Hacking Team Flash exploit leak revealed lightning reflexes of malware toolkit crafters
Less than 24 hours from release to attack
Black Hat 2015 When the Italian surveillanceware maker Hacking Team got hacked last month, the intruders unwittingly set the groundwork for a very interesting research project.
Tracking the time from a vulnerability being found in some software to seeing it exploited in the wild is tricky – malware writers don't often publicize their releases. But when 400GB of swiped Hacking Team files were dumped online the vulnerabilities the biz was exploiting to infect PCs were open for all to see.
The files were shared across the internet on July 6, and a Flash exploit, CVE-2015-5119, was discovered and tweeted out by security researcher webDEViL. Included in the leaked Hacking Team documents was a cheat sheet on how to use the exploit. Armed with these details, the speed at which online scumbags wielded the exploit against vulnerable systems was impressive – and depressing.
The next day, Jerome Segura, senior security researcher at Malwarebytes, caught the first sight of attack code for the Flash flaw in the Neutrino exploit kit. About 13 minutes later, it was spotted in the latest issue of the Angler exploit kit.
Adobe pushed out an update to fix the bug on July 8, but by then three exploit kits were exploiting the programming blunder, and this number doubled by July 10 as attackers swarmed over those too slow to patch.
"This particular zero day continues to illustrate the trend of shorter and shorter times between publicly available information of the existence of a zero day and integration into exploit kits," said Jean Taggart, security researcher at Malwarebytes.
"Our timeline shows the speed at which zero days are weaponized, and highlights which exploit kit makers are the most adept at this. It also clearly demonstrates the need for a layered defense that includes addressing the challenges that zero days bring to the table." ®