Leaks open up window on zero-day and cybercrime-as-a-service markets
What happens when spyware makers spy on their own customers?
CITIZENS and civil advocates may be reeling from the revelations that various governments, including those of Malaysia and Singapore, were using spyware from Milan-based Hacking Team, whose customers also include some of the most repressive regimes in the world.
But just as disturbing is the number of highly-prized exploits Hacking Team used to inject its spyware into devices.
“[This] ranges from a slew of existing exploits against Microsoft’s PowerPoint, Excel and Word. Depending on how much was paid, [Hacking Team] was even able to customise the attack vector based on the target scenarios,” F-Secure security advisor for Asia Goh Su Gim told Digital News Asia (DNA) via email.
Adobe’s Flash Player browser plugin had at least three zero-day vulnerabilities that were only discovered after documents from Hacking Team were made available online by unknown hacker(s).
Adobe has since moved to patch two of the vulnerabilities, and is working on patching the third.
Browser makers have also reacted: Mozilla has blocked the Flash plugin outright, adding all versions – including the most recent release – to the blocklist for its Firefox browser.
“All versions of Adobe’s Flash Player plugin are currently deactivated by default, until Adobe releases an updated version to address known critical security issues,” Mozilla told users in a blog post.
In a Threatpost report, it was also disclosed that Hacking Team had an enterprise developer certificate from Apple, allowing it to build OS X and iOS applications and distribute them internally. Apple has since revoked Hacking Team’s certificate.
“At this point, based on our detection systems, we have seen an increased use of exploits … that contain the zero-day [vulnerabilities] released. It shows how fast hackers will jump on a ‘freebie’ zero-day [exploit] that could affect so many Adobe Flash plugins,” said F-Secure’s Goh.
A zero-day vulnerability is one that the affected software’s vendor is unaware of, and for which it has therefore not developed a patch.
The exploit ecosystem
The leaked Hacking Team documents have also opened up a window into the nature of exploit sales: how they are negotiated, and how cybersecurity protections have kept them in check.
In an extensive feature by Kim Zetter in Wired magazine, based on information revealed in leaked Hacking Team email correspondence, it was reported that in 2014 the Italian company attended the SyScan conference in Singapore for the specific purpose of recruiting exploit developers to work directly for it, bypassing the problem of reluctant sellers.
“They also thought it would help them avoid paying middlemen resellers who they felt were inflating prices,” wrote Zetter.
“The strategy worked. Hacking Team met a Malaysian researcher named Eugene Ching, who decided to quit his job with D-crypt’s Xerodaylab and go solo as an exploit developer under the business name Qavar Security.
“Hacking Team signed a one-year contract with Ching for the bargain price of just US$60,000. He later got a US$20,000 bonus for one exploit he produced, but it was a valuable exploit that … could have sold for US$80,000 alone.
“They [Hacking Team] also got him to agree to a three-year non-compete, non-solicitation clause. All of which suggests Ching didn’t have a clue about the market rates for zero days.
“Ching’s talents weren’t exclusive to Hacking Team, however. He apparently also had a second job with the Singapore Army testing and fixing zero-day exploits the military purchased, according to one email,” the Wired report stated.
Since the breach, Hacking Team has asked its customers to shut down operations. But according to one of the leaked files, as part of Hacking Team’s ‘crisis procedure,’ it could have killed its customers’ operations remotely itself.
A report by Lorenzo Franceschi-Bicchierai for Motherboard stated that Hacking Team in fact has “a backdoor” into every customer’s software, giving it the ability to suspend or shut down its spyware – a capability that customers were not told about.
“To make matters worse, every copy of Hacking Team's Galileo software is watermarked, according to the source, which means Hacking Team, and now everyone with access to this data dump, can find out who operates it and who they’re targeting with it,” said the Motherboard report.
F-Secure’s Goh said he was not surprised that such sophisticated and advanced spyware had a ‘kill switch’ in case of a breach.
“Perhaps the kill switch may have been the most important panic button, with the source code available – over time, all the infected devices could gradually point themselves to which governments are spying on them.
“In fact, it [Hacking Team] has moved in very fast, from the moment the dump went public, to inform its customers to kill and remove all remnants of its RCS (Remote Control System), and we have not seen any detection since then,” he said.
Who spies on the spy?
The biggest question for nation-state spyware customers to come out of this incident, observed Goh, is ‘How much do you trust your spyware vendor?’
“If it [Hacking Team] can create spyware for the government, it most likely can spy on how that ‘spying’ mission is going. So the ‘spy-er’ became the ‘spy-ee,’ with a backdoor to your backdoor,” he added.
Goh said that from now on, government and law enforcement agencies would carefully review which spyware contractors they buy from, and how reliable those contractors are in protecting their customers’ interests.
“Of course, the more powerful governments may just resort to building their own spyware,” he added.
In mid-July, more than a week after news of the breach first broke, Hacking Team chief executive officer David Vincenzetti issued a statement that “important elements” of the company’s source code were not compromised in this attack, and remain undisclosed and protected.
“We have already isolated our internal systems so that additional data cannot be exfiltrated outside Hacking Team. A totally new internal infrastructure is being build [sic] at this moment to keep our data safe,” Vincenzetti said.
The company also announced that a whole new version of its RCS software is due in the Fall, and played down the significance of the breach, claiming that the leaked material is now “obsolete because of [a] universal ability to detect these system elements.”
It remains to be seen how well the company will fare when the new version of its software hits the market, and whether it can ride out the negative exposure sparked by the breach.