Hacking Team malware in Exploit Kits
The source code for Hacking Team's powerful surveillance software includes at least three zero-day vulnerabilities, and one of these has already been integrated into exploit kits being sold by cybercriminals.

Within hours of being leaked, the exploits used by Hacking Team's lawful-intercept surveillance tools were picked up by cybercriminals and built into at least three exploit kits.

The massive leak of data stolen from Hacking Team has brought the Italian company heavy criticism for selling its powerful tools to countries known for human rights abuses. But the leak also contained the source code for its surveillance software, and criminals have been working fast to use that code to bolster their own tools.

Security firm Trend Micro has found at least three zero-day exploits (exploits for previously unknown vulnerabilities in software) within the Hacking Team data. One of the zero-days targets a vulnerability in the Windows kernel, while the other two target Adobe Flash.

What is Hacking Team?

Italian company Hacking Team sells sophisticated spying software to governments and law enforcement agencies around the world.

They have been criticised for selling their services to repressive regimes with questionable human rights records in countries such as Sudan, Bahrain and Kazakhstan.

On 5 July a trove of 400GB of data stolen from the company was posted online by an unknown hacker. This included sensitive documents, government tender details, client invoices, internal emails, and crucially, source code and explicit details on how the mass surveillance software operates.

One of the Flash vulnerabilities (CVE-2015-0349) has already been patched, but the other (CVE-2015-5119) remains unpatched. Within hours of its discovery in the leaked data, criminals selling exploit kits had integrated the exploit into their own tools.

"The most beautiful Flash bug for the last four years"

According to independent security researcher Kafeine, the exploit has been included in three separate exploit kits - Angler, Neutrino and Nuclear Pack.

Exploit kits are software packages, typically purchased on the dark web, that automate the spread of malware by exploiting multiple vulnerabilities in consumer software. One of the defining characteristics of an exploit kit is that it can be used easily by people without much technical expertise.

According to a file within the 400GB of leaked Hacking Team data, the exploit affects Adobe Flash Player up to version 18.0.0.194 and works in popular web browsers including Internet Explorer, Chrome, Firefox and Safari.

Adobe has responded to the leak and said it hopes to have a patch ready for the vulnerability by Wednesday (8 July). However, as many people do not update on a regular basis, this vulnerability is likely to continue to affect a large number of users well after the patch is released.

Hacking Team calls the exploit "the most beautiful Flash bug for the last four years" in internal documents detailing how it works, and it is these same documents that are likely to have enabled the exploit's rapid integration into the kits.

"Immediate weaponisation in the wild"

Malwarebytes' Jerome Segura, reporting the use of the zero-day exploit in the Neutrino exploit kit, said: "This is one of the fastest documented cases of an immediate weaponisation in the wild, possibly thanks to the detailed instructions left by Hacking Team."

Hacking Team even provides proof-of-concept code alongside the Flash vulnerability, demonstrating that a malicious Flash file downloaded from the internet can launch an arbitrary program (in the proof of concept, the Calculator application) on a victim's computer.

Speaking to IBTimes UK immediately following the leak, Craig Young, a security researcher with Tripwire, predicted the fast integration of these zero-day flaws:

"It would be surprising if we don't very quickly start seeing underground malware authors branching and repackaging the Hacking Team malware and selling it without restriction. A more responsible action may have been for the hackers to release a document dump while sharing the malware source code only with reputable security vendors for the purpose of creating detection routines."