
HackingTeam, new revelations on the surveillance network


Kaspersky Lab and Citizen Lab have released the results of their analysis on the global C2 infrastructure used by the Italian firm HackingTeam.

Security experts from Kaspersky Lab and Citizen Lab at the Munk School of Global Affairs at the University of Toronto have released the results of their analysis on the global command and control infrastructure used by the Italian firm HackingTeam to manage its spyware instances all over the world.

Security experts have repeatedly accused HackingTeam of providing its spyware to authoritarian regimes and law enforcement agencies for surveillance purposes.

According to the researchers, who presented their findings during an event in London, the command infrastructure supporting HackingTeam’s Remote Control System (RCS) consists of 326 servers distributed across more than 40 countries. The majority of the C&C servers were hosted in the United States, Kazakhstan, Ecuador and the UK.

Figure: HackingTeam RCS C2 servers by country

Count of C2s   Country name
64 UNITED STATES
49 KAZAKHSTAN
35 ECUADOR
32 UNITED KINGDOM
24 CANADA
15 CHINA
12 COLOMBIA
7 POLAND
7 NEW ZEALAND
6 PERU
6 INDONESIA
6 BRAZIL
6 BOLIVIA
6 ARGENTINA
5 RUSSIAN FEDERATION
5 INDIA
4 HONG KONG
4 AUSTRALIA
3 SPAIN
2 SAUDI ARABIA
2 MALAYSIA
2 ITALY
2 GERMANY
2 FRANCE
2 EGYPT
1 UKRAINE
1 THAILAND
1 SWEDEN
1 SINGAPORE
1 ROMANIA
1 PARAGUAY
1 MOROCCO
1 LITHUANIA
1 KENYA
1 JAPAN
1 IRELAND
1 HUNGARY
1 DENMARK
1 CZECH REPUBLIC
1 CYPRUS
1 Other
1 BELGIUM
1 AZERBAIJAN

“The presence of these servers in a given country doesn’t mean to say they are used by that particular country’s law enforcement agencies. However, it makes sense for the users of RCS to deploy C&Cs in locations they control – where there are minimal risks of cross-border legal issues or server seizures,” said Sergey Golovanov, Principal Security Researcher at Kaspersky Lab.

Among the products analysed by the experts is Galileo RCS, a solution capable of monitoring communications and data transmission even over a secure channel. For the first time, the experts detailed the control network for the spyware used on victims’ mobile devices; the malicious code is custom built for each target and loaded onto the device.

“It was a well-known fact for quite some time that the HackingTeam products included malware for mobile phones. However, these were rarely seen,” “In particular, the Android and iOS Trojans have never been identified before and represented one of the remaining blank spots in the story,” reported Kaspersky Lab experts on the Securelist blog.

The RCS mobile components for every platform, including Apple iOS, Android, Windows Mobile and BlackBerry, allow HackingTeam’s customers to monitor victims, spy on conversations carried over the main VoIP and instant messaging applications (e.g. WhatsApp, Skype), steal data from their devices, and turn the devices into listening bugs by enabling the microphone.

“The RCS mobile modules are meticulously designed to operate in a discreet manner, for instance by paying close attention to the mobile device’s battery life,” “This is implemented through carefully customized spying capabilities, or special triggers: for example, an audio recording may start only when a victim is connected to a particular Wi-Fi network (for example, the network of a media house), or when he/she changes the SIM card, or while device is charging.” Kaspersky Lab said.

The Android spyware was characterized by the use of a sophisticated obfuscator known as DexGuard, which made analysis of the malicious code difficult.

HackingTeam’s malware developers also used zero-day exploits, delivered through classic spear-phishing schemes and through local infection via USB cable while mobile devices were being synchronized.

The findings presented by the experts are very important because they demonstrate the high level of sophistication of the spyware designed by HackingTeam and the scale of the surveillance operated through its tools.

These tools in the wrong hands are a dangerous weapon.

Pierluigi Paganini

(Security Affairs –  HackingTeam,  Galileo RCS)