Categories: Security

Security Firm Finds Zero-Day Flaw By Turning Users Into Honeypots

When emails leaked from surveillance tools vendor Hacking Team hinted at a critical vulnerability in Microsoft’s Silverlight multimedia player, researchers at security firm Kaspersky Lab wondered if they would be able to find a way to catch an attacker exploiting the flaw.

Turns out they could.

On Jan. 12, Microsoft patched a critical vulnerability in its Silverlight player that Kaspersky was able to pinpoint after it caught an attacker using an exploit. The attack code is thought to be the same exploit that a 30-something Russian bug finder, Vitaliy Toropov, attempted to sell to Hacking Team, as revealed by leaked emails.

Multiple vulnerabilities

“He had sold multiple vulnerabilities to Hacking Team in the past,” Brian Bartholomew, a senior security researcher at Kaspersky Lab, told eWEEK. “We thought it likely that if Hacking Team didn’t buy it, he may have sold it to someone else.”

The fact that Kaspersky could detect the attack is impressive, since the company knew very little about the exploit. By taking two pieces of information—the name of the exploit developer and his focus on a Silverlight vulnerability—Kaspersky researchers found an older Silverlight exploit created by the same developer, reverse-engineered the older attack and used unique strings in the code to developed rules that would likely match a future attack.

“After implementing the detection, we waited, hoping that an APT [advanced persistent threat] group would use it,” the Kaspersky researchers stated in an online writeup of their experiment. “Since Vitaliy Toropov was offering it to Hacking Team, we also assumed that he sold it to other buyers, and what good is a zero-day if you don’t use it?”

To detect the attack, Kaspersky uploaded its pattern rule to the antivirus software used by millions of customers, essentially turning its user base into a giant neighborhood watch program. When an attack happened, the software blocked the exploit and delivered details of the attack to Kaspersky.

“The software protects them from the attack, but at the same time, there is some valuable intelligence and information on the attack itself, so we do pull back very limited metadata from the attacks,” Bartholomew said.

Security firm Qualys had rated the Silverlight vulnerability as a less-interesting part of Microsoft’s regular Patch Tuesday update, but following Kaspersky’s report on the bug and evidence that the attack is being used in the wild, the company raised its rating of the vulnerability.

The big question for Kaspersky is whether Toropov wrote and sold the exploit.

“Several things make us think it’s one of his exploits, such as the custom error strings,” the company’s researchers stated in their online analysis. “Of course, there is no way to be sure and there might be several Silverlight exploits out there. One thing is for sure though—the world is a bit safer with the discovery and patching of this one.”

Originally published on eWeek.

Robert Lemos

Robert Lemos covers cyber security for TechWeekEurope and eWeek

Recent Posts

BNP Paribas Joins JP Morgan Blockchain Trading Network

French bank BNP Paribas becomes first European bank to join JP Morgan's blockchain-based Onyx Digital…

13 hours ago

SEC Held Off Elon Musk Enforcement ‘Due To Court Fears’

US securities regulators may have refrained from enforcement actions against Elon Musk due to discouraging…

14 hours ago

Snap Earnings Warning Triggers Tech Sell-Off

Investors spooked after Snap warns of deteriorating economic conditions, says earnings now 'below the low…

16 hours ago

Russian Operator Discounts Smartphones As Sanctions Bite

Biggest Russian mobile operator MTS begins selling discounted and second-hand smartphones as Russians hit by…

16 hours ago

Clearview AI Fined £7.5m Over Facial Recognition Data

UK Information Commissioner's Office orders controversial facial recognition firm Clearview AI to delete data it…

17 hours ago

Airbnb To Pull Out Of China Amidst ‘Pandemic Challenges’

Airbnb to pull out of China as ongoing zero-Covid policy places severe restrictions on domestic…

18 hours ago