KUALA LUMPUR, Aug 4 — Citizens and civil advocates may be reeling from the revelations that various governments, including those of Malaysia and Singapore, were using spyware from Milan-based Hacking Team, whose customers also include some of the most repressive regimes in the world.
But just as disturbing is the number of highly-prized exploits Hacking Team used to inject its spyware into devices.
“(This) ranges from a slew of existing exploits against Microsoft’s PowerPoint, Excel and Word. Depending how much was paid, [Hacking Team] was even able to customise the attack vector based on the target scenarios,” F-Secure security advisor for Asia Goh Su Gim told Digital News Asia (DNA) via email.
Adobe’s Flash Player browser plugin had at least three zero-day vulnerabilities that were only discovered after documents from Hacking Team were made available online by unknown hacker(s).
Adobe has since moved to patch two of the vulnerabilities, and is working on patching the third.
However, browser makers such as Mozilla have banned the use of Flash, adding all versions of the plugin – including the most recent release — to the blocklist for its Firefox browser.
“All versions of Adobe’s Flash Player plugin are currently deactivated by default, until Adobe releases an updated version to address known critical security issues,” Mozilla told users in a blog post.
In a Threatpost report, it was also disclosed that Hacking Team had an enterprise developer certificate from Apple, allowing it to build OS X and iOS applications and distribute them internally. Apple has since revoked Hacking Team’s certificate.
“At this point, based on our detection systems, we have seen an increased use of exploits... that contain the zero-day [vulnerabilities] released. It shows how fast hackers will jump on a ‘freebie’ zero-day [exploit] that could affect so many Adobe Flash plugins,” said F-Secure’s Goh.
A zero-day vulnerability is one that the affected vendor does not yet know about and has therefore not developed a patch for.
The exploit ecosystem
The leaked Hacking Team documents have also opened up a window into the nature of exploit sales, how they’re negotiated, and how they’ve been kept in check by cybersecurity protections.
In an extensive feature by Kim Zetter in Wired magazine, based on information revealed in leaked Hacking Team email correspondence, it was reported that in 2014, the Italian company attended the SyScan conference in Singapore for the specific purpose of recruiting exploit developers to work directly for it and bypass the problem of reluctant sellers.
“They also thought it would help them avoid paying middlemen resellers who they felt were inflating prices,” wrote Zetter.
“The strategy worked. Hacking Team met a Malaysian researcher named Eugene Ching, who decided to quit his job with D-crypt’s Xerodaylab and go solo as an exploit developer under the business name Qavar Security.
“Hacking Team signed a one-year contract with Ching for the bargain price of just US$60,000 (RM253,564). He later got a US$20,000 bonus for one exploit he produced, but it was a valuable exploit that... could have sold for US$80,000 alone.
“They (Hacking Team) also got him to agree to a three-year non-compete, non-solicitation clause. All of which suggests Ching didn’t have a clue about the market rates for zero days.
“Ching’s talents weren’t exclusive to Hacking Team, however. He apparently also had a second job with the Singapore Army testing and fixing zero-day exploits the military purchased, according to one email,” the Wired report stated.
Since the breach, Hacking Team has asked its customers to shut down operations, but according to one of the leaked files, as part of Hacking Team’s “crisis procedure,” it could have killed their (customers’) operations remotely.
A report by Lorenzo Franceschi-Bicchierai for Motherboard stated that Hacking Team in fact has “a backdoor” into every customer’s software, giving it the ability to suspend or shut down its spyware — a capability that customers were not told about.
“To make matters worse, every copy of Hacking Team's Galileo software is watermarked, according to the source, which means Hacking Team, and now everyone with access to this data dump, can find out who operates it and who they’re targeting with it,” said the Motherboard report.
F-Secure’s Goh said he was not surprised that such sophisticated and advanced spyware had a “kill switch” in case of a breach.
“Perhaps the kill switch may have been the most important panic button, with the source code available — over time, all the infected devices could gradually point themselves to which governments are spying on them.
“In fact, it (Hacking Team) has moved in very fast, from the moment the dump went public, to inform its customers to kill and remove all remnants of its RCS (Remote Control System), and we have not seen any detection since then,” he said.
Who spies on the spy?
The biggest question for nation-state spyware customers to come out of this incident, observed Goh, is “How much you trust your spyware vendor?”
“If it (Hacking Team) can create spyware for the government, it most likely can spy on how that ‘spying’ mission is going. So the ‘spy-er’ became the ‘spy-ee,’ with a backdoor to your backdoor,” he added.
Goh said that from now on, government and law enforcement agencies would definitely carefully review which spyware contractors they are buying from, and how reliable those contractors are in protecting their (customers’) interests.
“Of course, the more powerful governments may just resort to building their own spyware,” he added.
In mid-July, more than a week after news of the breach first broke, Hacking Team chief executive officer David Vincenzetti issued a statement that “important elements” of the company’s source code were not compromised in this attack, and remain undisclosed and protected.
“We have already isolated our internal systems so that additional data cannot be exfiltrated outside Hacking Team. A totally new internal infrastructure is being build [sic] at this moment to keep our data safe,” Vincenzetti said.
The company also announced that a whole new version of its RCS software is due in the Fall, and played down the significance of the recent breach, claiming that the leaked material is now “obsolete because of [a] universal ability to detect these system elements.”
