The aftermath of the Hacking Team attack raised legitimate questions about the controversial Italian surveillance software vendor’s long-term viability. With reams of sensitive internal data and intellectual property posted online, how could the company survive?
For now, however, the company seems defiant that it will press on. Chief operating officer David Vincenzetti today released a statement that Hacking Team will deliver rebuilt versions of its internal infrastructure and Remote Control System product to replace intellectual property that was dumped online more than a week ago after an earlier breach.
“We have already isolated our internal systems so that additional data cannot be exfiltrated outside HackingTeam,” Vincenzetti said. “A totally new internal infrastructure is being [built] at this moment to keep our data safe. Of course, our top priority here has been to develop an update to allow our clients to quickly secure their current surveillance infrastructure. We expect to deliver this update immediately. This update will secure once again the ‘Galileo’ version of Remote Control System.”
Vincenzetti said that version 10 of RCS will be available in the fall; RCS is the monitoring system sold to law enforcement and governments worldwide. Despite company policy stating the contrary, invoices and sales receipts found in the post-breach data dump show that Hacking Team sold RCS to sanctioned countries run by oppressive governments, such as Sudan and Ethiopia. Hacking Team said it has ended its business relationships with these countries.
“This is a total replacement for the existing ‘Galileo’ system, not simply an update,” Vincenzetti said. “Of course, it will include new elements to protect systems and data considering the impact of the attack against HackingTeam.”
Today’s announcement comes on the heels of another eventful weekend as the consequences of the breach continue to sort themselves out. Late Friday night, Adobe announced that it would this week patch two more zero-day vulnerabilities found in its Flash Player. CVE-2015-5122 and CVE-2015-5123 were uncovered by FireEye, and by TrendMicro and slipstream/RoL, respectively. Like the first Flash zero-day found almost immediately after the breach, these two are use-after-free vulnerabilities that, when triggered by an exploit, allow attackers to gain control over the machine.
CVE-2015-5122, disclosed to Adobe by FireEye, is an ActionScript 3 opaqueBackground use-after-free bug, while CVE-2015-5123 is a BitmapData use-after-free bug. According to the DHS CERT, both bugs can be exploited by an attacker luring a visitor to a website hosting an exploit.
Exploit kit expert and security researcher Kafeine said the zero-day discovered by FireEye has already been integrated into the Angler Exploit Kit, as well as the Metasploit Framework. The first zero-day uncovered in the hack was also quickly incorporated into popular exploit kits.
A separate privilege escalation zero-day vulnerability in the Windows kernel was also discovered in the Hacking Team breach and has yet to be patched. Microsoft is expected to make its scheduled release of security bulletins tomorrow; it is unknown whether a patch for the kernel bug will be released.
Security company Cybereason, meanwhile, published its analysis of some aspects of what’s been disclosed, noting some comparisons between Hacking Team’s tactics, and those of the APT group behind Flame.
“Flame’s [command and control] server interface mimicked a news and adwords service, offering its ‘customers’ – the term they used to refer to targets – a link to an ‘ad hosting’ server, which then installed the malware,” Cybereason said in its report. “Many of its commands and protocols used news-related jargon to continue to fool detection tools and security analysts, and Hacking Team’s tactics followed the same strategy.”
The company said that targets of Hacking Team’s customers would be phished and redirected to exploit sites or watering hole attacks, where, if the target machine passed certain checks, it would be served a Flash exploit that took over the machine and also delivered an RCS agent. One victim in Egypt, Cybereason said, was running a version of Google’s Chrome browser that had been updated on June 22 and was exploited using a Flash attack six days later.
“This is both important, and amusing, considering Chrome is marketed as the most secure browser for the average user, but they were able to exploit it in a matter of days after the most recent update at the time,” Cybereason said in its report.
Hacking Team, meanwhile, said that some of its system elements exposed in the attack are obsolete because they are now detectable.
“Today we believe it is extremely unlikely that this obsolete code can be used to surveil cell phones, mobile devices or computer communications,” Vincenzetti said. “However, important elements of our source code were not compromised in this attack, and remain undisclosed and protected.”