In Brief: As a result of a hack at Hacking Team, and the subsequent disclosure of nearly 400 GB of documents and tools, a new zero day targeting all versions of Adobe Flash has been reported in the wild.
Last Sunday, the firm known as Hacking Team was breached. Amid the 400 GB of company data disclosed from the controversial Italian company were some zero days. These include two Adobe Flash zero days and a Windows kernel zero day. One of the Flash zero days is what Hacking Team described in an internal document as “the most beautiful Flash bug for the last four years.”
Adobe has issued a security bulletin for CVE-2015-5119, which affects Windows, Linux, and Apple products. Successful exploitation can cause a crash and potentially give an attacker remote access to the affected machine.
Adobe has said it is working on an emergency patch, which could come as early as today.
Trend Micro has identified the ransomware Cryptowall 3.0 as one of the payloads being delivered through this zero day. This is malware that encrypts your entire hard drive, locking the user out of every file until they pay for the encryption key. In the last year, the FBI’s Internet Crime Complaint Center (IC3) has recorded nearly one thousand cases of Cryptowall 3.0, with losses estimated at around $18 million.
Given the detailed instructions provided by Hacking Team, a weaponized version of the Flash Zero Day is, not surprisingly, already in the wild.
An immediate workaround is to stop using Flash. Brian Krebs, of KrebsOnSecurity, recently went a month without Flash and experienced few problems with websites. NoScript, a plugin for Mozilla Firefox, will also block Flash content.
Another Flash Player vulnerability disclosed in the Hacking Team breach, CVE-2015-0349, has already been patched.
Hacking Team provided both offensive and defensive software to governments around the world. The company apparently aided repressive regimes in spying on dissident groups, despite public statements to the contrary. One of its customers is Sudan, which is currently under a UN embargo.
Hacking Team developed tools such as the “legal” spyware tool known as Remote Control System, or RCS for short, marketed under the brand name Galileo. SecureList published details about this tool last year. Motherboard reports that the RCS software is watermarked, so everyone with access to the Hacking Team data dump can now find out who operates it and whom they are targeting with it. Hacking Team has asked its customers to stop using the product.
Various sources have identified Phineas Fisher as responsible for the attack on Hacking Team. Phineas Fisher has been associated with an attack on Gamma, the creator of the FinFisher spyware. Phineas Fisher said on his Twitter account that he would explain how he attacked Hacking Team “once they’ve had some time to fail at figuring out what happened and go out of business.”