Stolen in a Flash: Zero day exploit taken in Hacking Team breach now in the wild

We’ve all seen the movies: A research lab keeps hazardous biological agents contained in its facilities, where it studies them. Then, somehow, there’s a breach in security and those dangerous substances fall into the hands of terrorists or other bad guys, who use them to wreak havoc.

The virtual-world equivalent of that story is playing out right now and it’s all over the tech news. Hacking Team, an Italian company that provides government and law enforcement agencies world-wide (including in the U.S.) with spying tools was, itself, hacked earlier this month. That must have been embarrassing enough, given that they are used to being on the other end of the intrusion and infiltration equation, but it gets worse.

Hundreds of gigabytes of data were stolen when the company’s servers were attacked and that included a number of spying/surveillance tools and vulnerability exploits that can now be used by the thieves against the rest of us. And that’s not just theoretical; some of those exploits are now being seen in the wild. In particular, an exploit that takes advantage of vulnerabilities in Adobe Flash – which is a frequent target for malware – was almost immediately put to use by attackers.

This particular exploit is being used to deliver such nasty malware as cryptolockers, which can render an infected computer unusable by encrypting everything on the hard drive and then demanding ransom to release the files that are held hostage. The files stolen from Hacking Team reportedly helpfully included detailed instructions for deploying the malicious software.

Since this is a Zero Day exploit, it is important that you update your Flash Player to the latest update as a patch was released yesterday. More information on the update can be found here; https://helpx.adobe.com/security/products/flash-player/apsa15-03.html. Sysadmins using GFI LanGuard to patch their system can already deploy the patch through the software. More information about this can be found here; http://kbase.gfi.com/showarticle.asp?id=KBID004696.

You can also take extra precautions beyond not visiting any web sites where the malware could be surreptitiously downloaded to your computer. The easiest preventative measure is to disable the Flash plug-in in your web browser or set it to play only when you choose to run it.

To disable Flash Player in Chrome, open the Plug-ins page by typing chrome:plugins in the URL address bar. Locate the “Flash” item in the list of plug-ins and click the Disable link beneath the name.  If you don’t want to disable Flash entirely, you can enable the Click-to-Play feature in Settings | Show Advanced Settings | Privacy | Content | Plug-ins. When you select to “Let me choose when to run plugin content,” the browser won’t automatically play Flash content; you’ll have to click the placeholder icon to run it.

To disable Flash in Mozilla Firefox, go to Tools | Addons | Plugins and select Never Activate. Alternatively, you can select Ask to Activate if you want the browser to ask you before running Flash.  Some have reported that even though they change this setting, updates sometimes reset it. Another option with Firefox is to install an extension called Flashblock, which you can find here:
https://addons.mozilla.org/en-US/firefox/addon/flashblock/

To disable Flash in Internet Explorer 10 and 11, click the gear icon in the top right hand corner and select Manage add-ons. In the dialog box, right click on the“Shockwave Flash Object” in the Microsoft Windows Third Party Component section, and then click Disable.

If you want to be able to use Flash on some trusted sites in IE, you can instead turn on ActiveX filtering by clicking the gear icon and then Safety | ActiveX Filtering. Click to put a check mark next to the selection to turn it on. When a site you visit uses Flash, you can click the little blue circular icon at the right side of the address bar to allow Flash to play.

Because this is an exploit with serious consequences have already been identified out there in the wild, it’s important to take steps to protect yourself. Don’t let Hacking Team’s breach cause grief for your organization and users too.

Hacking Team was the subject of controversy before this breach occurred.  It was in the news a while back when its name appeared on a list of “Enemies of the Internet” compiled by an organization of journalists dedicated to freedom of information called Reporters Without Borders, here’s a blog post that provides a map of internet restrictions https://www.comparitech.com/blog/vpn-privacy/internet-censorship-map/. Hacking Team earned this dubious honor because of its DaVinci remote control system that it calls “offensive security” and for selling its products to such countries such as Morocco and the United Arab Emirates. Since the breach, they have been reported to also do business with clients in Saudi Arabia, Lebanon, Kazakhstan, Egypt, Ethiopia, Sudan and other questionable regimes, as well as the U.S., Russia, Switzerland, Spain, Australia and many other countries. DaVinci is designed to break the encryption on emails and other files as well as VoIP protocols such as Skype.

The stolen data was published on Torrent where it was available to the general public. It contained source code for the software, internal documents and email messages, including invoices and other communications with the company’s customers. The perpetrator of the breach is still unknown, but someone also defaced the Hacking Team’s Twitter account.

Update: Since this post was published more vulnerabilities have been found in the Hacking Team data dump. These patches can now be deployed with GFI LanGuard. More information can be found in the GFI Knowledge Base here and here.