely the sort of information Hacking Team provided to its customers, and it was thus leaked to the world along with everything else.
"All the code was there, with instructions," Segura says. "Here it is on a silver platter."
By Tuesday at 3 p.m., Malwarebytes Labs saw code exploiting the vulnerability in the wild, as part of the Neutrino exploit kit. Within minutes it appeared in the Angler, then the Nuclear exploit kits, too.
"Which was very strange," he says. "Almost like the bad guys were working together or they were racing each other." He doesn't believe they were actually working together, because the exploits were different.
Adobe issued an advisory Tuesday, stating that successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.
One of the payloads being spread by exploiting this zero-day is the CryptoWall 3.0 ransomware, according to Trend Micro.
Adobe released a patch today and advises installing it as soon as possible.
Bad defense
How was Hacking Team compromised, allowing this gray-hat tradecraft to emerge? Bad passwords, possibly.
Phineas Fisher has come forth to take responsibility for the attack, but so far he's not sharing details.
However, there is reason to believe that bad passwords, and reuse of them across systems, are partly to blame. According to data exposed in the doxing attack, the company's managing director used the password Passw0rd across every corporate system. And it wasn't just the non-IT staff. Among the root passwords exposed is P4ssword. That is also a popular choice for the company's senior security and systems engineer Christian Pozzi, according to reports that he used the same username/password combination, with the weak password P4ssword, for many accounts stored in Firefox.
"The Hacking Team is composed of hackers and security engineers working for the government. They have access to highly confidential data and they likely have a target on their back," says Darren Guccione, CEO of Keeper Security. "Regardless of whether these passwords were currently in-use or the cause of the breach, reusing the same passwords or using weak passwords is a serious cause for concern for a team of government security experts and hackers."
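The two failure modes described above, dictionary words dressed up with leet-speak substitutions (P4ssword, Passw0rd) and one password reused across many accounts, are both mechanically detectable. The following is an added example written for this page, not code from Hacking Team or from any of the vendors quoted: it normalizes a candidate password back to the base word an attacker's cracking rules would try, checks it against a denylist, and groups accounts in a credential export that share an identical password. The denylist, the minimum length, and the sample credential set are all constructed for the example; the fingerprints in the reuse report are keyed with a per-run random secret so the report itself contains no plaintext.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Assumed policy constant for this example (not a figure from the article).
MIN_LENGTH = 12

# Substitutions attackers already apply in cracking rule sets; undoing them
# turns "P4ssword" and "Passw0rd" back into "password".
LEET_MAP = str.maketrans({
    "4": "a", "@": "a", "0": "o", "1": "i", "!": "i",
    "3": "e", "$": "s", "5": "s", "7": "t",
})

# Constructed denylist; a real check would load a breach-derived corpus.
DENYLIST = {"password", "admin", "root", "letmein", "welcome", "qwerty"}

# Constructed sample export in (account, password) form, as a password
# manager or browser audit might produce. None of these are real accounts.
SAMPLE_CREDENTIALS = [
    ("managing-director", "Passw0rd"),
    ("vpn-portal", "Passw0rd"),
    ("root@host-a", "P4ssword"),
    ("root@host-b", "P4ssword"),
    ("ticket-system", "correct horse battery staple"),
]


def normalize(password):
    """Collapse a password to the base word a rule-based cracker would try.

    Trailing digits and punctuation ("123", "!") are stripped before the
    leet substitutions are undone, so "P4ssw0rd123!" becomes "password".
    """
    base = password.lower().rstrip("0123456789!?.#*")
    return base.translate(LEET_MAP)


def weakness_reasons(password):
    """Return a list of policy violations; an empty list means acceptable."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    base = normalize(password)
    if base in DENYLIST:
        reasons.append("denylisted base word '%s' with trivial substitutions" % base)
    return reasons


def reuse_report(credentials):
    """Group accounts that share an identical password.

    Keys are HMAC-SHA256 fingerprints under a random per-run key, so the
    report can be logged without exposing the passwords themselves.
    """
    key = secrets.token_bytes(32)
    groups = defaultdict(list)
    for account, password in credentials:
        fp = hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        groups[fp].append(account)
    return {fp: accounts for fp, accounts in groups.items() if len(accounts) > 1}


def audit(credentials):
    """Per-account weaknesses plus the reuse groups, as one report."""
    return {
        "weak": {acct: weakness_reasons(pw) for acct, pw in credentials if weakness_reasons(pw)},
        "reused": reuse_report(credentials),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CREDENTIALS)
    for acct, reasons in report["weak"].items():
        print("%s: %s" % (acct, "; ".join(reasons)))
    for fp, accounts in report["reused"].items():
        print("password %s shared by: %s" % (fp, ", ".join(accounts)))
```

Stripping suffixes before undoing substitutions matters: doing it in the other order would turn a trailing "123" into "i2e" and let "P4ssw0rd123!" slip past the denylist.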
Segura says that security experts need to apply the same best practices to the software they put on the market, particularly since it often runs with higher privileges than regular applications.
"We go after malware and we're good at it, but how many of our products are secure? That's a question we have to ask ourselves," he says. "Anti-virus is installed on a lot of machines. That itself is a really nice target. ... We know [attackers] don't like us. But they haven't gone yet to 'we're not going to disable you, we're going to use you.'"
0-Days for Sale
"The case where I have the most concern is the non-disclosure of the zero-day," says Fengmin Gong, founder and CSO of Cyphort. "Not disclosing it responsibly to a vendor ... I think that is a very dangerous precedent."
Gong says vendors are aware they're in competition with criminals for getting their hands on vulnerabilities first, which is why they started paying bug bounties.
Yet, when the good guys get into the business of selling vulnerabilities too, "It's very hard to draw that line of who to sell to," Gong says.
Even if they are ethical about choosing their customers, Gong adds, businesses like Hacking Team cannot be sure their customers will be the only ones to use those products, or whether they'll give them to someone else. "That's why that whole business is a risky proposition to begin with," he says.
[Gong's colleague, Cyphort malware reverse engineer Marion Marschalek, along with Morgan Marquis-Boire, who reported the Flash vulnerability to Adobe, will be presenting a session about the peculiarities of nation-state malware research at Black Hat next month.]
"The market for zero-day vulnerabilities is alive and well and as the Hacking Team breach has revealed is also highly profitable," says Ken Westin, senior security analyst for Tripwire. "As many governments move to try and control malware and offensive security tools, some have been caught with their own hands in the cookie jar, leading many to wonder how and why governments and agencies listed as Hacking Team clients are using these tools and if they are doing so lawfully."
"Governments around the world are focusing their resources on offensive techniques, which means, ironically, they are doing many of the same things as the 'bad guys' -- building malware and surveillance tools similar to spyware," says Mark Kraynak, chief product officer of Imperva. "If anyone is worried about the distribution of malware information represented by this breach, they should remember the 'bad guys' are already using these exploits and doing so much more with them."
Gong points out that it isn't just the zero-day the Hacking Team breach gave to the bad guys; it's also the source code for the Remote Control System surveillance software -- sophisticated spyware. That, he says, will have an impact we've yet to feel. "The underground will easily adopt them."