Zero-day exploits are a hacker's best friend. They attack vulnerabilities in software that are unknown to the software maker and are therefore unpatched. Criminal hackers and intelligence agencies use zero-day exploits to open a stealth door into your system, and because antivirus companies also don't know about them, the exploits can remain undetected for years before they're discovered. Until now, they've usually been uncovered only by chance. But researchers at Kaspersky Lab have, for the first time, discovered a valuable zero-day exploit after intentionally going on the hunt for it. And they did so by using only the faintest of clues to find it. The malware they found is a remote-code execution exploit that attacks a vulnerability in Microsoft's widely used Silverlight software—a browser plug-in Netflix and other providers use to deliver streaming content to users. It's also used in SCADA and other industrial control systems that are installed in critical infrastructure and industrial facilities. The vulnerability, which Microsoft called "critical" in a patch released to customers on Tuesday, would allow an attacker to infect your system after getting you to visit a malicious website where the exploit resides—usually through a phishing email that tricks you into clicking on a malicious link. The attack works with all of the top browsers except Chrome—but only because Google removed support for the Silverlight plug-in in its Chrome browser in 2014. Kaspersky Lab caught its big fish, the Silverlight exploit, in late November after the zero-day infected a customer's machine. But it took a clever lure and months of patient waiting to get that prize. The story behind that discovery provides an intriguing lesson in how researchers might uncover more zero-days hidden in the wild.
Hacking Team's Hacked Emails Offered the First Clue
It all began with a conversation that was never meant to be public.
In July 2015, a hacker known only as "Phineas Fisher" targeted the Italian surveillance firm Hacking Team and stole some 400 GB of the company's data, including internal emails, which he dumped online. The hack exposed the company's business practices, but it also revealed the business of zero-day sellers who were trying to market their exploits to Hacking Team. The controversial surveillance firm, which sells its software to law enforcement and intelligence agencies around the world—including to oppressive regimes like Sudan, Bahrain, and Saudi Arabia—uses zero-day exploits to help sneak its surveillance tools onto targeted systems. Costin Raiu, head of Kaspersky's Global Research and Analysis Team, became intrigued by one negotiation in particular that occurred in 2013 between Hacking Team and a zero-day seller who identified himself as a 33-year-old Russian named Vitaliy Toropov. In a series of emails dumped online and highlighted in an Ars Technica story about the hacked data, the researcher negotiated the successful sale of a $45,000 Flash exploit to Hacking Team. After completing negotiations on that exploit, Toropov, like all good businessmen, tried to interest Hacking Team in more of his goods, which he was willing to sell at a discount for bulk buys—a $5,000 discount if Hacking Team purchased a second zero-day from him, and a $10,000 discount if they purchased a third. Among his offerings: "I recommend you the fresh 0day for iOS 7/OS X Safari," he wrote, "or my old Silverlight exploit which was written 2.5 years ago and has all chances to survive further in next years as well." Although the iOS exploit was interesting, Raiu was much more intrigued by the Silverlight exploit that Toropov said had remained undetected since 2011. It wasn't an idle boast from an inexperienced newcomer.
Toropov is a prolific bug hunter and exploit writer who until 2013 was an active participant in bug bounty programs—programs that pay bug hunters money for information about vulnerabilities they find, which is then passed to the software makers so they can patch the holes. Between 2011 and 2013, Toropov disclosed more than 40 vulnerabilities to these programs, according to a spreadsheet he has published online and a page for his discoveries on the Packet Storm security site. But in October 2013, his public disclosure of bugs dried up after he disclosed two vulnerabilities in Silverlight to Microsoft. That same month is when he began secretly marketing his wares to Hacking Team—including, apparently, one Silverlight exploit he'd kept from Microsoft in order to sell it to customers who would use it to hack systems. If the exploit had already been sold to other customers and was infecting systems in the wild for two and a half years, Raiu wondered if he might be able to find it. There was just one problem. Toropov provided no details about the exploit that might help him track it down. Usually zero-days are found by accident when someone discovers they've been hacked, and a forensic examination of their system uncovers zero-day malware. Once these exploits are discovered, antivirus companies look for tell-tale fingerprints in the code that can help them locate the malware on other systems; then they write signatures their scanners use to search customer systems. But in this case, Raiu wasn't sure how to look for the zero-day exploit since he didn't have code to examine and didn't even know what vulnerability in Silverlight it targeted. But after looking at Toropov's public list of previous bug discoveries, he got an idea.
He started examining the proof-of-concept exploits Toropov had written for the bugs he'd already discovered to see if he might find any particular programming techniques or patterns in the way he wrote code that could be used as a signature to find exploits of his that might be in the wild. Researchers provide proof-of-concept exploits to bug bounty programs to verify in a benign way that the vulnerabilities they've found are real and can be exploited. Usually the proof-of-concept code simply launches the calculator application on a machine to provide visual proof that the exploit worked. Raiu's instinct about looking at the published files was right. He examined in particular some proof-of-concept code Toropov had published for one of the Silverlight vulnerabilities Microsoft had patched in 2013. Among the files for this exploit was one that contained debugging code. Debugging code is used by developers to look for errors in their program as they're writing it. Three particular debugging strings caught Raiu's eye because they appeared in multiple files Toropov wrote. "With exploit developers they have [code] libraries they build and they keep reusing them from one exploit to another in order to simplify their work," Raiu notes. "I said, what if his other Silverlight exploits are similar to this proof-of-concept one he wrote in 2013?" Programmers usually take debugging code out of the final versions of their programs, but sometimes they leave it in the source code and it gets compiled into the binary, even though it's not code that the exploit uses to perform its functions. Raiu was hoping that was the case. He used a tool called YARA to see if he could find traces of the strings on Kaspersky customer systems. YARA was designed in 2007 by Victor Manuel Alvarez, a Spanish security researcher who works at VirusTotal, a free online virus scanner that Google now owns.
Using the tool, researchers can create a so-called YARA rule to search for malicious files and uncover patterns in them in order to group similar files into families of malware. YARA rules can also be used to scan networks and systems for the same patterns of code. That's how Raiu decided to use it. He'd tried to use YARA rules once before in this way, but had failed to find what he was seeking. One of Kaspersky's customers had been attacked by two exploits, which came in through an infected Adobe file. One of the exploits allowed the attackers to escape from the Adobe Reader sandbox—a protective layer some vendors put in their software to prevent exploits from jumping out of an application and infecting the core system. Raiu and his colleagues never found the exploits, but were able to figure out how they worked and notified vendors to get the vulnerable holes patched. Despite that previous failure, Raiu thought it was worth trying a YARA rule again with Toropov's exploit. In July, shortly after reading the emails Toropov exchanged with Hacking Team, Raiu created a YARA rule based on the debugging code he'd found and then distributed it to the company's automatic exploit prevention tool and the Kaspersky Security Network (KSN), composed of customers who have opted to share with Kaspersky malicious samples found on their systems. Then he waited.
[Image: Debugging strings in the YARA rule Kaspersky used to find the Silverlight exploit. Image courtesy of Kaspersky Lab]
Months passed and there was no sign of an infection for any customers. Raiu eventually forgot about his little experiment. Then on November 25th an infection suddenly popped up on a customer's machine in the Middle East. Customers in the company's KSN network agree to allow malicious code found on their machines to be sent to Kaspersky for analysis.
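As an added illustration of the technique described above (not Kaspersky's rule, whose actual strings the article does not reproduce), here is a minimal YARA-style string hunt in Python: a rule made of placeholder debug strings, an "N of them" condition, and matching in both ASCII and UTF-16LE, because .NET assemblies such as Silverlight code store their strings in UTF-16. The debug strings and the sample "binaries" are constructed for this example; the `to_yara` rendering shows what the equivalent real YARA rule looks like.

```python
from dataclasses import dataclass


@dataclass
class StringRule:
    """A YARA-like rule: named string patterns plus an 'N of them' condition."""
    name: str
    strings: dict          # identifier -> ASCII byte pattern (constructed placeholders below)
    min_matches: int       # how many distinct identifiers must be present (YARA: "N of them")
    wide: bool = True      # also match UTF-16LE: .NET assemblies (Silverlight) store strings that way

    def _needles(self, pattern: bytes):
        """Yield the byte sequences to search for, in each requested encoding."""
        yield "ascii", pattern
        if self.wide:
            yield "wide", pattern.decode("ascii").encode("utf-16-le")

    def scan(self, data: bytes) -> dict:
        """Return {identifier: [(offset, encoding), ...]} for every pattern found in data."""
        hits = {}
        for ident, pattern in self.strings.items():
            for enc, needle in self._needles(pattern):
                start = 0
                while (pos := data.find(needle, start)) != -1:
                    hits.setdefault(ident, []).append((pos, enc))
                    start = pos + 1
        return hits

    def matches(self, data: bytes) -> bool:
        """The rule fires when at least min_matches distinct strings are present."""
        return len(self.scan(data)) >= self.min_matches

    def to_yara(self) -> str:
        """Render the same rule in YARA syntax, for use with the real yara tool."""
        mods = " ascii wide" if self.wide else " ascii"
        lines = [f"rule {self.name}", "{", "    strings:"]
        for ident, pattern in self.strings.items():
            text = pattern.decode("ascii")
            lines.append(f'        ${ident} = "{text}"{mods}')
        lines += ["    condition:", f"        {self.min_matches} of them", "}"]
        return "\n".join(lines)


# Constructed placeholder debug strings; the real ones are not reproduced in the article.
DEBUG_STRINGS = {
    "dbg1": b"DEBUG: init done",
    "dbg2": b"DEBUG: stage2 ready",
    "dbg3": b"DEBUG: cleanup",
}
RULE = StringRule("reused_debug_strings_placeholder", DEBUG_STRINGS, min_matches=2)


def utf16(s: bytes) -> bytes:
    return s.decode("ascii").encode("utf-16-le")


# Constructed sample files standing in for binaries seen during the hunt.
SAMPLES = {
    # 2013 public proof-of-concept: all three strings left in as plain ASCII
    "poc_2013": b"MZ" + b"\x00" * 16 + b"|".join(DEBUG_STRINGS.values()) + b"\x00" * 8,
    # a later compiled .NET assembly reusing two of the strings, stored as UTF-16LE
    "wild_sample": b"MZ" + b"\x00" * 16 + b"<metadata>" + utf16(DEBUG_STRINGS["dbg1"])
                   + b"\x00\x00" + utf16(DEBUG_STRINGS["dbg3"]) + b"<methods>",
    # unrelated file that happens to share one string: below the "2 of them" threshold
    "unrelated": b"MZ" + b"\x00" * 16 + b"DEBUG: cleanup" + b"\x00" * 8,
    # same build as wild_sample but with the debug strings stripped: the hunt finds nothing,
    # which is exactly the failure mode Raiu describes
    "stripped": b"MZ" + b"\x00" * 16 + b"<metadata>" + b"\x00\x00" + b"<methods>",
}


def hunt(rule: StringRule, samples: dict) -> list:
    """Names of the samples the rule fires on, sorted for stable output."""
    return sorted(name for name, data in samples.items() if rule.matches(data))


if __name__ == "__main__":
    print(RULE.to_yara())
    for name in hunt(RULE, SAMPLES):
        print(name, RULE.scan(SAMPLES[name]))
```

The threshold keeps a single shared string from firing the rule on unrelated files, while the `wide` modifier is what lets a rule written from an ASCII proof-of-concept still hit a compiled .NET binary.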
Notably, a few hours later, someone uploaded a sample of the same exploit to the VirusTotal website, but from a different geographic region. VirusTotal is a site that aggregates multiple virus scanners so people can upload suspicious files to it and determine if they're malicious. The file was uploaded from an IP address in Laos. It had been compiled on July 21, just a couple of weeks after Toropov's emails with Hacking Team discussing his Silverlight exploit had been exposed online. It didn't take long, once Raiu and his team got their hands on their customer's malicious code, to determine that it was indeed a Silverlight zero-day exploit. "These particular debug strings were the only thing we could hang onto from his [earlier] Silverlight exploits," he says. Odds were against his gamble working; but it did. Since then, Kaspersky hasn't uncovered any other samples on customer machines, which suggests whoever was using the exploit was using it judiciously to target only specific victims. The fact that two victims in different parts of the world were apparently hit on the same day suggests the attacker was conducting a campaign on that day targeting various victims at the same time. Raiu estimates the exploit was worth between $20,000 and $40,000 on the zero-day market. WIRED reached out to Toropov about the exploit to ask if he had written it, and passed him the technical description that Kaspersky had written about the vulnerability it targets—a BinaryReader bug in the Silverlight software. He said he wasn't familiar with the vulnerability. "I didn't [know] about this particular BinaryReader bug," he wrote in a message to WIRED. He asked if the exploit included code from any of his previous exploits, and when told that it did, he asked to see it. WIRED sent him the code after Microsoft had already distributed its patch for the vulnerability. "I would like to have this 0day, but unfortunately it's not mine," he said after examining it.
"Anyway it was interesting to find the parts of my calc poc in this shellcode, thanks for sharing." His term "calc poc" refers to the calculator proof-of-concept code he had published in 2013 for the previous Silverlight vulnerability Microsoft had patched back then. Toropov didn't say why proof-of-concept code he wrote was showing up in an exploit he says he didn't write, but he said he wasn't surprised to see it in the exploit Kaspersky found. Asked if he ever ended up selling Hacking Team the Silverlight exploit he offered them in his 2013 email, he said no. Raiu says it doesn't make sense that someone else would have put Toropov's public proof-of-concept code in their exploit, but it's not out of the question. He saw it happen in at least one other case when someone used parts of the proof-of-concept code Toropov wrote for the 2013 Silverlight vulnerability he had disclosed to Microsoft, and used that as a building block to create an exploit. Whether or not the exploit was written by Toropov, Raiu considers his hunt for it to be a big success, since there's one less zero-day vulnerability available for attackers to exploit. "This is actually the first time that we are succeeding in catching something that we planned on hunting," Raiu says. "It was probably a bit of intuition and luck. If the compiler would have removed these [debugging] strings, then obviously [there would have been] no luck for me." But now that the technique has proven successful, it may be possible to examine code from other Toropov exploits to uncover additional zero-days that may be using it. And if there are similar tell-tale signs in the public code of other researchers, this may be used to uncover more zero-day exploits as well.
What is Hacker101?
Hacker101 is a collection of videos, resources, and hands-on activities that will teach you everything you need to operate as a bug bounty hunter. The material is available to learn for free from HackerOne. Led by HackerOne’s Cody Brocious, the Hacker101 material is ideal for beginners through to intermediate hackers and located at. Feel free to share and join the conversation on Twitter with hashtag #hacker101.
Capture The Flag
The Hacker101 CTF is composed of a series of levels, where you can learn to hack in a simulated real-world environment. In each level you're searching for a number of flags -- unique bits of data -- which you get by discovering and exploiting vulnerabilities. As you progress, you'll receive invitations to private programs on HackerOne, jump-starting your bounty hunting career.
Meet your Instructor
Cody Brocious is a security researcher and educator with over 15 years of experience. While best known for his work finding several vulnerabilities in locks used by the majority of U.S. hotels, Cody has worked on security for countless companies and products and has directed that expertise into Hacker101 where you really can learn how to hack for free.
FAQ - Hacker101 - Learn How to Hack
What will I learn?
- How to identify, exploit, and remediate the top web security vulnerabilities, as well as many other arcane bugs
- How to properly handle cryptography
- How to design and review applications from a security standpoint
- How to operate as a bug bounty hunter
Is it free?
Yes, it’s completely free of charge.
Will there be new content added?
We release new video lessons and CTF levels twice a month! Got an idea for content? Let us know.
I have a question on the course content.
Posted by Ian Beer, Project Zero
Project Zero’s mission is to make 0-day hard. We often work with other companies to find and report security vulnerabilities, with the ultimate goal of advocating for structural security improvements in popular systems to help protect people everywhere. Earlier this year Google's Threat Analysis Group (TAG) discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day. There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week. TAG was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years. I’ll investigate what I assess to be the root causes of the vulnerabilities and discuss some insights we can gain into Apple's software development lifecycle. The root causes I highlight here are not novel and are often overlooked: we'll see cases of code which seems to have never worked, code that likely skipped QA or likely had little testing or review before being shipped to users. Working with TAG, we discovered exploits for a total of fourteen vulnerabilities across the five exploit chains: seven for the iPhone’s web browser, five for the kernel and two separate sandbox escapes. Initial analysis indicated that at least one of the privilege escalation chains was still 0-day and unpatched at the time of discovery (CVE-2019-7287 & CVE-2019-7286). We reported these issues to Apple with a 7-day deadline on 1 Feb 2019, which resulted in the out-of-band release of iOS 12.1.4 on 7 Feb 2019.
We also shared the complete details with Apple, which were disclosed publicly on 7 Feb 2019. Now, after several months of careful analysis of almost every byte of every one of the exploit chains, I’m ready to share these insights into the real-world workings of a campaign exploiting iPhones en masse. This post will include: detailed write-ups of all five privilege escalation exploit chains; a teardown of the implant used, including a demo of the implant running on my own devices, talking to a reverse-engineered command and control server and demonstrating the capabilities of the implant to steal private data like iMessages, photos and GPS location in real-time; and analysis by fellow team member Samuel Groß of the browser exploits used as initial entry points. Let’s also keep in mind that this was a failure case for the attacker: for this one campaign that we’ve seen, there are almost certainly others that are yet to be seen. Real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you're being targeted. To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group. All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which, when compromised, can upload their every action into a database to potentially be used against them. I hope to guide the general discussion around exploitation away from a focus on the million dollar dissident and towards discussion of the marginal cost for monitoring the n+1'th potential future dissident. I shan't get into a discussion of whether these exploits cost $1 million, $2 million, or $20 million.
I will instead suggest that all of those price tags seem low for the capability to target and monitor the private activities of entire populations in real time. I recommend that these posts are read in the following order:
Bank robber Willie Sutton's famous line about why he robs banks—"because that's where the money is"—was particularly apt this week after the Italian firm Hacking Team was hacked and at least two zero-day exploits the firm possessed were spilled to the public, along with about 400 gigabytes of company emails and other data. Hacking Team has long been a source of controversy because the company sells surveillance tools to law enforcement and intelligence agencies around the world—among them repressive regimes that use the tools to spy on human rights activists and political dissidents. But the hack this week highlights another serious issue around Hacking Team and companies like it that stockpile or store zero-day exploits, including software vendors who run bug bounty programs: they can be rich targets for hackers who might want to steal the zero-days to use them for nefarious purposes or sell them. This places an added onus on companies to protect their repositories to prevent the zero-days from getting into the hands of unintended parties. "Hackers have been hacking each other to steal zero-days for as long as there has been hacking," says Katie Moussouris, chief policy officer for HackerOne, a company that helps other companies manage their zero-day bug bounty programs. "Why wouldn't you go after people who do vulnerability research and companies that have databases of their own unpatched vulnerabilities that they're working on? These are all potential repositories of zero-days that people will want to get." Zero-day exploits are malicious code designed to target security holes in software that the software maker generally doesn't know about yet or hasn't patched yet. This makes the exploits gold to cybercriminals, intelligence agencies, and other hackers who want to sell them or use them to attack vulnerable systems.
Zero-days, if purchased, can cost anywhere from $5,000 to more than $500,000, depending on what they target and their level of sophistication. One of the leaked emails from Hacking Team discussed the company paying the security firm Netragard $105,000 to buy one "flawless" remote-code exploit. If someone can get a whole cache of zero-days by surreptitiously stealing them instead, it would be very valuable. Hacking Team and other entities like it that store zero-day exploits—including the US government and US defense contractors and security firms who sell to the government—put the public at risk as long as the zero-days are kept secret from vendors, and vulnerable systems remain unpatched and open to attack. One would hope at the very least, then, that these zero-days would be stored in highly secured networks, to prevent criminal hackers and others from getting them. But Hacking Team's security was by all accounts abysmal, making it easy for the hacker who breached it to get its exploits. Hacking Team, ironically, published a blog post on Wednesday claiming that the hacker had put everyone at risk by leaking the company's exploits and the source code for its surveillance tools. "It is now apparent that a major threat exists because of the posting by cyber criminals of HackingTeam proprietary software on the Internet the night of July 6," the company wrote in the post. "HackingTeam's investigation has determined that sufficient code was released to permit anyone to deploy the software against any target of their choice…. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so. We believe this is an extremely dangerous situation." The company also said that "[b]efore the attack, HackingTeam could control who had access to the technology which was sold exclusively to governments and government agencies."
The claim, however, is undermined by the poor security the company maintained over its network, software and exploits. If the hackers put everyone at risk, they were only able to do so because Hacking Team did so first. There have been three exploits discovered so far by researchers among the cache of Hacking Team documents leaked by the hacker on Sunday. Two of them were zero-days. One of them targets a security hole in Adobe's Flash Player program, the other targets a kernel vulnerability in the Windows operating system. In an internal document, Hacking Team described one of the security holes as "the most beautiful Flash bug for the last four years." The vulnerability affects all versions of the Flash Player since version 9, including the latest version 18. Adobe has since released a patch for its zero-day hole, but Microsoft is still working on a patch for the Windows kernel vulnerability. In the meantime, the exploits have already been added to at least three exploit kits being sold to hackers in the underground—Angler EK, Neutrino, and Nuclear Pack. Exploit kits are packages that help automate hacking for attackers. The hacker who breached Hacking Team and dumped its data online appears to have been motivated by a sense of justice—to expose the company's hypocritical sales to repressive regimes—and probably didn't have an interest in using the exploits to attack other targets. But if one hacker could breach Hacking Team's network and get its exploits, others could have, too. Hacking Team's collection of zero-days was small, since the company didn't generally rely on this method to get its surveillance tools onto targeted systems. Many of the systems targeted by Hacking Team's government clients were not up-to-date on patches, which meant that they could be attacked using non-zero-day exploits that were already in the public domain.
But there are other companies that possess dozens if not hundreds of zero-days, and the situation would be much worse if they were hacked. "I'm not convinced that zero-days are so scarce that if the bad guy wants them the best way to do that is to steal them. I think there are many bad guys who will just buy them using money they stole," says Chris Soghoian, chief technologist for the American Civil Liberties Union and a harsh critic of firms that stockpile and sell zero-days. "But a company that has a hundred zero-days, if that exists, is going to be a pretty juicy target. Ultimately you're also talking about nation-states who might want to break in and steal them." In 2010, hackers, believed to be from China, broke into Google and a number of other top tech companies seeking the source code for their software. Source code is valuable because it allows attackers to study the software and uncover zero-day flaws in it. But that's a lot of work. If hackers could simply siphon zero-days from a repository instead, it would save them the time and trouble of poring over source code to find vulnerabilities. Three years ago, there were rumblings that another firm—a company that has many more zero-days than Hacking Team has—was also breached: the French company Vupen Security. Its entire business revolves around the sale of zero-day vulnerabilities and exploits to government customers. In 2012, rumors began circulating that Vupen had been hacked and that 130 of its zero-days had been leaked. The news would have been huge if it had been true. But it was never substantiated, and Vupen CEO Chaouki Bekrar denied that his company had been breached. Soghoian says that the issue raises interesting questions about liability if a company that fails to secure its zero-day repository were hacked.
"Are they liable for any harm caused by zero-days stolen from them? I can imagine if Vupen were hacked and their zero-days were stolen and misused by others, you might find some lawyer who would say that's an interesting case." In the end, the public can do little but hope that other companies that possess zero-days are storing them more securely than Hacking Team did.
Hacking can be tedious work. Sometimes you’ve been looking for hours, perhaps days, and you’re unable to find a security vulnerability. It can be demotivating at times. This blog will give you multiple tips to power through it and regain that sweet, sweet feeling of submitting a security vulnerability.
Something that I’ve seen is important is knowing what you’re looking for. A lot of hackers often just “go look for something”. The lack of focus here, especially with new hackers, doesn’t help you find vulnerabilities. It often results in moving on too quickly, not knowing what to look for exactly, or the feeling that you’ve looked at everything already. So, whenever you’re stuck, ask yourself this question first: “What am I looking for?” Make sure you have a clear goal. For example, the answer to this question should never be “I am looking for a security vulnerability.” Instead, it could be “For the next two hours, I am looking for an Insecure Direct Object Reference (IDOR) vulnerability.” This has multiple benefits:
- You’re setting a hard deadline for yourself
- You know what to test for
- You know which resources to look for to learn more about the vulnerability
- You can ask very specific questions to peers
- You discover new attack surface each time you change your goal for the same asset
- You’ll be able to prioritize what to look at based on what you’re looking for
When you come across something interesting during hacking, make a note of it and come back to it later if it doesn’t help you reach your goal. Whenever you set a goal, make sure it is SMART.
Take your mind off of it
There are different kinds of “being stuck.” There will be times where you’re trying to exploit something and there just doesn’t seem to be a way. People have different things that get their mind off of hacking, but here’s a list of five things you can try (thanks everyone that helped put this list together!):
- Workout / go outside
- Grab some food
- Play a (video) game
- Nap / sleep
- Make music
Explore and learn
As a hacker it is important to know what you know, but it is even more important to know what you don’t know. Hackers are always learning. Bug bounty programs and vulnerability disclosure programs are often a black box, which is why you need some structure to get through it. Black boxes often make you feel that there’s nothing left to look at when you try to do multiple things at the same time. When you structure your work, you’ll be able to plan what you want to explore and learn. When you’ve never found an XML External Entity (XXE) vulnerability, like myself, you could set that as your goal. This will help you:
- figure out what you need to know before you can go look for it in the wild
- search the HackerOne Hacktivity to read about other people’s XXE vulnerabilities
- learn about it and exploit it on Hacker101
- pinpoint a feature or asset you’ve looked at in the past that you could target
An interesting exercise that I like to do is to try to “guess” how the backend is implemented by implementing it myself. Simply write the code that mimics the behavior that you see. This has helped me multiple times to figure out an exploit. In the case it didn’t help me exploit something, it helped me gain insight into the defenses.
Make notes and reminders
I make a lot of notes when I’m hacking. Behavior that I think is interesting, newly discovered attack surface, vulnerabilities I’m stuck on, and low severity vulnerabilities that aren’t worth reporting by themselves (but can perhaps be leveraged in a chain!). When I’m stuck I often find myself going through these notes to help me come up with another strategy to attack something. I have simple sections and keywords in these notes to quickly go through them.
“I’m new to BBP and I don’t feel confident that I can find something in public programs”
You’re not alone.
This is something a lot of hackers struggle with. If you haven’t found a lot of security vulnerabilities yet, it might pay off to start with Capture The Flags (CTFs) instead. Exploiting something for the first time is hard and eye-opening — let alone doing this in production environments. My suggestion would be to apply the same structure you would apply when looking at real targets; this will help you build a solid foundation and will help you become an amazing hacker.
Keep going!
At the end of the day, being stuck is just another part of becoming a hacker. I’d encourage you to figure out what helps you to eventually solve the problem or be OK with moving on to another problem. All hackers have been stuck and will continue to be so occasionally. Happy hacking!
Jobert
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.