Phineas Fisher: This is how I broke into Hacking Team
Breach of surveillance vendor highlights lessons for companies.
Almost a year after Italian surveillance software maker Hacking Team had its internal emails and files leaked online, Phineas Fisher, the hacker responsible for the breach, gave a full account of how he infiltrated the company network.
Although intended mainly as a guide for hacktivists, it also shines a light on how hard it is for any company to defend itself against a truly determined and skillful attacker.
Fisher says that although the Italian company did have some holes in its internal infrastructure, it also had some pretty good security practices in place. For example, it did not have many devices exposed to the Internet, and the development servers that hosted the source code for its software were on an isolated network segment.
According to Fisher, the company systems that were reachable from the Internet were: a customer support portal that required client certificates to access, a website based on the Joomla CMS that had no obvious vulnerabilities, a couple of routers, two VPN gateways and a spam filtering appliance.
"There were 3 options: look for a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the embedded devices.
"A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit."
Any attack that requires a previously unknown vulnerability to pull off raises the bar for attackers. However, the fact that Fisher viewed the routers and VPN appliances as the easier targets highlights the poor state of embedded device security.
Fisher did not provide any other information about the vulnerability he exploited or the specific device he compromised because the flaw has not been patched yet, so it's supposedly still useful for other attacks. It's worth pointing out, though, that routers, VPN gateways and anti-spam appliances are all devices that many companies are likely to have connected to the Internet.
Fisher also says he tested the exploit, backdoored firmware and post-exploitation tools that he created for the embedded device against other companies before using them against Hacking Team. This was to make sure that they would not generate any errors or crashes that could alert the companies' employees when deployed.
The compromised device provided him with a foothold inside Hacking Team's internal network and a place from which to scan for other vulnerable or poorly configured systems. It was not long before he found some.
First he found some unauthenticated MongoDB databases that contained audio files from test installations of Hacking Team's surveillance software, called RCS. Then he found two Synology network attached storage (NAS) devices that were being used to store backups and required no authentication over the Internet Small Computer Systems Interface (iSCSI).
This allowed him to remotely mount their file systems and access virtual machine backups stored on them, including one for a Microsoft Exchange email server. The Windows registry hives in another backup provided him with a local administrator password for a BlackBerry Enterprise Server.
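The two storage exposures described above share one root cause: a service reachable from inside the network with no authentication configured. The following is an added example, not code from the article or from Hacking Team, showing how a defender can audit the MongoDB side of that problem. It parses the simple two-level YAML layout that mongod.conf uses (a minimal line-based parser so it runs without PyYAML) and flags a missing `security.authorization: enabled` or a `net.bindIp` that listens on every interface. The weak and hardened configurations are constructed for illustration; the file paths and addresses in them are placeholders.

```python
# Added example (not from the article): audit a mongod.conf for the two
# settings whose absence turns a database into the kind of "unauthenticated
# MongoDB" described in the story. The parser handles only the simple
# two-level YAML mongod uses (top-level section, two-space indented keys),
# so it runs without PyYAML. Sample configs below are constructed.

def parse_mongod_conf(text):
    """Return {section: {key: value}} for mongod's two-level YAML subset."""
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        if not line.startswith(" "):           # top-level section, e.g. "net:"
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        elif section is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip()
    return conf


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks pass."""
    conf = parse_mongod_conf(text)
    findings = []

    # 1. Access control. Without this, any client that can reach the port
    #    can list and read every database, which is what exposed the RCS
    #    audio files in the story.
    auth = conf.get("security", {}).get("authorization", "disabled")
    if auth.lower() != "enabled":
        findings.append("security.authorization is not 'enabled': "
                        "any client that can reach the port can read every database")

    # 2. Listening interfaces. mongod 3.6+ defaults to localhost only;
    #    older versions listened on all interfaces unless told otherwise.
    net = conf.get("net", {})
    if net.get("bindIpAll", "").lower() == "true":
        findings.append("net.bindIpAll=true: listening on every interface")
    elif "bindIp" not in net:
        findings.append("net.bindIp not set: pre-3.6 mongod listened on all "
                        "interfaces by default; set it explicitly")
    else:
        addrs = [a.strip() for a in net["bindIp"].split(",")]
        if any(a in ("0.0.0.0", "::", "*") for a in addrs):
            findings.append(f"net.bindIp={net['bindIp']}: listening on every interface")
    return findings


# Constructed sample: reachable from the whole network, no access control.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb      # placeholder path
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: bound to loopback plus one internal address, auth on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb      # placeholder path
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5    # placeholder internal address
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_mongod_conf(conf) or ['OK']}")
```

Run against a real mongod.conf, the same function works unchanged: read the file, pass its contents to `audit_mongod_conf`, and treat any finding as a reason to fix the configuration before the host is connected to the network. The iSCSI exposure needs the equivalent check on the NAS side (CHAP enabled on each target), which is vendor-specific and not covered here.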
Using the password on the live server allowed the hacker to extract additional credentials, including the one for the Windows domain admin. The lateral movement through the network continued using tools like PowerShell, Metasploit's Meterpreter and many other utilities that are open source or are included in Windows.
He targeted the computers used by systems administrators and stole their passwords, opening up access to other parts of the network, including the one that hosted the source code for RCS.
Aside from the initial exploit and backdoored firmware, it seems that Fisher did not use any other programs that would qualify as malware. Most of them were tools intended for system administration whose presence on computers would not necessarily trigger security alerts.
"That's the beauty and asymmetry of hacking: with 100 hours of work, one person can undo years of work by a multi-million dollar company," he said at the end of his write-up. "Hacking gives the underdog a chance to fight and win."
Fisher targeted Hacking Team because the company's software was reportedly used by some governments with track records of human rights abuses, but his conclusions should serve as a warning to all companies that might draw the ire of hacktivists, or whose intellectual property could be of interest to cyberspies.