July 21, 2015
An attack on an Italian cyber-security firm is having far-reaching implications and Microsoft is now finding itself on the defensive trying to patch holes that are letting in the worst kind of malware.
On July 6, a company called Hacking Team, which provides spyware and other surveillance technology to government agencies and law enforcement around the world, ironically could not prevent a team of hackers from invading their own databases. The attackers stole massive amounts of sensitive information, including documents identifying weaknesses in software programs like Internet Explorer, and made all of this information public.
“You could say that they got hacked and now the bad guys know how to get the good guys,” said a Wapack Labs analyst who is currently monitoring the situation.
These weaknesses in software, called zero-day vulnerabilities, allow hackers (including Hacking Team) to use exploit software to find their way into computers and access private information such as user names and passwords. From there, the hackers can let themselves into the victim’s personal cyberspace, accessing everything from contact lists to credentials for financial accounts to Facebook profiles.
While developing technology to allow their clients in the US, Egypt, Iran and other countries to spy on criminals, political opponents, and ordinary citizens, Hacking Team identified a “zero-day” vulnerability (one not previously known) in Internet Explorer 11 that opened a door into computers running Windows. When cyber-rogues turned the tables on Hacking Team and slipped into the company’s seemingly secure network, the Internet Explorer vulnerability that Microsoft was apparently unaware of was up for grabs to hackers around the globe.
“It’s one thing for a company to work with governments to help track bad actors through cyberspace,” said a Wapack Labs analyst, “it’s another for one to collect these exploits and become a one-stop shop for badness.”
The IE11 vulnerability has resulted in a particularly insidious type of invasion of Windows computers using remote code execution malware. Once inside a system, remote code execution gives hackers access to the computer and lets them make changes within the system, no matter where in the world the owner is located.
Remote code execution malware is difficult for users to detect because it circumvents normal security settings, anti-virus and anti-malware programs, and memory protection technologies.
On June 9, Vectra Threat Labs notified Microsoft that the zero-day vulnerability in Internet Explorer was being exploited by hackers using remote code execution malware to victimize Windows users. Five days later, Microsoft released an update, MS15-065, to patch the weak spot, tracked as CVE-2015-2419. But if users aren’t downloading the patch, they face continued threats from hackers taking over their computers.
This recent attack on Microsoft using information stolen from Hacking Team is just the tip of the iceberg. More than 450 GB of data was stolen from the firm, and hackers from every corner of the world are currently sifting through the bounty, looking for vulnerabilities like the one used to attack Internet Explorer. Though Hacking Team purports to be finding holes in software to benefit law enforcement and government agencies, from an economic standpoint the company could profit exponentially if it were to sell its information to both sides of a conflict.
As Wapack Labs analysts continue to monitor the global implications of Hacking Team’s security weaknesses as they unfold, they will be working to determine just whose side Hacking Team is really on. Is the firm selling information about software vulnerabilities to a government, and then offering a heads-up about those vulnerabilities to the parties the government intends to target?
If so, Hacking Team certainly would not be the first high tech company to engage in profiteering by selling technology to both sides of a conflict. In 2001, journalist and historian Edwin Black reported that IBM’s German-based subsidiary profited wildly by selling its punch card data collection and processing equipment – the precursor to the modern computer – to the Nazis in the years leading up to the war. IBM continued to provide technology to the Nazis even after the US joined the Allies to oust the Third Reich. At the same time, IBM was selling the same equipment to Allied governments. However, while the Allies were using the equipment to track the movement of troops, supplies and equipment, the Nazis were using it to record and improve the deadly efficiency of the concentration camp system.
Technology has come a long way since the punch card, but turning a profit by selling technological weapons to oppressive governments, and their foes, may have been brought into the modern era by companies like Hacking Team.
Regardless of their intent, which Wapack Labs analysts will continue to try to determine, Hacking Team has aided and abetted the enemies of their clients by failing to protect their own data.
About Wapack Labs
Wapack Labs, located in the technology mills of Manchester, NH, is a Cyber Threat Analysis and Intelligence organization supporting the Red Sky Alliance, the FS-ISAC, and individual organizations by offering expert-level targeted intelligence analysis answering some of the hardest questions in Cyber. Wapack Labs’ engineers, researchers, and analysts design and deliver transformational cyber-security analysis tools that fuse open source and proprietary information, using deep analysis techniques and visualization. Information derived from these tools and techniques serves as the foundation of Wapack Labs’ information reporting to the cyber-security teams of its customers and industry partners located around the world.
For questions or comments regarding this report, please contact the lab directly by phone at 603-606-1246, or by email at firstname.lastname@example.org.