Hacking Team Data Leak: Software Vendors Release Fixes; Others Comb Through Emails
This week, Adobe, Oracle and Microsoft patched for several critical vulnerabilities found in the 400GB dump of Hacking Team’s intellectual property and proprietary exploit code that some researchers are still combing through.
On Tuesday, Adobe patched for Flash Player critical vulnerabilities CVE-201-5122 and CVE 2015-5123 in version 18.104.22.168 that could crash and allow an attacker to take control of an affected system. Last week, Adobe released a security update for CVE-2015-5119, another Flash vulnerability found in the Hacking Team data.
On Monday, Mozilla temporarily blocked all versions of the Flash Player plugin up to version 22.214.171.124 on Windows by default as an extra security precaution, and went back to supporting it after a fix was released the following day. Facebook’s Chief Security Officer Alex Stamos also tweeted his stance on Flash:
It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.— Alex Stamos (@alexstamos) July 12, 2015
While updates have addressed known Flash vulnerabilities so far, there’s no telling what else may be discovered. Brian Krebs of KrebsonSecurity.com penned an article, A Month Without Adobe Flash Player, detailing just that. I can’t recall how long ago I uninstalled and disabled Flash in my browser and computer, but I haven’t missed it. Axing the anxiety from having it was well worth the tradeoff.
According to eWeek.com, Oracle also fixed 193 unique CVEs in July, including CVE-2015-2590, a zero-day flaw in Java from the Hacking Team breach. The CVE was being actively exploited in a phishing email campaign that linked to data-stealing malware. Oracle has released a patch to address this issue as well as 24 other Java vulnerabilities.
And yet another critical memory corruption vulnerability affects Microsoft’s Internet Explorer (IE) 11 browser, CVE-2015-2425, which was also revealed in the Hacking Team breach. Microsoft also released a patch on Tuesday to fix 28 bugs in IE.
While software vendors work to release updates for the vulnerabilities, Wikileaks has released a searchable database of Hacking Team’s emails, citing that the “internal emails show the inner workings of the controversial global surveillance industry.”
ZDNet.com reports that the FBI communicated with the company to track down a target that was using Tor, the anonymous network. An email reveals an FBI agent asking if the latest version of their Remote Control System (RCS) tool could reveal the true IP address of a target using Tor. The FBI agent also mentioned potentially using a phishing email sent with a document or PDF attachment to hopefully install the scout.
It’s revealed that Hacking Team would also target individuals on behalf of clients - including security researchers, journalists and human rights activists.
I suppose this is all a good reminder that exploit tactics can and are used by all types of groups - criminal, financial-seeking, and even national security and law enforcement agencies.