Hacking Team Data Breach Proves Micro-virtualization Is the Most Effective Method Against 0day Exploits


When Milan-based spyware maker Hacking Team was hacked in July of last year, the intruders leaked roughly 400GB of confidential company data to the public. The company was known for selling surveillance technology it described as "offensive intrusion," tools sold for the lawful interception of communications. Its capabilities included capturing encrypted e-mail and files from a compromised endpoint, recording Skype and other Voice over IP calls, and remotely activating computer microphones and cameras. Its customers were mostly governments and law enforcement agencies, which drew scrutiny: Hacking Team was accused of selling to repressive governments such as Sudan, Bahrain and Saudi Arabia, which could use the software to monitor political dissidents and activists.

E-mails in the breach confirmed that Hacking Team sold at least three 0day exploits to governments, two for Flash Player and one for the Windows kernel. A zero-day is a vulnerability that is unknown to the vendor, and therefore unpatched, at the time it is being exploited; the name refers to the vendor having had "zero days" to develop and ship a fix before attackers started using it. Hacking Team bought zero-day exploits in order to install its spyware, known as RCS (Remote Control System), on targeted systems.

The breach gave the security industry a rare look into the 0day exploit market, with the leaked price lists quoting single exploits at anywhere from $45k to $1mn, and it renewed the debate over the best strategies for defending against such attacks. Cybersecurity firm Bromium argues that micro-virtualization is the most effective approach. Micro-virtualization uses hardware virtualization to run each untrusted user task (a browser tab, an opened document, an e-mail attachment) in its own short-lived, isolated micro-VM rather than directly on the host operating system, so that tasks are separated from one another and from the host. An exploit that succeeds inside a micro-VM, zero-day or not, gains control only of that throwaway environment: it cannot reach the host kernel, other tasks or the user's files, and it is discarded when the task is closed. Because the micro-VM is observed from outside, the attack's behaviour (the exploit, the dropped payload, any attempt at persistence such as a rootkit or bootkit) can be recorded as a complete kill chain without the malware ever gaining a foothold on the host. The protection is only as strong as the hypervisor boundary, so a flaw in the micro-hypervisor itself would still need to be patched like any other.

Automating Obfuscated String Decoding with FireEye

To thwart detection and analysis, malware authors often obfuscate their strings: the malicious URLs, registry keys, file paths and API names that a reverse engineer would otherwise find with a simple strings pass are stored in an unreadable form and decoded only at run time. The encoding can be as simple as a few bit manipulations (XOR with a key, rotations, additions) or as heavy as a standard cipher such as DES or AES, and in the most thorough cases the whole file is wrapped by a special program called a packer so that nothing is readable until the sample unpacks itself in memory. Decoding by hand takes a large amount of time, and malware reverse engineers usually script in Python, so FireEye's FLARE team released flare-dbg, a Python debugging framework that helps analysts rapidly develop debugger scripts, for example to drive a sample's own string-decoding routine over every encoded string and recover the plaintext.
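The kind of decoder an analyst ends up scripting, as an added example that is not FireEye's code and uses no flare-dbg API: the obfuscation scheme (a table of length-prefixed records, each byte XORed with a key that advances by 7 and then rotated left by 3) is a hypothetical stand-in for the "few bit manipulations" family described above, and the sample strings are constructed for the example. In a live session flare-dbg would let you call the sample's real routine instead of reimplementing it; the brute-force helper shows what to do when the key is not stored next to the data.

```python
import struct

# Record layout of the constructed string table: u16 little-endian length, u8 initial
# key, then the encoded bytes. The scheme (XOR with a key that advances by KEY_STEP per
# byte, then rotate left by ROT) is a hypothetical example, not any real family's routine.
RECORD_HDR = struct.Struct("<HB")
KEY_STEP = 7
ROT = 3


def rol8(value, count):
    """Rotate an 8-bit value left by count bits."""
    count %= 8
    return ((value << count) | (value >> (8 - count))) & 0xFF


def ror8(value, count):
    """Rotate an 8-bit value right by count bits."""
    count %= 8
    return ((value >> count) | (value << (8 - count))) & 0xFF


def decode_string(data, key):
    """Undo the rotate, then the XOR, advancing the key exactly as the encoder does."""
    out = bytearray()
    for c in data:
        out.append(ror8(c, ROT) ^ key)
        key = (key + KEY_STEP) & 0xFF
    return bytes(out)


def encode_string(plain, key):
    """Inverse of decode_string; used here only to build the constructed sample table."""
    out = bytearray()
    for c in plain:
        out.append(rol8(c ^ key, ROT))
        key = (key + KEY_STEP) & 0xFF
    return bytes(out)


def build_table(strings, key_seed=0x5A):
    """Build the constructed table: every record gets its own initial key."""
    blob = bytearray()
    for i, s in enumerate(strings):
        key = (key_seed + 0x11 * i) & 0xFF
        enc = encode_string(s, key)
        blob += RECORD_HDR.pack(len(enc), key) + enc
    return bytes(blob)


def decode_table(blob):
    """Walk the table and return (offset, plaintext) pairs, stopping at a truncated record."""
    results = []
    off = 0
    while off + RECORD_HDR.size <= len(blob):
        length, key = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        if length == 0 or off + length > len(blob):
            break
        results.append((off, decode_string(blob[off:off + length], key)))
        off += length
    return results


def is_printable(data):
    return bool(data) and all(0x20 <= b < 0x7F for b in data)


def brute_force_key(data):
    """When the key is not stored with the data, try all 256 and keep the printable results."""
    candidates = []
    for k in range(256):
        plain = decode_string(data, k)
        if is_printable(plain):
            candidates.append((k, plain))
    return candidates


# Constructed sample strings (the IP is from a documentation range, not a real C2).
SAMPLE_STRINGS = [
    b"http://203.0.113.10/gate.php",
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    b"cmd.exe /c",
]
SAMPLE_BLOB = build_table(SAMPLE_STRINGS)

if __name__ == "__main__":
    for off, s in decode_table(SAMPLE_BLOB):
        print(f"{off:#06x}: {s!r}")
```

The printable-output filter in brute_force_key is the usual triage shortcut: with a single-byte key space the analyst lets the script rank candidates and only reads the handful that decode to ASCII.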

Reducing HTTP Request Times with Preconnect

Every HTTP request a browser makes to a new origin starts with a setup sequence that is usually quick but sometimes very slow: the browser has to resolve the DNS name, open a TCP connection and, for HTTPS, complete a TLS handshake before the first request byte is sent. Modern browsers such as Chrome try to hide this cost with "preconnects": when a user navigates to a URL, the browser predicts which sockets the page is going to need and speculatively resolves the hostnames (DNS prefetching) and opens the connections (TCP preconnect, including the TLS handshake) before the actual requests are issued. Site authors can supply the same hints explicitly with <link rel="dns-prefetch"> and <link rel="preconnect"> elements. Each round trip avoided saves tens to hundreds of milliseconds, which adds up on pages that pull resources from many third-party origins. The hints are speculative, so they should be reserved for origins the page will certainly use: each preconnect ties up a socket, and a preconnect is itself a network signal (a DNS lookup plus a TLS ClientHello naming the host) that reveals the visit to that origin before any resource is requested.
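A build-time generator for those hints, as an added example that is not part of the original article or of any browser's code: it parses a page, counts references to third-party https origins, gives the most-referenced ones a preconnect and the rest a dns-prefetch, and marks origins fetched in CORS mode (fonts, crossorigin scripts) so the hinted connection is actually reusable. The sample page, its hostnames and the cap of four preconnects are constructed for the example.

```python
import html
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute triggers a fetch that may go to another origin.
RESOURCE_ATTRS = {"script": "src", "img": "src", "link": "href", "iframe": "src"}


def origin_of(url):
    """Return scheme://host[:port] for an https URL, or None for anything else.

    Only https origins are hinted: a preconnect is a DNS lookup plus a TLS ClientHello
    naming the host, so it is never triggered towards cleartext, data: or javascript: refs.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    port = f":{parts.port}" if parts.port not in (None, 443) else ""
    return f"https://{parts.hostname.lower()}{port}"


class OriginCollector(HTMLParser):
    """Counts references to third-party origins and notes which need a CORS connection."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_origin = origin_of(page_url)
        self.counts = Counter()
        self.cors = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None or not attrs.get(attr):
            return
        origin = origin_of(urljoin(self.page_url, attrs[attr]))
        if origin is None or origin == self.page_origin:
            return  # same-origin fetches reuse the navigation's connection
        self.counts[origin] += 1
        # Fonts and crossorigin-marked resources are fetched in anonymous CORS mode on a
        # separate connection, so the hint must carry crossorigin to match it.
        if "crossorigin" in attrs or (tag == "link" and attrs.get("as") == "font"):
            self.cors.add(origin)


def build_hints(page_html, page_url, max_preconnect=4):
    """Most-referenced origins get preconnect (capped); the rest get a cheaper dns-prefetch."""
    collector = OriginCollector(page_url)
    collector.feed(page_html)
    ranked = sorted(collector.counts.items(), key=lambda kv: (-kv[1], kv[0]))
    hints = []
    for i, (origin, _count) in enumerate(ranked):
        rel = "preconnect" if i < max_preconnect else "dns-prefetch"
        hints.append({"rel": rel, "href": origin,
                      "crossorigin": rel == "preconnect" and origin in collector.cors})
    return hints


def render_hints(hints):
    """Serialise hints as <link> elements for the document <head>."""
    lines = []
    for h in hints:
        cors = " crossorigin" if h["crossorigin"] else ""
        lines.append(f'<link rel="{h["rel"]}" href="{html.escape(h["href"], quote=True)}"{cors}>')
    return "\n".join(lines)


# Constructed sample page (not a real site) exercising each rule above.
SAMPLE_PAGE_URL = "https://www.example.com/index.html"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="preload" as="font" href="https://fonts.example.org/inter.woff2" crossorigin>
<script src="//cdn.example.net/app.js"></script>
<script src="https://cdn.example.net/vendor.js"></script>
<img src="https://cdn.example.net/logo.png">
<img src="http://legacy.example.com/pixel.gif">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<iframe src="https://ads.example.biz/frame"></iframe>
</head><body></body></html>
"""

if __name__ == "__main__":
    print(render_hints(build_hints(SAMPLE_HTML, SAMPLE_PAGE_URL, max_preconnect=2)))
```

Running it on the sample emits a preconnect for cdn.example.net and ads.example.biz and a dns-prefetch for fonts.example.org; the same-origin stylesheet, the cleartext pixel and the data: URI produce no hint at all.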

ProxyBack Malware Turns Infected PCs Into Internet Proxies Without Consent

Palo Alto Networks discovered a new malware family, dubbed ProxyBack, designed to turn infected computers into Internet proxies without their owners' knowledge; the researchers observed more than 20 versions, with infections dating back to March 2014. ProxyBack gets around software and hardware firewalls by having the infected machine open an outbound connection to the attackers' proxy server and keep it up as a reverse tunnel. Inbound connections to the victim would normally be blocked, but an outbound session is allowed, and once it is established the proxy server pushes its clients' requests through the tunnel and out to the Internet from the victim's machine, so the victim's IP address appears as the source of whatever traffic is relayed. Most of the traffic observed through these proxies came from an automated system creating fake accounts and soliciting people on sites such as Match.com, OkCupid, eBay, Craigslist and Facebook.
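A network-side heuristic for the reverse-tunnel pattern described above, as an added example that is not Palo Alto Networks' code and is not derived from ProxyBack's actual protocol: the tell-tale combination is one long-lived, high-volume outbound session to an external peer plus, while that session is up, a large fan-out of new outbound web connections from the same host. The flow records, hostnames, addresses, ports and thresholds are all constructed for the example; in production the thresholds should be tuned, and VPN clients and SSH tunnels will look similar, so the result is a lead for an analyst, not a verdict.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed NetFlow-style record: start/end are Unix seconds, bytes_out is host -> peer.
@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    start: int
    end: int
    bytes_out: int
    bytes_in: int


# Internal ranges for this example; documentation ranges (203.0.113.0/24 etc.) are
# deliberately left out so they can stand in for Internet hosts in the sample data.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_reverse_tunnel_candidates(flows, min_tunnel_seconds=3600, min_tunnel_bytes=1_000_000,
                                   min_fanout=50, web_ports=(80, 443)):
    """Flag hosts with a long-lived outbound session plus heavy web fan-out during it."""
    by_src = defaultdict(list)
    for f in flows:
        if is_external(f.dst):
            by_src[f.src].append(f)

    findings = []
    for host, host_flows in by_src.items():
        tunnels = [f for f in host_flows
                   if f.end - f.start >= min_tunnel_seconds
                   and f.bytes_in + f.bytes_out >= min_tunnel_bytes]
        for t in tunnels:
            # Distinct web destinations contacted by the host while the tunnel was open.
            relayed = {f.dst for f in host_flows
                       if f is not t and f.dport in web_ports and t.start <= f.start <= t.end}
            if len(relayed) >= min_fanout:
                findings.append({
                    "host": host,
                    "tunnel_peer": f"{t.dst}:{t.dport}",
                    "tunnel_hours": round((t.end - t.start) / 3600, 1),
                    "distinct_destinations": len(relayed),
                })
    return findings


def sample_flows():
    """Constructed traffic: one relaying victim, one VPN-like host, one busy but normal host."""
    t0 = 1_450_000_000
    flows = []
    # 10.0.0.5: eight-hour tunnel to the proxy server, 120 relayed HTTPS destinations.
    flows.append(Flow("10.0.0.5", "198.51.100.7", 8080, t0, t0 + 8 * 3600, 40_000_000, 5_000_000))
    for i in range(120):
        s = t0 + 60 + i * 200
        flows.append(Flow("10.0.0.5", f"203.0.113.{i + 1}", 443, s, s + 30, 20_000, 60_000))
    # 10.0.0.9: a long-lived session (VPN or chat) but only a handful of web destinations.
    flows.append(Flow("10.0.0.9", "198.51.100.50", 443, t0, t0 + 9 * 3600, 2_000_000, 1_500_000))
    for i in range(8):
        s = t0 + 300 + i * 900
        flows.append(Flow("10.0.0.9", f"192.0.2.{i + 1}", 443, s, s + 30, 10_000, 200_000))
    # 10.0.0.12: lots of browsing, but no persistent external session to relay through.
    for i in range(80):
        s = t0 + 100 + i * 120
        flows.append(Flow("10.0.0.12", f"203.0.113.{i + 1}", 443, s, s + 45, 15_000, 300_000))
    return flows


if __name__ == "__main__":
    for finding in find_reverse_tunnel_candidates(sample_flows()):
        print(finding)
```

A stronger version would also correlate volumes: on a relaying host the bytes received over the tunnel should roughly track the bytes sent to the relayed destinations, which ordinary VPN traffic does not exhibit.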

Brocade and Emulex Partner for Gen 5 Fibre Channel End-to-End

Back in 2014, Emulex and Brocade announced a partnership to develop a new generation of Gen 6 (32Gb) Fibre Channel networking solutions. Now they have announced an end-to-end, jointly validated data center infrastructure based on the current Gen 5 (16Gb) Fibre Channel standard. Built from Emulex Gen 5 FC host bus adapters and Brocade Gen 5 FC switches, it is optimized for virtualized environments, making it easier to allocate and manage the storage resources tied to virtualized applications.
