Zero Day Risks and the Return of Hacking Team

There are basically two kinds of threats organizations and users face today: the ones that security vendors and threat researchers know about, and those they don’t. The ones we know about get vendor patches, their signatures are pushed out to a variety of security tools so they can be detected, and their behaviors are documented so that the more sophisticated ones can be detected and disrupted. People who are affected by these sorts of attacks usually either don’t have the right security tools deployed in the right places, or they aren’t practicing adequate cyber hygiene.

“Zero Day” exploits are the ones we don’t know about yet. All traffic in a network falls into one of three categories: known good traffic (such as IT-approved applications), which we permit to move across the network in approved ways; known bad traffic (the stuff detected by traditional security tools), which we block; and unknown traffic (usually the majority of traffic on a network), which we ought to be keeping an eye on but in reality hardly ever do. Zero day exploits fall into this last category, which means they can be used to successfully attack systems that over-rely on signature-based security and patching.

Fifteen or so years ago, zero days were hard to come by. Threat researchers certainly never saw zero day exploits circulating through the cyber crime ecosystem. Malicious adversaries kept them close to the vest, and only used them for specific targeted attacks. Many tended to be owned by nation state actors and highly skilled individuals for things like cyber surveillance, data interception, and the monitoring of electronic communications. So, unless you worked for a cyber espionage agency or criminal enterprise, being a zero day exploit creator was a hard way to make a living. 

Zero Day Exploits on the Rise

Fast-forward to today, and things have changed dramatically. Some skilled zero day researchers now earn significant money, and have a variety of mature markets they can sell their skills and research to. These include:

White Hat Markets: There are a number of bug bounty programs that will pay for good research. In addition to generic ones, such as GitHub or BugCrowd, a growing number of vendors, including big names such as Apple, Microsoft, and Facebook, and even government agencies such as the Pentagon, now offer bounties to researchers who can detect and document bugs and system flaws. Some programs pay out as much as $200,000+ for an especially good exploit. 

In addition, legitimate threat research companies offer zero-day feeds to their customers, which, of course, they don’t make public. That’s because a zero day has a very short shelf life once it’s exposed, which also dictates the price. At the same time, an interested party, such as a surveillance company or government, will pay top dollar for an exploit, but they want exclusive rights to it. They don’t want someone else gaining access to it, because if that happens the value of the service they provide diminishes dramatically.

Grey Hat Markets: In addition to the vendor programs and legitimate companies that offer zero day bounties, there are also “Zero Day Brokers” that will buy your zero day research on behalf of their customers. However, these brokers keep the buyer’s and seller’s identities anonymous. While this can sometimes be a good thing, there is also the possibility that the buyer is a hostile nation state, an authoritarian government, a cyber criminal enterprise, or even a terrorist group. The seller has no control over what the end purchaser will do with that exploit, and needs to accept the possibility that, in addition to being used to make a product or system safer, it could also be used in a nefarious way that causes harm to others.

Black Hat Black Markets: Of course, if you have no scruples, then you can always sell your exploits on the black market. In this growing marketplace, it’s inevitable that some of these zero day exploits will be exposed to the masses, which is part of the reason why threat researchers have been able to confirm that the creation and distribution of zero days by cybercriminals is on the rise.

Some are Built, but Many are Stolen

While some of these exploits are home grown or bought from independent researchers, a growing number of them have been stolen from professional organizations. A recent example is the group known as Shadow Brokers, which infamously compromised a cache of zero days that they claim were owned by the NSA. Many threat actors use one of these exploits, known as EternalBlue, to spread their threats faster. A famous example is the WannaCry attack, and it is now showing up in WannaMine, a new crypto-jacking threat.

The Return of Hacking Team

Another great example of this was the cyber surveillance company known as Hacking Team. They were a legitimate company out of Italy selling surveillance software to law enforcement and governments. Their flagship software tool, known as the Remote Control System (RCS), used zero day exploits to extract files from a targeted device, intercept emails and instant messaging, and even remotely activate a device’s webcam and microphone. Ironically, the company was breached in 2015, and many of their zero days were leaked to the cybercrime ecosystem. Within days, we saw these exploits popping up in the wild.

Interestingly, after the Hacking Team was compromised we did not hear much from them, and it was assumed that they had gone out of business. But now it seems as though they have put the band back together, and are selling their zero day-based wares under another name. Threat researchers recently identified newly compiled samples of the Hacking Team’s original spyware that can be traced back to a single organization, signed with digital certificates issued to the Hacking Team’s original co-founder. Since that time, FortiGuard Labs has discovered an additional 19 unique samples not covered by the ESET report. Like those originally reported, the majority of these samples were protected with VMProtect, which was done purposely to increase the time and effort of reverse engineering and thereby thwart analysis.
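As an added example (not Fortinet’s tooling or code from the post), here is the kind of first-pass triage check an analyst runs to spot the VMProtect protection mentioned above: it walks a PE file’s section table and flags VMProtect-style `.vmp*` section names and sections whose byte entropy looks like compressed or encrypted code. The `.vmp` prefix, the 7.2 bits-per-byte threshold and the header-only sample PE built by `build_sample_pe` are all assumptions of this example, not details from the post.

```python
import math
import struct
from collections import Counter
# ".vmp" is the section-name prefix VMProtect leaves in packed PEs (a known
# packer convention assumed here; the post itself only names the packer).
VMPROTECT_SECTION_PREFIX = b".vmp"
ENTROPY_THRESHOLD = 7.2  # bits per byte; packed or encrypted data nears 8.0

def shannon_entropy(data: bytes) -> float:
    # Shannon entropy in bits per byte; empty or constant data scores 0.0.
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(pe: bytes):
    # Walk the PE section table, yielding (name, raw section bytes).
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size              # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        yield name, pe[raw_ptr:raw_ptr + raw_size]

def triage_packing(pe: bytes) -> dict:
    # Flag VMProtect-named sections and sections whose bytes look encrypted.
    vmp = [n.decode() for n, _ in pe_sections(pe)
           if n.startswith(VMPROTECT_SECTION_PREFIX)]
    hot = [n.decode() for n, d in pe_sections(pe)
           if shannon_entropy(d) > ENTROPY_THRESHOLD]
    return {"vmprotect_sections": vmp, "high_entropy_sections": hot,
            "likely_packed": bool(vmp or hot)}

def build_sample_pe(sections) -> bytes:
    # Constructed, header-only PE used as demo input; it is not loadable.
    e_lfanew, opt_size = 0x40, 0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0)
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    headers, body = b"", b""
    for name, data in sections:
        headers += struct.pack("<8sIIII", name, len(data), 0, len(data), raw_ptr) + bytes(16)
        raw_ptr += len(data)
        body += data
    return dos + b"PE\0\0" + coff + headers + body
```

A hit here only tells the analyst to budget time for unpacking before static analysis will yield anything; it is a triage signal, not a verdict on the sample.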

Stopping Zero Day Attacks Requires an Integrated Solution

Zero day exploits continue to be a challenge for many organizations. Responding to them requires an integrated approach to security that combines traditional protections with ATP (Advanced Threat Protection) solutions: distributed sensors and advanced behavioral analytics to detect anomalous traffic and applications, sandboxing to detonate and analyze unknown threats, and solutions interconnected through a common security fabric, so that every deployed security solution can be updated simultaneously with new threat intelligence and resources can be coordinated to disrupt any zero day exploit detected anywhere along the potential attack chain, from endpoints to the cloud.

Solutions:

The samples discovered by FortiGuard Labs are all detected using the following signatures:

W32/Agent.I!tr

W32/CrisisHT.F!tr

W32/CrisisHT.H!tr

W32/CrisisHT.I!tr

W32/CrisisHT.J!tr

W32/CrisisHT.L!tr

W32/CrisisHT.N!tr


IOCs:


Check out our latest Quarterly Threat Landscape Report for more details about recent threats.

Sign up for our weekly FortiGuard intel briefs or for our FortiGuard Threat Intelligence Service.



*** This is a Security Bloggers Network syndicated blog from Fortinet All Blogs authored by Fortinet All Blogs. Read the original post at: http://feedproxy.google.com/~r/fortinet/blogs/~3/0QOJuOP5S4Y/zero-day-risks-and-the-return-of-hacking-team.html