Hacker: This is how I broke into Hacking Team

Breach of surveillance vendor highlights lessons for companies

Almost a year after Italian surveillance software maker Hacking Team had its internal emails and files leaked online, the hacker responsible for the breach published a full account of how he infiltrated the company's network.

The document published Saturday by the hacker known online as Phineas Fisher is intended as a guide for other hacktivists, but also shines a light on how hard it is for any company to defend itself against a determined and skillful attacker.

The hacker linked to Spanish and English versions of his write-up from a parody Twitter account called @GammaGroupPR that he set up in 2014 to promote his breach of Gamma International, another surveillance software vendor. He used the same account to promote the Hacking Team attack in July 2015.

Based on Fisher's new report, the Italian company did have some holes in its internal infrastructure, but also had some good security practices in place. For example, it didn't have many devices exposed to the Internet and its development servers that hosted the source code for its software were on an isolated network segment.

According to the hacker, the company's systems that were reachable from the Internet were: a customer support portal that required client certificates to access, a website based on the Joomla CMS that had no obvious vulnerabilities, a couple of routers, two VPN gateways and a spam filtering appliance.

"I had three options: look for a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the embedded devices," the hacker said, referring to previously unknown -- or zero-day -- exploits. "A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit."

Any attack that requires a previously unknown vulnerability to pull off raises the bar for attackers. However, the fact that Fisher viewed the routers and VPN appliances as the easier targets highlights the poor state of embedded device security.

The hacker did not provide any other information about the vulnerability he exploited or the specific device he compromised because the flaw hasn't been patched yet, so it's supposedly still useful for other attacks. It's worth pointing out, though, that routers, VPN gateways and anti-spam appliances are all devices that many companies are likely to have connected to the Internet.

In fact, the hacker claims that he tested the exploit, backdoored firmware and post-exploitation tools that he created for the embedded device against other companies before using them against Hacking Team. This was to make sure that they wouldn't generate any errors or crashes that could alert the company's employees when deployed.

The compromised device gave Fisher a foothold inside Hacking Team's internal network and a position from which to scan for other vulnerable or poorly configured systems. It wasn't long before he found some.

First he found some unauthenticated MongoDB databases that contained audio files from test installations of Hacking Team's surveillance software called RCS. Then he found two Synology network attached storage (NAS) devices that were being used to store backups and required no authentication over the Internet Small Computer Systems Interface (iSCSI).

This allowed him to remotely mount their file systems and access virtual machine backups stored on them, including one for a Microsoft Exchange email server. The Windows registry hives in another backup provided him with a local administrator password for a BlackBerry Enterprise Server.

Using the password on the live server allowed the hacker to extract additional credentials, including those of the Windows domain administrator. The lateral movement through the network continued using tools such as PowerShell, Metasploit's Meterpreter and many other utilities that are either open source or included in Windows.

He targeted the computers used by systems administrators and stole their passwords, opening up access to other parts of the network, including the one that hosted the source code for RCS.

Aside from the initial exploit and the backdoored firmware, it seems that Fisher didn't use any other programs that would qualify as malware. Most of the tools he used were intended for system administration, and their presence on computers wouldn't necessarily trigger security alerts.

"That's the beauty and asymmetry of hacking: with 100 hours of work, one person can undo years of work by a multi-million dollar company," the hacker said at the end of his write-up. "Hacking gives the underdog a chance to fight and win."

Fisher targeted Hacking Team because the company's software was reportedly used by governments with track records of human rights abuses, but his conclusion should serve as a warning to all companies that might draw the ire of hacktivists or whose intellectual property could be of interest to cyberspies.


Stories by Lucian Constantin
