Hacking Team Adobe Flash Zero-Day Exploited By Money-Hungry Criminals - Forbes
In recent years, crypto luminary Bruce Schneier has noted that today’s surveillance tools are tomorrow’s cybercriminal playthings. Hacking Team has offered proof of that, as one of its zero-days – unpatched and previously-unknown software vulnerabilities – is being exploited by crooks.
The Adobe Flash zero-day uncovered in the trove of 415GB data leaked by the Hacking Team hacker has been packaged into “exploit kits”. Such kits are sold for as much as $15,000 and are used to launch attack code on web users’ PCs or phones as they peruse the internet. Two of the most popular kits, Angler and Neutrino, have adopted the Flash flaw. Anyone who visits a site or opens a file in which the exploit kits are hidden risks being infected with malware and having their data stolen, as Adobe has not yet provided a patch.
The software giant said it was aware of the issue, affecting Flash across Windows, Macintosh and Linux, noting that “successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system”. It expects to fix the issue today, according to an advisory.
Researchers from security company Trend Micro said the CryptoWall 3.0 ransomware, which locks victims’ computers and demands money to relinquish control of the machine, was being spread by the Angler kit’s Adobe exploit. Independent researcher Kafeine said the addition of the exploit into criminal caches took just a “matter of hours”.
Hacking Team was particularly proud of its Flash flaw, claiming in the ‘readme’ file for the vulnerability it was “the most beautiful Flash bug for the last four years”. But the Computer Emergency Response Team (CERT) at Carnegie Mellon’s Software Engineering Institute didn’t give it a 10 out of 10 vulnerability rating, instead giving it a moderate-to-severe rating of 7.5.
Hacking Team was particularly proud of its Adobe Flash exploit
The CERT recommended users disable Flash in their browser or enable Click-to-Play features so exploits can’t be launched without user interaction.
The Adobe vulnerability is thus far the only confirmed zero-day from the Hacking Team files, though Google researcher Tavis Ormandy found an exploit for anti-virus software from ESET. Ormandy recently detailed his discovery of a zero-day in ESET, which was subsequently fixed by the firm.
Google researcher Tavis Ormandy finds possible ESET anti-virus exploit in Hacking Team files.
Other files indicated Hacking Team was trying to find ways of exploiting most commonly-used operating systems, including Windows, Linux, Mac OS X, iOS and Android. In particular, the Italian government contractor appeared to be trying out backdoors in the Newsstand application for iOS and attacks on a large range of Android phones, including Samsung Galaxy and Google Nexus devices.
Unlike many other vulnerability hunters, Hacking Team doesn’t disclose its findings to the vendors, leaving it open to criticism that it is failing to help protect users of popular software, even though it has the knowledge and the power to help.