Cyber-espionage groups starting to use Hacking Team exploits: Kaspersky
By Digital News Asia August 12, 2015
- Used by Darkhotel, famous for infiltrating WiFi networks in luxury hotels
- Group targets CEOs and senior execs, as well as key R&D staff
SOME cyber-espionage groups have started using the tools Milan-based Hacking Team provided to its customers to carry out their own attacks, according to Kaspersky Lab.
This follows the public leak of files belonging to Hacking Team, the Italian company known for selling ‘legal spyware’ to some governments and law enforcement agencies, including those in Malaysia and Singapore.
The leaked files include several exploits targeting Adobe Flash Player and the Windows operating system, Kaspersky Lab said in a statement.
At least one of these has been re-purposed by the powerful cyberespionage actor ‘Darkhotel,’ the company said.
READ ALSO: Soda has more than just a ‘token’ bid to secure mobile devices
Kaspersky Lab said it has discovered that Darkhotel, an elite spying crew uncovered by its experts in 2014 and famous for infiltrating WiFi networks in luxury hotels to compromise selected corporate executives, has been using a zero-day vulnerability from Hacking Team’s collection since the beginning of July, straight after the notorious leak of Hacking Team files on July 5.
Not known to have been a client of Hacking Team, the Darkhotel group appears to have grabbed the files once they became publicly available.
This is not the group’s only zero-day – Kaspersky Lab estimates that over the past few years it may have gone through half a dozen or more zero-days targeting Adobe Flash Player, apparently investing significant money in supplementing its arsenal.
In 2015, the Darkhotel group extended its geographical reach around the world while continuing to spearphish targets in North and South Korea, Russia, Japan, Bangladesh, Thailand, India, Mozambique and Germany.
Collateral assistance from Hacking Team
Kaspersky Lab said its security researchers have registered new techniques and activities from Darkhotel, a known advanced persistent threat (APT) actor that has been active for almost eight years.
In attacks dated 2014 and earlier, the group misused stolen code-signing certificates and employed unusual methods like compromising hotel WiFi to place spying tools on targets’ systems.
In 2015, many of these techniques and activities have been maintained, but Kaspersky Lab has also uncovered new variants of malicious executable files, the ongoing use of stolen certificates, relentless spoofing social-engineering techniques and the deployment of Hacking Team’s zero-day vulnerability:
- Ongoing use of stolen certificates: The Darkhotel group appears to maintain a stockpile of stolen certificates and deploys their downloaders and the backdoors signed with them to cheat the targeted system. Some of the more recent revoked certificates include Xuchang Hongguang Technology Co Ltd – the company whose certificates were used in previous attacks performed by the threat actor.
- Relentless spearphishing: The Darkhotel APT is indeed persistent, it tries to spearphish a target and if it doesn’t succeed, returns several months later for another try with pretty much the same social-engineering schemes.
- Deployment of Hacking Team’s zero-day exploit: The compromised website, tisone360.com, contains a set of backdoors and exploits. The most interesting of these is the Hacking Team Flash zero-day vulnerability.
“Darkhotel has returned with yet another Adobe Flash Player exploit hosted on a compromised website, and this time it appears to have been driven by the Hacking Team leak,” said Kurt Baumgartner (pic), principal security researcher at Kaspersky Lab.
“The group has previously delivered a different Flash exploit on the same website, which we reported as a zero-day to Adobe in January 2014.
“Darkhotel seems to have burned through a pile of Flash zero-day and half-day exploits over the past few years, and it may have stockpiled more to perform precise attacks on high-level individuals globally.
“From previous attacks we know that Darkhotel spies on CEOs (chief executive officers), senior vice presidents, sales and marketing directors and top R&D (research and development) staff,” he added.
Since last year, Darkhotel has worked hard to enhance its defensive techniques, for example by expanding its anti-detection technology list.
The 2015 version of the Darkhotel downloader is designed to identify antivirus technologies from 27 vendors, with the intention of bypassing them, Kaspersky Lab said.
To learn more, please read the blog post available at Securelist.com. General guidance on mitigating APTs is available in the article How to mitigate 85% of all targeted attacks using 4 simple strategies.
Related Stories:
Hacking Team leaks: We’re not out of the woods yet
What Malaysia bought from spyware maker Hacking Team
Singapore is using spyware, and its citizens can’t complain
Malaysian Govt spyware use unconstitutional, call for action
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.