Analysts Say Hacking Team Breach Creates ‘One-Stop Shop for Badness’
July 21, 2015
An attack on an Italian cyber-security firm is having far-reaching implications, and Microsoft now finds itself on the defensive, patching holes that are letting in the worst kind of malware.
On July 6, a company called Hacking Team, which provides spyware and other surveillance technology to government agencies and law enforcement around the world, ironically could not prevent a team of hackers from invading its own databases. The attackers stole massive amounts of sensitive information, including documents identifying weaknesses in software programs like Internet Explorer, and made all of it public.
“You could say that they got hacked and now the bad guys know how to get the good guys,” said a Wapack Labs analyst who is currently monitoring the situation.
These software weaknesses, called zero-day vulnerabilities, allow hackers (including Hacking Team) to use exploit code to find their way into computers and access private information such as user names and passwords. From there, the hackers can let themselves into the victim’s personal cyberspace, accessing everything from contact lists to credentials for financial accounts to Facebook profiles.
While developing technology to allow its clients in the US, Egypt, Iran and other countries to spy on criminals, political opponents, and ordinary citizens, Hacking Team identified a zero-day vulnerability (one not previously known) in Internet Explorer 11 that opened a door into computers running Windows. When cyber-rogues turned the tables on Hacking Team and slipped into the company’s seemingly secure network, the Internet Explorer vulnerability that Microsoft was apparently unaware of was up for grabs to hackers around the globe.
“It’s one thing for a company to work with governments to help track bad actors through cyberspace,” said a Wapack Labs analyst, “it’s another for one to collect these exploits and become a one-stop shop for badness.”
The IE11 vulnerability has resulted in a particularly insidious type of invasion of Windows computers using remote code execution malware. Once inside a system, remote code execution gives hackers access to the computer and the ability to make changes within the system, no matter where in the world the owner is located.
Remote code execution malware is difficult for users to detect because it circumvents normal security settings, anti-virus and anti-malware programs, and memory protection technologies.
On June 9, Vectra Threat Labs notified Microsoft that the zero-day vulnerability in Internet Explorer was being exploited by hackers using remote code execution malware to victimize Windows users. Five days later, Microsoft released an update, MS15-065, to patch the weak spot, tracked as CVE-2015-2419. But if users aren’t downloading the patch, they face continued threats from hackers taking over their computers.
This recent attack on Microsoft using information stolen from Hacking Team is just the tip of the iceberg. More than 450 GB of data was stolen from the firm, and hackers from every corner of the world are currently sifting through the bounty, looking for vulnerabilities like the one used to attack Internet Explorer. Though Hacking Team purports to be finding holes in software to benefit law enforcement and government agencies, from an economic standpoint the company could profit exponentially if it were to sell its information to both sides of a conflict.
As Wapack Labs analysts continue to monitor the global implications of Hacking Team’s security weaknesses as they unfold, they will be working to determine just whose side Hacking Team is really on. Is the firm selling information about software vulnerabilities to a government, and then offering a heads-up about those vulnerabilities to the parties the government intends to target?
If so, Hacking Team certainly would not be the first high-tech company to engage in profiteering by selling technology to both sides of a conflict. In 2001, journalist and historian Edwin Black reported that IBM’s German-based subsidiary profited wildly by selling its punch card data collection and processing equipment – the precursor to the modern computer – to the Nazis in the years leading up to the war. IBM continued to provide technology to the Nazis even after the US joined the Allies to oust the Third Reich. At the same time, IBM was selling the same equipment to Allied governments. However, while the Allies were using the equipment to track the movement of troops, supplies and equipment, the Nazis were using it to record and improve the deadly efficiency of the concentration camp system.
Technology has come a long way since the punch card, but turning a profit by selling technological weapons to oppressive governments, and their foes, may have been brought into the modern era by companies like Hacking Team.
Regardless of its intent, which Wapack Labs analysts will continue to try to determine, Hacking Team has aided and abetted the enemies of its clients by failing to protect its own data.
About Wapack Labs
Wapack Labs, located in the technology mills of Manchester, NH, is a Cyber Threat Analysis and Intelligence organization supporting the Red Sky Alliance, the FS-ISAC, and individual organizations by offering expert-level targeted intelligence analysis answering some of the hardest questions in Cyber. Wapack Labs’ engineers, researchers, and analysts design and deliver transformational cyber-security analysis tools that fuse open source and proprietary information, using deep analysis techniques and visualization. Information derived from these tools and techniques serves as the foundation of Wapack Labs’ information reporting to the cyber-security teams of its customers and industry partners located around the world.
For questions or comments regarding this report, please contact the lab directly at 603-606-1246, or feedback@wapacklabs.com.