It remains to be seen how well the company will fare when the new version of its software hits the market, and whether it can ride out the negative exposure sparked by the breach.
Given the high profile nature of the Hacking Team breach and the on-going fallout from the information revealed in the online document dump, DNA asked some security professionals — many of whom had been attending the recent RSA Conference Asia Pacific & Japan (RSAC APJ) 2015 in Singapore — for their take on the longer-term implications for their industry.
Charles Lim, senior industry analyst of the Networking, Information & Cyber Security practice at Frost & Sullivan’s Enterprise ICT unit in Asia Pacific, said that all organisations, including cybersecurity companies themselves, should do a thorough assessment of their security setup.
He said that most solutions in the market currently perform infiltration protection, but from examples such as this, it is also critical to detect and block data exfiltration instances in case a breach occurs.
“We will see more focus in this area, where the paradigm will shift towards preventing consequences — which in this incident, have severe implications for its (Hacking Team’s) clients made up of high-profile regulatory boards across the world.
“Organisations may also look more into assessing the security integrity of their vendors as a best practice before conducting business,” Lim said.
RSA chief technology officer (CTO) Dr Zulfikar Ramzan said that the incident demonstrates how even people with good security can be compromised.
“The folks at Hacking Team understand cybersecurity issues and they were still compromised. It can happen to anyone.
“Part of it has to be that shift away from focusing on detection and being more intelligent about response — I think you can mitigate a lot of the risk that way,” he said.
Jack Chan, security strategist with Fortinet’s FortiGuard Labs, said he believes that in a way, the Hacking Team breach was a good thing for the industry.
“It raises more awareness of what could potentially happen. For example, the dark web is home to a lot of hackers selling malware, and some of them can even guarantee that their malware products can’t be detected.
“It’s become a trade — cybercrime-as-a-service for anyone with the money and motivation to procure,” he added.
RSA’s Ramzan believes the biggest lesson its customers should take from this incident is that it’s not just about defensive capability but mind-set.
“Ultimately, you can’t use yesterday’s mind-set for today’s threat landscape – do that, and you'll have problems tomorrow,” he said.
FireEye CTO Grady Summers said that he wouldn’t defend nor condone the actions of Hacking Team, which has come under criticism for having sold its wares to oppressive regimes around the world.
According to the leaked Hacking Team documents, these regimes include Azerbaijan, Egypt, Ethiopia, Kazakhstan, Nigeria, Oman, Panama, Russia, Saudi Arabia, Sudan, Thailand, Tunisia, Turkey, and Uzbekistan.
“Most of all I feel bad, because you just hate to see anybody in any industry have all their internals exposed, so I am taking a more sympathetic view of the breach,” said Summers.
“It may be fascinating to read but it’s still a crime at the end of the day, and I’d hate to see anybody be a victim of a crime,” he added.
Summers said he believes the people who sell zero-day exploits are now going to be more cautious about it, and that the incident was a reminder to the industry about the need to ‘eat their own dog food’ and practise safe security.
“As this stuff comes more to light about the zero-day market, you start wondering about regulation. There are already some who are calling for it to be regulated the same way the sales of firearms are, which I think is ridiculous.
“Unlike arms manufacturing, zero-days can be dropped from anywhere in the world and are difficult to regulate the same way,” he added.
Blue Coat Systems is no stranger to the type of controversies which have plagued Hacking Team.
On March 12, 2013, Reporters Without Borders named the company as one of five ‘Corporate Enemies of the Internet’ and “digital era mercenaries” for selling products that have been or are being used by governments to violate human rights and suppress freedom of information.
Asked for his take on the Hacking Team incident, Blue Coat CTO Dr Hugh Thompson said that such incidents have fallen into a predictable pattern, with the Hacking Team breach the latest to emerge.
“It’s amazing how many times in this industry an event has happened that we have said – at the time of the event – that ‘all of time will be demarcated from this point, everything will be post-this and pre-that, that’s how important this event was.’
“We’ve had event, after event, after event...” he said.
Thompson pointed out that previously, one just had to worry about cybercriminals, who were predictable — they would go after higher-value targets versus companies with no value, and “they’re just bored on the weekends.”
Such cybercriminals are profit-driven and logical — and that’s why financial institutions have naturally been the biggest investors in security.
“I’d say that there’s a couple of things that have changed in the last few years, and this attack is an example of it,” said Thompson.
“The first is the introduction of a very different set of threat actors. Since the introduction and rapid growth of hacktivism and nation-state attacks, it’s completely thrown the world on its head in terms of targeting — it’s very difficult to predict who’ll be targeted now.
“The heads of security of water purification plants never had to worry about cybercriminals — they were okay with their firewalls in place... but then suddenly, you have a group of people very interested in what you’re doing,” he added.
Thompson said that there has also been “a couple of weird breaches” that buck the trend, pointing to a rising number of healthcare companies that have been targeted in the past six months.
“Now, that’s a harder type of data to monetise versus credit card information, which has a healthy market.
“But healthcare data... possesses two unique properties: The first is that the data is going to be as important five years from now as it is today, unlike credit card accounts that can get deactivated.
“The other thing is that this data lends itself well to an extortion model, which would be the most logical way to monetise it, via the use of sophisticated ransomware.
“Now that’s the really interesting yet disturbing trend, because you can sit on that data while you build up the infrastructure you need to monetise it, and that data will still be valid three years from now,” he added. — Digital News Asia