As many of the company’s tools and methods have become public knowledge, Hacking Team is preparing to release a completely new surveillance system.

Last week, hackers leaked 400GB of emails, documents, software, source code, and exploits stolen from the systems of Italy-based surveillance software maker Hacking Team. In a statement published shortly after the incident came to light, the company said that the leaked source code allows anyone, including terrorists and extortionists, to deploy its software.

In a new statement released on Monday, Hacking Team founder and CEO David Vincenzetti noted that no company has produced surveillance software as comprehensive, easy to use, and powerful as the one offered by Hacking Team. And Vincenzetti seems confident that this is not about to change any time soon.

Some parts of the company’s flagship product, Remote Control System, have been leaked, forcing the company to instruct customers to suspend the use of its solutions. However, Hacking Team says the attackers have not gained access to “important elements” of its source code.

Furthermore, Vincenzetti has pointed out that the exposed systems are “obsolete” by now “because of universal ability to detect these system elements.”

The leaked data included proof-of-concept (PoC) code for at least three Adobe Flash Player and one Microsoft Windows zero-day exploits. Advanced persistent threat (APT) actors and cybercriminals started abusing the Flash Player vulnerabilities in their operations before Adobe managed to release patches for them.

Hacking Team says it has isolated its internal systems to prevent additional data exfiltration. The company is now working on releasing an update to secure the Galileo version of its product.

In addition to this update, which will become available shortly, the spyware maker expects to release a completely new version of its Remote Control System, version 10, in the fall.

“This is a total replacement for the existing Galileo system, not simply an update,” explained Vincenzetti. “Of course, it will include new elements to protect systems and data considering the impact of the attack against Hacking Team.”

Hacking Team responds to accusations

Officially, Hacking Team sells its products only to law enforcement and intelligence agencies, and it selects customers to ensure that its surveillance solutions don’t end up in the wrong hands.

However, Hacking Team has often been accused by researchers and civil rights advocates of offering its spyware to countries that don’t have a good record on democracy and human rights, including Sudan, Morocco, Ethiopia, and the United Arab Emirates. Leaked emails, contracts, invoices and other documents seem to show that the company has dealt with oppressive governments.

Following the data breach, a Dutch member of the European Parliament has asked for the launch of an investigation into Hacking Team’s practices by both the European Commission and Italy.

In his statement, Vincenzetti said the export of his company’s software is controlled by the Italian government under the Wassenaar Arrangement.

“Our technology has always been sold lawfully, and, when circumstances have changed, we have ended relationships with clients such as Sudan, Ethiopia and Russia,” Vincenzetti said.

Experts analyze leaked Hacking Team tools

Several security firms have analyzed the leaked data to see how Hacking Team’s software works. Trend Micro reported finding a UEFI rootkit that the Italian company has used to ensure the persistence of its software on targeted systems.

By using the rootkit, Hacking Team customers could ensure that they can continue surveillance of the target even if the device’s hard drive was erased or replaced. Hacking Team documents show that the rootkit works on Insyde BIOS, which is very common on laptop computers. However, Trend Micro says the malware could work on AMI BIOS as well.

Furthermore, while leaked slideshows reveal that the rootkit can only be installed by having physical access to the targeted device, researchers believe it might also be possible for the malware to be deployed remotely.

Researchers at Lookout revealed last week that, despite claims that Hacking Team’s software could only infect jailbroken iOS devices, the spyware could actually be installed on non-jailbroken phones as well. This was possible because Hacking Team possessed an Apple enterprise certificate that allowed it to sign its apps. Apple has since revoked that certificate.

Researchers at Bromium have conducted an in-depth analysis of Hacking Team’s Remote Control System. The solution, which is basically a fully-featured remote access Trojan (RAT), is capable of grabbing stored passwords from popular applications, recording instant messaging communications, logging keystrokes, harvesting session cookies for popular online services, capturing emails and contacts, recording sound via the computer’s microphone, taking photos via the webcam, grabbing clipboard data, logging mouse movements and clicks, and monitoring browser history.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.