Mitigating Effects of the Hacking Team Fallout
The effects of the Hacking Team hack are still being felt, but some are trying to help organizations do some damage control and look for signs of infection from their spyware. Researchers at Rook Security and Facebook have released tools that can help detect the malware on your systems, according to Threatpost.
Indianapolis-based Rook Security has designed a free scanning tool called Milano to search for hashes of known Hacking Team files. In an effort to ensure full transparency, the company released the tool’s source code on GitHub. This is the first tool they’ve released to the public for free.
The company has also provided a pretty detailed malware analysis of the Hacking Team data dump. One malicious app targeting Windows users aims to obtain data from a compromised system, with a long list of capabilities, from keylogging to Skype recording to obtaining browser history and clipboard content, and more. Hacking Team’s Remote Control Access tool also contains components that can hide itself on a hard drive and install malicious apps as root on devices.
Facebook also released an update for its osquery tool. The company now offers query packs that can help network security monitoring by allowing you to group queries by function or problem domain into easily downloadable and updatable files, also available on GitHub.
Facebook’s queries in their incident response pack allow you to detect and respond to breaches, collecting attack-related data that indicates exploitation, installation, command and control and lateral movement - all of the basic phases of a typical attack. Basically, if an attacker disables a firewall or installs a hacking tool like keychaindump, which reveals unlocked credentials, Facebook’s query pack will collect the data needed to alert you to these actions.
And yet another query pack, the OS X-attacks pack, can identify known variants of malware, including advanced persistent threats (APT), adware and spyware.
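To illustrate the query-pack idea, here is a constructed osquery pack (an added example, not Facebook’s actual incident-response pack) that groups two of the checks mentioned above, a disabled OS X firewall and a running keychaindump process, into one scheduled file. The tables and columns (alf, processes, users) are osquery’s own; the query names, intervals and minimum version are assumptions.

```json
{
  "platform": "darwin",
  "version": "1.4.5",
  "queries": {
    "alf_disabled": {
      "query": "SELECT global_state, stealth_enabled, logging_enabled FROM alf WHERE global_state = 0;",
      "interval": 300,
      "description": "Constructed example: the Application Layer Firewall (alf) table reports global_state 0 when the firewall has been turned off.",
      "value": "A firewall that was on and is now off is one of the installation-phase signals an incident-response pack looks for."
    },
    "keychaindump_running": {
      "query": "SELECT p.pid, p.name, p.path, p.cmdline, u.username FROM processes p LEFT JOIN users u ON p.uid = u.uid WHERE p.name = 'keychaindump' OR p.path LIKE '%keychaindump%';",
      "interval": 60,
      "description": "Constructed example: flags a running keychaindump process, a tool that recovers unlocked keychain credentials.",
      "value": "Credential dumping belongs to the lateral-movement phase; a hit here should be correlated with the alf_disabled result from the same host."
    }
  }
}
```

Packs like this are referenced from the `packs` section of the osquery configuration; because scheduled queries log differential results by default, each check only produces a line when its result set changes, which is what makes the state change (firewall on, then off) visible.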
Meanwhile, it’s hard to tell when we’ll reach the peak of the Hacking Team crescendo, as the hits keep on coming. Last week, HP’s Zero Day Initiative (their bug bounty program) identified four new zero days in Microsoft’s Internet Explorer that can lead to remote code execution via typical drive-by attacks. That means any user who visits a malicious page or opens a malicious file could be infected by these exploits.
Another topic that deserves far greater discussion than can be had here in this blog is Hacking Team’s purchasing of zero-day vulnerabilities and exploits. Bruce Schneier of Schneier on Security referenced an article on the topic by Vlad Tsyrklevich, who stated that the “Hacking Team’s email archive offers one of the first public customer stories of the market for 0days.”
Basically, these now-public documents reveal the inner workings of a typically very secretive market and feed the long-running debate over the ethics of vulnerability disclosure.
But it wasn’t just sales, some contend - Hacking Team may also have appropriated other publicly available tools to supplement its monitoring software, such as Collin Mulliner’s Android tools for audio capture. According to his blog, some of his original files were found in the Hacking Team dump, and some assumed he had written tools for the company, which was not the case.
Others have dubbed Hacking Team’s Remote Control System (RCS) “the most sophisticated Android malware ever exposed,” revealing that the company delivered its spyware via a fake app hosted on Google Play.
Stay tuned - more is sure to come for the infosec community in the Hacking Team revelations...