Flash 0-day exploit found in Hacking Team’s leaked data exploited by criminals

Human rights and privacy activists and journalists are actively reviewing the data stolen in the Hacking Team breach.

Reporters at The Intercept have concentrated on going through the leaked emails and have revealed the company’s dealings with many countries with dubious human rights records.

These recent discoveries have spurred Marietje Schaake, a Dutch member of the European Parliament, to ask that the European Commission investigate whether Hacking Team has violated EU sanctions regimes by selling its Remote Control System malware to the Sudanese and Russian governments.

Hacking Team’s spokesman Eric Rabe has been repeating the company’s mantra to various media outlets: we didn’t do anything illegal or unethical. He claims that Hacking Team will recover from this breach, and that they believe that the attack was mounted by a nation state or a criminal gang, and not by a lone activist.

In the meantime, security researchers and malicious actors have also been going through the leaked data, and have discovered previously unknown software vulnerabilities that have been exploited by the company to compromise the targets’ machines.

One of the flaws is a zero-day (CVE-2015-5119) that affects Adobe Flash Player 18.0.0.194 and earlier versions for Windows, OS X and Linux, and can be exploited by attackers to take control of the affected system.

Researcher Kafeine warns that an exploit for it has already been added to the Angler, Nuclear Pack and Neutrino exploit kits.

Adobe published a security advisory on Tuesday, announcing that the fix for it will be made available on Wednesday. In the meantime, users can protect themselves by disabling Adobe Flash on their computers and browsers (Symantec offers simple instructions on how to perform the latter on IE, Firefox and Chrome), or by removing Adobe Flash altogether.

Another flaw is a zero-day privilege escalation vulnerability affecting the Windows kernel. Microsoft does not consider the flaw to be critical, as it cannot be used on its own to take over a target’s PC, but is working on a fix.

There are also reports of an exploit for a vulnerability in SELinux, a Linux kernel security module that supports access control policies, but its existence has yet to be confirmed by other security researchers.

UPDATE: Adobe has released a patch.