CIO

Hacking Team exploits hit Asian TV network with old RAT

Days after the Hacking Team’s hack leaked several Flash zero-day flaws, the same flaws were used in attacks on several media and news organisations in Hong Kong and Taiwan.

According to Trend Micro researchers, the campaign against the unnamed organisations kicked off on July 9, just four days after Italian surveillance-ware vendor Hacking Team revealed it was breached and 400GB of its data spilled onto the web. The files included three zero-day flaws in Flash Player, which forced Adobe to rush out patches.

Two of those flaws (CVE-2015-5119 and CVE-2015-5122) became key ingredients in two waves of attacks against the websites of a TV network, educational organisations, a religious institute, and a political party in Taiwan. A popular news site in Hong Kong was also hit. Trend doesn’t name the organisations as the investigation is ongoing, but said the selection of sites suggests the campaign was targeting government employees.

“The affected educational organizations, for instance, are used to deliver employment exams for government employees. The Taiwanese television network involved has been producing and importing TV shows and movies for a decade,” said Joseph Chen, a Fraud Researcher with Trend Micro.

Adobe had only released the patches for the flaws on July 7, meaning that visitors to the sites who had not yet updated Flash on their systems would have been infected with the attacker’s payload, one of which is an ageing but popular remote access tool (RAT) known as PoisonIvy.

According to Chen, the attacks occurred in two distinct waves: the first, beginning on July 9, used an exploit for CVE-2015-5119, while the second, beginning on July 14, used an exploit for CVE-2015-5122. All of the compromised sites except the Taiwan political party site served up PoisonIvy via a malicious Flash file.

While the political party site served up a different trojan, embedded in an image, Trend reckons it’s part of the same campaign because it sends collected information to the same server as other compromised sites.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
