Leaked Hacking Team Flaw Used in Attacks Before Sunday Doxing

Infamous surveillance technology provider Hacking Team likely sold the recently patched Adobe Flash Player vulnerability to customers before it was breached, as it has been spotted in attacks against Asian targets prior to that date.

The data dump of internal documents, emails and source code allegedly belonging to the Milan-based firm on Sunday featured the flaw, and sparked white hats into action. Soon after, Adobe released a patch for CVE-2015-5119.

However, new data from security vendor Trend Micro shows attacks thought to be exploiting the bug against targets in Japan and Korea as early as 22 June.

It explained in a blog post:

“In late June, we learned that a user in Korea was the attempted target of various exploits, including CVE-2014-0497, a Flash vulnerability discovered last year. Traffic logs indicate the user may have received spearphishing emails with attached documents. These documents contained a URL for the user to visit; this URL led to a site hosted in the United States which contained a Flash exploit, detected as SWF_EXPLOYT.YYKI. This particular exploit targets the zero-day Adobe vulnerability that was disclosed during the Hacking Team leak. We noticed that this exploit was downloaded to the user’s machine several times in a week.”

Users visiting the domain hosting the exploit code mainly hailed from Korea, with one located in Japan, the vendor said.

The exploit discovered by Trend Micro’s cloud-based Smart Protection Network was slightly different in structure to the code leaked as part of the Hacking Team data dump in that it featured a malicious payload.

However, Trend Micro confirmed, “we believe this attack was generated by Hacking Team’s attack package and code.”

“From a purely engineering perspective, this code was very well written. Some attackers may be able to learn how to deploy and manage targeted attacks to different victims from the leaked code,” it added.

What’s Hot on Infosecurity Magazine?