This week, IT security firm Rook Security released a free tool that can detect malware leaked from Hacking Team, a Milan-based company that sells surveillance and intrusion software to governments, law enforcement agencies and private clients worldwide.
Ironically, the Italian firm that helps governments spy on citizens itself fell victim to a cyberattack earlier this month that spilled roughly 400GB of data into the wild.
The attackers, who may have been ex-employees, released torrent files spanning internal documents, source code, and emails with detailed customer information. Rook created its Milano tool specifically to sniff out Hacking Team's exploits and rein in a threat that is now out in the open.
Why Stockpiling Malware Is A Bad Idea
“This breach has been very unique in nature and challenging for security technology vendors to obtain code samples to create signatures and patches, thereby leaving scores of systems potentially vulnerable to nefarious actors seeking to weaponize Hacking Team’s once proprietary tools,” said J.J. Thompson, CEO of Rook, in a press statement.
Rook has been working with the Federal Bureau of Investigation, specifically its Cyber Task Force in Indianapolis, to zero in on Hacking Team's exploits.
The firm's new tool, called "Milano," digs into target systems, performing either a quick scan that takes a few seconds or a more comprehensive inspection that can take up to an hour. The software computes hashes of the files it finds and compares them against the hashes of files tied to the Italian company's breach. It doesn't appear to cover every potential attack—so far it carries hashes for 40 Windows executable and library files—but more could come through future updates.
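To make the hash-matching approach concrete, here is an added example of an indicator-of-compromise sweep of the kind Milano is described as performing. This is illustrative code written for this article, not Rook Security's Milano, and it uses a constructed sample directory tree rather than real Hacking Team samples; the "quick scan" paths and the file names are assumptions chosen for the demonstration.

```python
"""Hash-based IOC sweep (added example, not Rook Security's code).

Walks a directory tree, hashes every file with SHA-256 and reports files whose
digest appears in a set of known-bad hashes. A "quick" scan only visits a few
likely drop locations; a "full" scan walks the whole tree.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumption: a short list of likely drop locations for a quick scan, modelled
# on common Windows paths. Adapt to the host being scanned.
QUICK_SCAN_SUBDIRS = ("Windows/System32", "Users/Public", "ProgramData")


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries don't need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def iter_files(root, quick=False):
    """Yield candidate files: the quick-scan subdirs only, or the whole tree."""
    root = Path(root)
    if quick:
        starts = [root / sub for sub in QUICK_SCAN_SUBDIRS if (root / sub).is_dir()]
    else:
        starts = [root]
    for start in starts:
        for dirpath, _dirnames, filenames in os.walk(start):
            for name in filenames:
                yield Path(dirpath) / name


def scan(root, ioc_hashes, quick=False):
    """Return a list of (path, sha256) for files whose digest is in ioc_hashes."""
    hits = []
    for path in iter_files(root, quick):
        try:
            digest = sha256_file(path)
        except OSError:
            continue  # locked or unreadable file: skip it, don't abort the sweep
        if digest in ioc_hashes:
            hits.append((str(path), digest))
    return hits


def build_demo_tree():
    """Constructed sample filesystem (not real malware):
    - a 'bad' file under System32 (inside the quick-scan paths),
    - an identical copy under a user profile (outside them),
    - a benign file,
    - a one-byte variant of the bad file, which a hash IOC will NOT catch.
    Returns the tree root and the IOC set derived from the bad file."""
    root = Path(tempfile.mkdtemp(prefix="ioc_demo_"))
    bad = b"MZ\x90\x00constructed-fake-implant"  # placeholder bytes, not a real PE
    (root / "Windows/System32").mkdir(parents=True)
    (root / "Users/alice/AppData").mkdir(parents=True)
    (root / "Windows/System32/agent.dll").write_bytes(bad)
    (root / "Users/alice/AppData/agent_copy.dll").write_bytes(bad)
    (root / "Users/alice/AppData/notes.txt").write_bytes(b"benign content")
    (root / "Users/alice/AppData/agent_patched.dll").write_bytes(bad + b"\x00")
    ioc_hashes = {hashlib.sha256(bad).hexdigest()}
    return root, ioc_hashes


if __name__ == "__main__":
    demo_root, iocs = build_demo_tree()
    print("quick scan:", scan(demo_root, iocs, quick=True))
    print("full scan: ", scan(demo_root, iocs))
```

Running the full scan flags both copies of the sample file, while the quick scan finds only the one under the System32 path; the one-byte variant is missed by both. That last case is the caveat a practitioner should keep in mind: a hash IOC is exact-match only, so a recompiled or trivially modified build of the same tool slips past it. Hash sweeps are a fast first pass, not a substitute for signature or behavioural detection.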
More than Hacking Team's own confidential information is at stake. Over the course of its work, the company unearthed security holes in technologies ranging from Adobe's Flash Player to Facebook's osquery, among others. Both companies have since patched the affected Flash plugin and osquery tool, respectively.
Hacking Team had discovered, or had been working on, exploits for everything from desktop software to online services to drone-based Wi-Fi surveillance tools. It often took advantage of "zero-day" vulnerabilities, holes that the vendors don't yet know they have. When zero-day attacks go out, they often do damage before the affected companies even know what hit them.
What You Can Do About It
The reach of the company's stash of work could be extensive, affecting developers and other partners as well as users around the world.
Rook said it moved swiftly to respond to the threat. “After our Intelligence Team quickly deduced how the leaked code could be weaponized and used for harm, we immediately put a team in place to identify, analyze, and detect malicious files located in this data,” said Thompson.
The Milano tool is available for download on this page. More from Rook about the tool, including a technical overview, can be found here.
Lead photo courtesy of Shutterstock
Epilogue: One RW reader on Twitter couldn’t help but note that Rook’s solution may not be much better than the problem:
https://twitter.com/cliffsull/status/623573943245479936
https://twitter.com/cliffsull/status/623574471501324288
There's no hard evidence that federal agencies could use Milano for their own purposes. However, given the surveillance era we live in, it wouldn't be a huge stretch to believe that may be possible. IT managers and other system administrators would do well to weigh all the potential risks before running any third-party scanner with elevated privileges on their systems.