Critical Flash exploit emerges from Hacking Team breach
Feel safe with your fully-patched computer? If you use Flash and land on the wrong website, you may get a virus or even a cryptolocker that renders your machine unusable. That's because a sophisticated "zero-day" exploit stolen from Hacking Team has now been released into the wild. As a reminder, Hacking Team is the infamous outfit that supplies US law enforcement and various governments around the world with digital spying tools. However, the company suffered an embarrassing attack on its own servers, and among the 400GB of data stolen were some nasty tools originally intended for use by agencies like the US Drug Enforcement Agency.
TRANSLATION: Worst-case scenario is now in play - HT Flash 0day with NO patch is now being used to deliver Cryptolockers via exploit kits
— InfoSec Taylor (@SwiftOnSecurity) July 8, 2015
Security experts say attackers have now unleashed those tools on the internet, leaving all computers vulnerable until Adobe patches Flash, which it's expected to do tomorrow. Malwarebytes called it "one of the fastest documented cases of an immediate weaponization in the wild, possibly thanks to the detailed instructions left by the Hacking Team." So what can you do about it? Obviously, be careful about which sites you visit, but you may also want to either enable "click-to-play" for the Flash plug-in or disable it completely, as detailed by How-To Geek.
Meanwhile, there are questions about how this shitstorm happened in the first place. As Forbes pointed out, leaked emails show that the FBI and DEA were keen on Hacking Team's software, which can run $500,000 for a full cross-platform setup. Other emails revealed that Hacking Team sold its wares to oppressive regimes in countries like Sudan.
TRANSLATION: This means you can get a Cryptolocker/virus just by browsing the web with a fully-patched machine RIGHT NOW. Take action above.
— InfoSec Taylor (@SwiftOnSecurity) July 8, 2015
Critics argue that increased cyber-spying by governments begets ultra-sophisticated hacking tools that can fall into the wrong hands. That in turn makes everyone more vulnerable, as today's attack proves (again). Ironically, FBI director James Comey is also trying to convince lawmakers today that it should be trusted with backdoor access to encrypted cellphones. However, given the competence and questionable ethics of the companies it works with, it's hard to see how that's a good idea.