Categories: Security

Security Firm Finds Zero-Day Flaw By Turning Users Into Honeypots

When emails leaked from surveillance tools vendor Hacking Team hinted at a critical vulnerability in Microsoft’s Silverlight multimedia player, researchers at security firm Kaspersky Lab wondered if they would be able to find a way to catch an attacker exploiting the flaw.

Turns out they could.

On Jan. 12, Microsoft patched a critical vulnerability in its Silverlight player that Kaspersky was able to pinpoint after it caught an attacker using an exploit. The attack code is thought to be the same exploit that a 30-something Russian bug finder, Vitaliy Toropov, attempted to sell to Hacking Team, as revealed by leaked emails.

Multiple vulnerabilities

“He had sold multiple vulnerabilities to Hacking Team in the past,” Brian Bartholomew, a senior security researcher at Kaspersky Lab, told eWEEK. “We thought it likely that if Hacking Team didn’t buy it, he may have sold it to someone else.”

The fact that Kaspersky could detect the attack is impressive, since the company knew very little about the exploit. By taking two pieces of information—the name of the exploit developer and his focus on a Silverlight vulnerability—Kaspersky researchers found an older Silverlight exploit created by the same developer, reverse-engineered the older attack and used unique strings in the code to developed rules that would likely match a future attack.

“After implementing the detection, we waited, hoping that an APT [advanced persistent threat] group would use it,” the Kaspersky researchers stated in an online writeup of their experiment. “Since Vitaliy Toropov was offering it to Hacking Team, we also assumed that he sold it to other buyers, and what good is a zero-day if you don’t use it?”

To detect the attack, Kaspersky uploaded its pattern rule to the antivirus software used by millions of customers, essentially turning its user base into a giant neighborhood watch program. When an attack happened, the software blocked the exploit and delivered details of the attack to Kaspersky.

“The software protects them from the attack, but at the same time, there is some valuable intelligence and information on the attack itself, so we do pull back very limited metadata from the attacks,” Bartholomew said.

Security firm Qualys had rated the Silverlight vulnerability as a less-interesting part of Microsoft’s regular Patch Tuesday update, but following Kaspersky’s report on the bug and evidence that the attack is being used in the wild, the company raised its rating of the vulnerability.

The big question for Kaspersky is whether Toropov wrote and sold the exploit.

“Several things make us think it’s one of his exploits, such as the custom error strings,” the company’s researchers stated in their online analysis. “Of course, there is no way to be sure and there might be several Silverlight exploits out there. One thing is for sure though—the world is a bit safer with the discovery and patching of this one.”

Originally published on eWeek.

Robert Lemos

Robert Lemos covers cyber security for TechWeekEurope and eWeek

Recent Posts

UK Government Partners Anthropic AI To Improve Public Services

Anthropic confirms Memorandum of Understanding (MOU) signed with UK government to explore use of AI…

2 days ago

ARM Shares Rise Amid Report Meta Will Purchase Its First Chip

British chip designer ARM Holdings is reportedly developing its own chip, and Meta is one…

2 days ago

TikTok Returns To Apple, Google Stores In US

TikTok returns to app stores of both Apple and Google in the United States, after…

2 days ago

Meta To Show Marketplace Ads From Rival Ad Providers

After huge fine, Meta launches 'Facebook Marketplace Partner Program' so rival service providers can list…

3 days ago

Improved Indoor Connectivity Could Add Billions To UK Economy – Survey

New research from Freshwave finds a better mobile signal indoors could grow the UK economy…

3 days ago

Musk Says He Will Withdraw OpenAI Bid If It Remains Non-Profit

Elon Musk says he will abandon $97.4 billion offer to buy the non-profit behind OpenAI…

3 days ago