When Hackers Become Targets
The hacking team hack
On July 6, 2015, unknown hackers posted online source code, internal emails and sensitive data stolen from the systems of the Italian surveillance firm Hacking Team.
The Italian firm has long been the subject of debate because of the hacking solutions and services it offers to governments worldwide. Many experts and privacy advocates argue that the company has sold its products to dictatorial regimes, including Lebanon, Oman, Saudi Arabia, and Sudan. For this reason, Reporters Without Borders listed the company among its "Enemies of the Internet".
Figure 1 – Part of the Hacking Team material leaked online
The stolen data was uploaded to BitTorrent; it includes a huge number of directories containing the source code of the exploits used by the firm in its surveillance software, as well as emails, contracts, invoices, and audio recordings.
Among the software solutions sold by Hacking Team are the Remote Control System (RCS), also known as Galileo, and the Da Vinci backdoor. While the source code was being leaked online, the hackers also took over the company's Twitter account and used it to spread the news of the hack and the availability of the material online.
Figure 2 – Hacking Team Twitter account hacked.
Curiously, one of the emails shared by the hackers is a message from Hacking Team CEO David Vincenzetti sharing news of the hack of their competitor FinFisher, another powerful surveillance suite developed by Gamma Group.
Figure 3 – Hacking Team Internal Email
The internal emails demonstrate that Hacking Team was doing business with oppressive governments.
Experts analyzing the stolen data have started to share details of the documents it includes, such as:
An invoice for 58,000 Euro to Egypt for Hacking Team's RCS Exploit Portal (source: CSO Online).
An email from a person linked to several domains allegedly tied to the Meles Zenawi Foundation (MZF), named after Ethiopia's late Prime Minister. In the email, Biniam Tewolde thanks Hacking Team for its services. It seems Ethiopia paid 1,000,000 Birr (ETB) for Hacking Team's Remote Control System, professional services, and communications equipment.
An invoice of 480,000 Euro shows that Hacking Team did business with Sudan, a country that has also used surveillance software to track and suppress dissidents.
Documents shared by SynAckPwn with Salted Hash on the maintenance agreement status of a number of customers list Russia and Sudan as Hacking Team clients; both are flagged as "Not officially supported".
Figure 4 – Maintenance agreement shared by SynAckPwn with Salted Hash
According to the internal documents leaked by the hackers, Hacking Team has done business with organizations and governments in the following countries:
Egypt, Ethiopia, Morocco, Nigeria, Sudan, Chile, Colombia, Ecuador, Honduras, Mexico, Panama, United States, Azerbaijan, Kazakhstan, Malaysia, Mongolia, Singapore, South Korea, Thailand, Uzbekistan, Vietnam, Australia, Cyprus, Czech Republic, Germany, Hungary, Italy, Luxembourg, Poland, Russia, Spain, Switzerland, Bahrain, Oman, Saudi Arabia, UAE.
Figure 5 – The Twitter account of Christian Pozzi (@christian_pozzi), a representative of the company, also hacked
The aftermath was embarrassing for the company, which, in an attempt to limit the diffusion of its code, spread the news that the leaked material available online was infected.
Hacking Team representative Christian Pozzi claimed that the leaked archive of sensitive internal material contained a virus and invited people not to download it.
Pozzi also denied that Hacking Team had ever sold surveillance malware to "bad states"; instead, he described its products as "custom software solutions".
"No, the torrent contains all of your viruses, which you sell, and which will get patched," replied John Adams, a former security engineer at Twitter, on Twitter.
Motherboard, citing a source close to the company who spoke on condition of anonymity, revealed that Hacking Team asked all its customers to shut down operations and stop using its spyware.
"They're in full on emergency mode," a source with inside knowledge of Hacking Team's operations told Motherboard. Hacking Team notified all its customers on Monday morning with a "blast email" requesting them to shut down all deployments of its Remote Control System software, also known as Galileo, according to multiple sources. The company also did not have access to its email system as of Monday afternoon, Motherboard reported.
One of the internal documents leaked by the hackers reveals the existence of a "crisis procedure" to be activated in case of serious incidents. The procedure includes a remote kill switch for the company platform and spyware, meaning that the company can suspend its backdoors or shut them down remotely.
The situation is becoming more dramatic for the company hour after hour. Another embarrassing detail is that every copy of Hacking Team's Galileo software is watermarked; this means that whoever stole the data can link every instance of the malware to a specific account and customer.
“With access to this data it is possible to link a certain backdoor to a specific customer. Also there appears to be a backdoor in the way the anonymization proxies are managed that allows Hacking Team to shut them off independently from the customer and to retrieve the final IP address that they need to contact,” the source told Motherboard.
The Hacking Team Arsenal
The hack of the Hacking Team firm caused the exposure of 400GB of corporate data, including the source code of its exploits (since mirrored in a GitHub repository). The experts who analyzed the dump released on the Internet discovered a number of zero-day exploits targeting common software such as Adobe Flash Player, Internet Explorer, and the Android OS. Access to zero-day exploits allowed the company to target a large number of users without being noticed.
A first look at the stolen package allowed experts at Trend Micro to identify at least three different exploits, two for Adobe Flash Player and one for the Microsoft Windows kernel.
“The information dump includes at least three exploits – two for Flash Player and one for the Windows kernel. One of the Flash Player vulnerabilities, CVE-2015-0349, has already been patched.” states the post published by Trend Micro.
Hacking Team itself described the second Flash Player exploit as "the most beautiful Flash bug for the last four years"; the flaw was assigned CVE-2015-5119 after its disclosure.
“One of the Flash exploits is described by Hacking Team as “the most beautiful Flash bug for the last four years.” This Flash exploit has not yet been given the CVE number,” continues the post.
Proof-of-concept exploit code for the vulnerability was also included in the cache of internal information leaked by the attackers; given the availability of the PoC source, threat actors worldwide could quickly exploit it in the wild.
The Flash zero-day proof-of-concept (PoC) exploit code worked against the latest version of Adobe Flash Player at the time (version 18.0.0.194) with Internet Explorer. The flaw affects the major browsers, including Internet Explorer, Safari, Firefox and Chrome.
As mentioned, the experts also discovered a memory corruption flaw (CVE-2015-2387) in the Adobe Type Manager Font Driver (ATMFD.DLL). Exploitation of the flaw allows attackers to take complete control of vulnerable systems. According to Microsoft, the vulnerability has been exploited in limited, targeted attacks.
As the days passed, experts from several security firms discovered further exploits in the Hacking Team arsenal.
One of the zero-day vulnerabilities is a JScript9 memory corruption vulnerability (CVE-2015-2419) identified by researchers at Vectra Networks. The flaw affects Internet Explorer 11 and can be exploited to gain complete control of a vulnerable system.
The analysis of the archive revealed further surprises: Adobe credited Dhanesh Kizhakkinan of FireEye for reporting CVE-2015-5122 and Peter Pi of Trend Micro for reporting CVE-2015-5123, both found in the leaked material.
CVE-2015-5123 has a PoC similar to the one released immediately before it (CVE-2015-5122), but it has not yet been added to the arsenal of any active exploit kit. This new zero-day affects Adobe Flash Player up to version 18.0.0.204.
Unlike the previously reported Flash zero-day exploits, it involves the BitmapData object rather than TextLine or ByteArray.
The vulnerability can be triggered by the following steps:
From a new BitmapData object, prepare two Array objects, create two MyClass objects, and assign a MyClass object to each Array.
With the valueOf function of MyClass overridden, call BitmapData.paletteMap with the two Array objects as parameters; BitmapData.paletteMap will trigger the valueOf function when it converts the array elements to numbers.
In the valueOf function, call BitmapData.dispose() to free the underlying memory of the BitmapData object while paletteMap is still using it, thus causing Flash Player to crash.
The experts at Trend Micro are monitoring the proof-of-concept (PoC) for any active attacks that may employ this vulnerability.
Experts who saw the PoC code for the earlier flaw, CVE-2015-5122, predicted that the situation could escalate quickly within days; that zero-day also affects Adobe Flash Player up to version 18.0.0.204.
A Metasploit module that exploits CVE-2015-5122 has already been created, and the exploit has already been integrated into some popular exploit kits.
Currently, the following Exploit Kits have been found exploiting the Flash Player zero-day, now dubbed CVE-2015-5122:
Hacking Team's arsenal also includes a UEFI BIOS rootkit, malicious code that gives its spyware persistence even if the victim formats the hard disk and reinstalls the operating system.
“Hacking Team uses a UEFI BIOS rootkit to keep their Remote Control System (RCS) agent installed in their targets’ systems. This means that even if the user formats the hard disk, reinstalls the OS, and even buys a new hard disk, the agents are implanted after Microsoft Windows is up and running.“ states Trend Micro.
The UEFI BIOS rootkit used by Hacking Team was specifically designed to compromise UEFI BIOS firmware developed by two of the most popular vendors, Insyde and AMI.
Hacking Team's own presentation explains that attackers need physical access to the target machine to install the UEFI BIOS rootkit by flashing the BIOS.
“A Hacking Team slideshow presentation claims that successful infection requires physical access to the target system; however, we can’t rule out the possibility of remote installation. An example attack scenario would be: The intruder gets access to the target computer, reboots into UEFI shell, dumps the BIOS, installs the BIOS rootkit, reflashes the BIOS, and then reboots the target system.” continues the post.
To prevent this kind of attack, Trend Micro recommends:
Make sure UEFI SecureFlash is enabled
Update the BIOS whenever there is a security patch
Set up a BIOS or UEFI password
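Trend Micro's first recommendation is a firmware-level control on BIOS flashing. A related first check a responder makes on a suspect Linux host is whether UEFI Secure Boot is actually enforced, read straight from the firmware variables rather than from a vendor tool. The script below is an added example, not code from the leak or from Trend Micro: it parses the efivarfs representation of the standard SecureBoot and SetupMode variables (EFI_GLOBAL_VARIABLE GUID), and the byte strings at the bottom are constructed samples. Caveat: the answer comes from the firmware itself, so an implant like the one described above can simply report what it likes; only a TPM-measured boot log gives an attestable answer, and Secure Boot state says nothing about whether the SPI flash is write-protected.

```python
"""Read UEFI Secure Boot state from efivarfs, as a responder would on a Linux host.

efivarfs (/sys/firmware/efi/efivars) exposes each UEFI variable as a file:
4 bytes of variable attributes (little-endian uint32) followed by the data.
SecureBoot and SetupMode are 1-byte values in the EFI_GLOBAL_VARIABLE namespace.

Added example; not code from the Hacking Team leak or from Trend Micro.
The sample blobs at the bottom are constructed to exercise the parser.
"""
import struct
from pathlib import Path
from typing import Optional, Tuple

EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs blob into (attributes, data); reject truncated input."""
    if len(raw) < 4:
        raise ValueError("efivar blob shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def secure_boot_status(secureboot_raw: bytes, setupmode_raw: Optional[bytes] = None) -> str:
    """Return 'enabled', 'disabled' or 'setup-mode'.

    SetupMode == 1 means no Platform Key is enrolled, so the firmware cannot
    enforce signature checks no matter what SecureBoot reports.
    """
    _, sb = parse_efivar(secureboot_raw)
    if len(sb) != 1:
        raise ValueError(f"SecureBoot data should be 1 byte, got {len(sb)}")
    if setupmode_raw is not None:
        _, sm = parse_efivar(setupmode_raw)
        if sm[:1] == b"\x01":
            return "setup-mode"
    return "enabled" if sb[0] == 1 else "disabled"


def read_live_status(efivars: Path = EFIVARS) -> str:
    """Read the real variables; 'unavailable' on legacy BIOS or without efivarfs."""
    sb_path = efivars / f"SecureBoot-{EFI_GLOBAL_VARIABLE}"
    if not sb_path.exists():
        return "unavailable"
    sm_path = efivars / f"SetupMode-{EFI_GLOBAL_VARIABLE}"
    sm_raw = sm_path.read_bytes() if sm_path.exists() else None
    return secure_boot_status(sb_path.read_bytes(), sm_raw)


# Constructed samples; attributes 0x06 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS.
SAMPLE_ENFORCED = (b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00")
SAMPLE_DISABLED = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x00")
SAMPLE_SETUP_MODE = (b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x01")

if __name__ == "__main__":
    samples = {"enforced": SAMPLE_ENFORCED, "disabled": SAMPLE_DISABLED,
               "setup mode": SAMPLE_SETUP_MODE}
    for name, (sb, sm) in samples.items():
        print(f"sample {name:<10} -> {secure_boot_status(sb, sm)}")
    print(f"this host          -> {read_live_status()}")
```

A host reporting "disabled" or "setup-mode" will boot an unsigned or tampered bootloader without complaint; "enabled" is necessary but not sufficient, because a DXE driver already resident in the flash runs before any signature check on the bootloader takes place.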
Experts at Trend Micro analyzing the stolen data also discovered a fake news app designed to circumvent Google Play's filtering. The malicious app was downloaded only 50 times before being removed from Google Play on July 7.
The app, called "BeNews", is a backdoor that borrows the name of the now-defunct news site Benews.
"We found the backdoor's source code in the leak, including a document that teaches customers how to use it. Based on these, we believe that the Hacking Team provided the app to customers to be used as a lure to download RCS Android malware on a target's Android device," states the blog post published by Trend Micro.
The backdoor included in the app is detected as "ANDROIDOS_HTBENEWS.A" and affects Android devices from version 2.2 (Froyo) to 4.4.4 (KitKat). The backdoor exploits CVE-2014-3153, a local privilege escalation flaw in the Linux kernel's futex subsystem.
Figure 6 – Hacking Team Fake News App
"Looking into the app's routines, we believe the app can circumvent Google Play restrictions by using dynamic loading technology. Initially, it only asks for three permissions and can be deemed safe by Google's security standards, as there are no exploit codes to be found in the app. However, dynamic loading technology allows the app to download and execute a portion of code from the Internet. It will not load the code while Google is verifying the app but will later push the code once the victim starts using it," continues the post.
The leaked dump also includes detailed instructions on how Hacking Team's clients could operate the backdoor:
Figure 7 – BeNews instructions
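The Play-review evasion Trend Micro describes (ship a clean app, fetch the real code later) leaves a static footprint: the classes.dex string table of an app that can do it references dalvik.system.DexClassLoader or a sibling loader next to networking classes. The following is an added example, not BeNews or Trend Micro code, of pulling the DEX string table and scanning it for those indicators; because it has to run offline, it also builds a minimal DEX containing only a string table as constructed sample input (class names such as Lcom/example/benews/MainActivity; are invented for the sample). It decodes only the ASCII/BMP subset of MUTF-8, which is all class descriptors and method names need.

```python
"""Static triage for the dynamic-loading trick: list the DEX string table and
look for class loaders that can execute code fetched after install.

Added example, not BeNews or Trend Micro code. A minimal DEX containing only
a string table is built in memory as constructed sample input; the class
names inside it are invented.

DEX layout used (Dalvik executable format, version 035):
  header[0x38] string_ids_size, header[0x3C] string_ids_off  (uint32 LE)
  string_ids: uint32 offsets to string_data_item
  string_data_item: uleb128 utf16_size, MUTF-8 bytes, NUL terminator
"""
import struct
from typing import Dict, List, Set, Tuple

HEADER_SIZE = 0x70
DEX_MAGIC = b"dex\n035\0"

# Strings that let an app run code it did not ship with, grouped by role.
INDICATORS: Dict[str, Set[str]] = {
    "dynamic class loading": {
        "Ldalvik/system/DexClassLoader;",
        "Ldalvik/system/PathClassLoader;",
        "Ldalvik/system/InMemoryDexClassLoader;",
        "Ldalvik/system/DexFile;",
    },
    "network fetch": {"Ljava/net/URL;", "Ljava/net/HttpURLConnection;", "openConnection"},
    "native code": {"loadLibrary"},
}


def decode_uleb128(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (value, position after the varint)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def encode_uleb128(n: int) -> bytes:
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def dex_strings(dex: bytes) -> List[str]:
    """Every entry of the string table (ASCII/BMP MUTF-8 only, which is all we need)."""
    if dex[:8] != DEX_MAGIC:
        raise ValueError("not a DEX 035 file")
    count, table_off = struct.unpack_from("<II", dex, 0x38)
    out = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        _utf16_len, pos = decode_uleb128(dex, data_off)
        end = dex.index(b"\0", pos)
        out.append(dex[pos:end].decode("utf-8"))
    return out


def scan(dex: bytes) -> Dict[str, List[str]]:
    """Indicator category -> matching strings actually present in the DEX."""
    present = set(dex_strings(dex))
    return {cat: sorted(present & needles)
            for cat, needles in INDICATORS.items() if present & needles}


def can_load_remote_code(dex: bytes) -> bool:
    """True when the app can both fetch bytes and turn them into classes."""
    hits = scan(dex)
    return "dynamic class loading" in hits and "network fetch" in hits


def build_dex(strings: List[str]) -> bytes:
    """Construct a minimal DEX holding only a string table (sample input)."""
    ids_off = HEADER_SIZE
    data_off = ids_off + 4 * len(strings)
    ids, data = bytearray(), bytearray()
    for s in strings:
        ids += struct.pack("<I", data_off + len(data))
        data += encode_uleb128(len(s)) + s.encode("utf-8") + b"\0"
    header = bytearray(HEADER_SIZE)
    header[:8] = DEX_MAGIC
    struct.pack_into("<III", header, 0x20, data_off + len(data), HEADER_SIZE, 0x12345678)
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    return bytes(header + ids + data)


# Constructed samples: a "news" app able to fetch and load a DEX, and a benign one.
SUSPECT_DEX = build_dex(["Lcom/example/benews/MainActivity;", "Landroid/app/Activity;",
                         "Ljava/net/URL;", "openConnection",
                         "Ldalvik/system/DexClassLoader;", "loadClass"])
BENIGN_DEX = build_dex(["Lcom/example/reader/MainActivity;", "Landroid/app/Activity;", "onCreate"])

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT_DEX), ("benign", BENIGN_DEX)):
        print(name, scan(blob), "can_load_remote_code =", can_load_remote_code(blob))
```

The scan is a triage signal, not a verdict: reflection, string obfuscation or a native loader defeats it, and plenty of legitimate apps (plugin frameworks, hot-patchers) load code dynamically. Pair it with a dynamic run that watches for DEX files being written under the app's data directory after install, which is exactly the moment the app described above starts behaving differently from what the reviewer saw.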
CVE | Affected product | Description
CVE-2015-0349 | Adobe Flash Player | Use-after-free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0351, CVE-2015-0358, and CVE-2015-3039.
CVE-2015-5119 | Adobe Flash Player | Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.
CVE-2015-2387 | Windows kernel | ATMFD.DLL in the Adobe Type Manager Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, aka "ATMFD.DLL Memory Corruption Vulnerability."
CVE-2015-2419 | Microsoft Internet Explorer | JScript 9 in Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "JScript9 Memory Corruption Vulnerability."
CVE-2015-5122 | Adobe Flash Player | Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that leverages improper handling of the opaqueBackground property, as exploited in the wild in July 2015.
CVE-2015-5123 | Adobe Flash Player | Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.
CVE-2014-3153 | Linux kernel, exploited to target Android systems | The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification.
(no CVE) | UEFI BIOS rootkit | Persistence implant for Insyde and AMI UEFI BIOS firmware that reinstalls the RCS agent after the OS is reinstalled or the hard disk replaced (see above).
Hacking Team Flash Zero-Day exploits are being used in the wild
While the major security firms were analyzing the code of the exploits leaked online, cyber criminals were already including them in the main crimeware kits, including the Angler EK and Neutrino EK.
"This is one of the fastest documented cases of an immediate weaponization in the wild, possibly thanks to the detailed instructions left by Hacking Team," reported Malwarebytes, referring to the inclusion of the exploit code in the Neutrino EK.
The website "Malware Don't Need Coffee" also reported that, a few days after the hack, Angler EK and Nuclear EK were already including exploits for the new vulnerabilities targeted by the Hacking Team code.
Angler and Neutrino were the first crimeware kits updated to include the new exploits; the attack scenario involves planting the exploit on compromised websites in order to infect visitors by exploiting the Adobe Flash bug and executing arbitrary code on the targeted machine.
Security researchers discovered other cases of Hacking Team exploit code being used in the wild; experts at Trend Micro, for example, discovered that this particular zero-day exploit was used in cyber-attacks on South Korea and Japan.
"In late June, we learned that a user in Korea was the attempted target of various exploits, including CVE-2014-0497, a Flash vulnerability discovered last year. Traffic logs indicate the user may have received spear phishing emails with attached documents. These documents contained a URL for the user to visit; this URL led to a site hosted in the United States that contained a Flash exploit, detected as SWF_EXPLOYT.YYKI. This particular exploit targets the zero-day Adobe vulnerability that was disclosed during the Hacking Team leak. We noticed that this exploit was downloaded to the user's machine several times in a week," wrote Trend Micro.
"We also found that other users had visited the domain that hosted the exploit code. While many of these users were also in Korea, one of them was located in Japan. This activity started as early as June 22. We cannot confirm that they too were the subject of exploit attempts, but this is likely."
The researchers confirmed that the zero-day exploit code they analyzed was very similar to the exploit code included in the Hacking Team package. This suggests that the attackers had access to the hacking tools offered by the Hacking Team firm.
“We believe this attack was generated by Hacking Team’s attack package and code,” states Trend Micro.
Although Adobe promptly patched the flaws, according to security solutions provider Volexity some of the Adobe Flash Player exploits have been leveraged by advanced persistent threat (APT) groups, including the Chinese Wekby APT (aka APT 18, Dynamite Panda and TG-0416).
Experts at Volexity confirmed that the Flash Player exploit has been leveraged in a number of attacks run by APTs as well as by common criminal groups.
"The exploit has since been added into the Angler Exploit Kit and integrated into Metasploit. However, not to be outdone, APT attackers have also started leveraging the exploit in targeted spear phishing attacks as well," reports the blog post published by the company.
The Wekby APT sent spear phishing messages titled "Important: Flash update", exploiting the news of the release of the patch for the Flash Player zero-day.
Figure 8 – Wekby phishing message
The campaign aimed to compromise victims' systems and deliver the Gh0st RAT. Experts noticed that the C&C server used by the Wekby group is located in Singapore and had already been used by the same threat actor in the past.
The Wekby group sent the malicious messages from a spoofed Adobe email address; the messages included a link apparently pointing to the official Adobe download domain but actually leading to a domain set up to serve an SWF file crafted to exploit CVE-2015-5119.
The frame labels found by the experts in the SWF file suggest that the exploit code is the same as that leaked in the Hacking Team hack.
Figure 9 – FrameLabel used in the SWF served by the attackers
At the time of writing, a notice obtained by The Daily Beast warns that Russian hackers are now targeting the Pentagon, "U.S. government agencies and private sector companies" by exploiting one of the Adobe Flash flaws disclosed after the hack of the Hacking Team firm.
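The lure works on two deceptions that can both be checked mechanically: the sender is spoofed, and the link's visible text names the vendor while its href points at the attacker's host. The script below is an added example, not Volexity's or Hacking Team's code; the message is constructed, flash-update.example.net is a hypothetical attacker host on an RFC 2606 reserved domain, and the impersonated domain is adobe.com as in the campaign. It compares the From header's domain with the Return-Path (envelope) domain and flags every anchor whose displayed domain differs from its href's domain.

```python
"""Triage for the 'Important: Flash update' lure: spoofed From address plus a
link whose visible text names the vendor while the href points elsewhere.

Added example, not Volexity's or Hacking Team's code. The message is
constructed; flash-update.example.net is a hypothetical attacker host.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

CONSTRUCTED_EML = b"""Return-Path: <bounce@flash-update.example.net>
Received: from mail.flash-update.example.net ([192.0.2.10]) by mx.victim.example; Wed, 15 Jul 2015 09:12:44 +0000
From: Adobe Systems <no-reply@adobe.com>
To: analyst@victim.example
Subject: Important: Flash update
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body>
<p>A critical security update for Adobe Flash Player is available.</p>
<p><a href="http://flash-update.example.net/get/flashplayer.swf">https://get.adobe.com/flashplayer/</a></p>
<p><a href="http://flash-update.example.net/unsubscribe">Unsubscribe</a></p>
</body></html>
"""

# A domain name, optionally with a scheme, inside an anchor's visible text.
_HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self) -> None:
        super().__init__()
        self.anchors: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); a production tool would consult the PSL."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def mismatched_links(html: str) -> List[Dict[str, object]]:
    """Anchors whose visible text claims a different domain than their href."""
    parser = _Anchors()
    parser.feed(html)
    findings: List[Dict[str, object]] = []
    for href, text in parser.anchors:
        href_host = urlparse(href).hostname or ""
        claim = _HOST_RE.search(text)
        if not claim or not href_host:
            continue  # plain words such as "Unsubscribe" make no domain claim
        shown = claim.group(1)
        if registrable(shown) != registrable(href_host):
            findings.append({"shown": shown, "href_host": href_host, "href": href,
                             "payload_hint": href.lower().endswith(".swf")})
    return findings


def sender_domains(msg) -> Tuple[str, str]:
    """(From header domain, Return-Path / envelope domain)."""
    _, from_addr = parseaddr(str(msg["From"] or ""))
    _, rp_addr = parseaddr(str(msg["Return-Path"] or ""))
    return from_addr.rpartition("@")[2].lower(), rp_addr.rpartition("@")[2].lower()


def analyze(raw: bytes) -> Dict[str, object]:
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    from_dom, rp_dom = sender_domains(msg)
    return {
        "subject": str(msg["Subject"]),
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        # Header and envelope sender disagree: expected for spoofing, but also for
        # legitimate bulk mail, so treat it as a signal and confirm with SPF/DKIM/DMARC.
        "sender_mismatch": registrable(from_dom) != registrable(rp_dom),
        "link_mismatches": mismatched_links(html),
    }


if __name__ == "__main__":
    for key, value in analyze(CONSTRUCTED_EML).items():
        print(f"{key}: {value}")
```

The sender mismatch is only a signal (legitimate bulk mailers routinely use a different envelope domain); the authoritative check is the SPF/DKIM/DMARC verdict the receiving MTA records in its Authentication-Results header. The link check is what catches this lure on its own: the mail client shows get.adobe.com while the browser fetches the SWF from the attacker's host.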
Who is behind the attack?
It is almost impossible to attribute the attack to a specific threat actor, and many hypotheses have been circulating on the Internet. I would like to start with the statement of David Vincenzetti, the CEO of Hacking Team, given to the Italian newspaper La Stampa.
“Given its complexity, I think that the attack must have been carried out at a government level, or by someone who has huge funds at their disposal,” said David Vincenzetti.
He did not speculate on who it might have been, but he pointed to a state-sponsored hacking crew.
Recall that a similar incident occurred last year, when the hacker known as "PhineasFisher" hacked the controversial surveillance technology company Gamma International. The attacker claimed to have infiltrated the network of Gamma International and leaked 40GB of internal data, including details on the diffusion of the surveillance system FinFisher.
The same hacker has now claimed responsibility for the Hacking Team hack, according to Motherboard.
"On Sunday night, I reached out to the hacker while he was in control of Hacking Team's Twitter account via a direct message to @hackingteam. Initially, PhineasFisher responded with sarcasm, saying he was willing to chat because 'we got such good publicity from your last story!', referring to a recent story I wrote about the company's CEO claiming to be able to crack the dark web," wrote Lorenzo Franceschi Bicchierai. "He then went on to reference the story publicly on Twitter, posting a screenshot of an internal email that included the link to my story. Afterwards, however, he also claimed that he was PhineasFisher. To prove it, he told me he would use the parody account he used last year to promote the FinFisher hack to claim responsibility."
"'I am the same person behind that hack,' he told me before coming out publicly."
My personal opinion completely excludes the involvement of a foreign government. I do not exclude that in the past state-sponsored hackers have already compromised the systems at Hacking Team, but this event suggests a different hypothesis to me.
Given the nature of the activities conducted by Hacking Team, I consider it more profitable for a government that compromised its network to remain hidden and siphon sensitive data over time. I consider an attack run by a competitor or a group of activists more realistic.
Hacktivists have always considered Hacking Team a bad company responsible for persecution and censorship worldwide. I believe that one of these collectives infiltrated the company some time ago, exfiltrated gigabytes of data over time and leaked it online to destroy the reputation of the Italian firm.
How Hacking Team was selling products such as RCS
Given the rising demand for hacking and surveillance software worldwide, many security agencies and firms have entered the business of reselling such software.
Hacking Team's spyware, the Remote Control System (RCS), gained popularity around 2010. To profit from a reseller network, the Italian security firm RESI Informatica came into play; it appears to have been one of the earliest resellers of RCS and introduced the system to one of the biggest ISPs in Tunisia.
One of the biggest partners in the reseller network is the Israel-based security firm NICE Systems, which earned about half a million US dollars in one year from reselling Hacking Team's spyware. NICE sold RCS to countries in Asia, Africa, the Middle East and Europe, including Azerbaijan, Uzbekistan, Kuwait, Bahrain, India, Israel and Georgia.
Another partner in the sales network established by Hacking Team is the US-based multinational AECOM, which offered RCS directly and through two subsidiaries, "Technology Control" and "Yes Solutions". Internal emails show that AECOM was engaged in selling Hacking Team's products and earned more than 19 million US dollars from this.
Another big reseller is Cyberpoint International, a US-based surveillance firm that sold RCS in the UAE and the Middle East.
The updated client list of Hacking Team shows many active subscriptions, with many countries paying the annual fee. The reseller network is not only made up of companies; it also includes individual partners, dealers and contractors. To get an idea of the volume of Hacking Team's business, consider the figures derived from the leaked emails: they refer to 6,550 devices potentially infected with RCS spyware since 2008; Morocco paid for 2,300 malware licenses, Saudi Arabia for 1,250 and the United Arab Emirates for 1,115.
Total revenue from government clients amounts to 40,059,308 Euros; among the clients documented in the internal emails there are 23 intelligence agencies, 30 law enforcement agencies and 11 other institutions. Mexico is the company's biggest client by revenue ($6.3 million), followed by Italy ($1.9 million) and Morocco.
Figure 10 – Infographic Security Affairs – Hacking Team by Numbers
The Hacking Team hack is a very big story, and too many aspects are still hidden from the public; think, for example, of the company's relationships with major intelligence agencies, including the Italian one.
Many companies like Hacking Team have operated in the surveillance market over the last decade. Government demand for offensive tools and services is higher than ever. We cannot demonize Hacking Team for legitimate sales; we can argue about whether its behavior is ethical, but what is done in compliance with current law is not legally questionable.
I was sincerely surprised by the incident and by the defensive capabilities shown by Hacking Team; what is happening highlights serious holes in its infrastructure.
If you ask me if I consider what Hacking Team was doing ethical, I can tell you that I don’t consider it ethical to sell hacking tools to Governments like Sudan.
Another aspect to consider is the real damage caused by data breaches affecting surveillance companies like Hacking Team or Gamma International. If the tools of the hacked firm are disclosed, there is a risk that criminal crews and intelligence agencies will use them in their own campaigns, which is exactly what is happening.
At this point, let's wait for more information from the ongoing investigations.