Almost a year after Italian surveillance software maker Hacking Team had its internal emails and files leaked online, the hacker responsible for the breach published a full account of how he infiltrated the company’s network.
The document published Saturday by the hacker known online as Phineas Fisher is intended as a guide for other hacktivists, but also shines a light on how hard it is for any company to defend itself against a determined and skillful attacker.
The hacker linked to Spanish and English versions of his write-up from a parody Twitter account called @GammaGroupPR that he set up in 2014 to promote his breach of Gamma International, another surveillance software vendor. He used the same account to promote the Hacking Team attack in July 2015.
Based on Fisher’s new report, the Italian company did have some holes in its internal infrastructure, but also had some good security practices in place. For example, it didn’t have many devices exposed to the Internet and its development servers that hosted the source code for its software were on an isolated network segment.
According to the hacker, the company’s systems that were reachable from the Internet were: a customer support portal that required client certificates to access, a website based on the Joomla CMS that had no obvious vulnerabilities, a couple of routers, two VPN gateways and a spam filtering appliance.
“I had three options: look for a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the embedded devices,” the hacker said, referring to previously unknown — or zero-day — exploits. “A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit.”
Any attack that requires a previously unknown vulnerability to pull off raises the bar for attackers. However, the fact that Fisher viewed the routers and VPN appliances as the easier targets highlights the poor state of embedded device security.
The hacker did not provide any other information about the vulnerability he exploited or the specific device he compromised because the flaw hasn’t been patched yet, so it’s supposedly still useful for other attacks. It’s worth pointing out, though, that routers, VPN gateways and anti-spam appliances are all devices that many companies are likely to have connected to the Internet.
In fact, the hacker claims that he tested the exploit, backdoored firmware and post-exploitation tools that he created for the embedded device against other companies before using them against Hacking Team. This was to make sure that they wouldn’t generate any errors or crashes that could alert the company’s employees when deployed.
The compromised device provided Fisher with a foothold inside Hacking Team’s internal network and a place from where to scan for other vulnerable or poorly configured systems. It wasn’t long before he found some.
First he found some unauthenticated MongoDB databases that contained audio files from test installations of Hacking Team’s surveillance software called RCS. Then he found two Synology network attached storage (NAS) devices that were being used to store backups and required no authentication over the Internet Small Computer Systems Interface (iSCSI).
This allowed him to remotely mount their file systems and access virtual machine backups stored on them, including one for a Microsoft Exchange email server. The Windows registry hives in another backup provided him with a local administrator password for a BlackBerry Enterprise Server.
Using the password on the live server allowed the hacker to extract additional credentials, including the one for the Windows domain admin. The lateral movement through the network continued using tools like PowerShell, Metasploit’s Meterpreter and many other utilities that are open-source or are included in Windows.
He targeted the computers used by systems administrators and stole their passwords, opening up access to other parts of the network, including the one that hosted the source code for RCS.
Aside from the initial exploit and backdoored firmware, it seems that Fisher didn’t use any other programs that would qualify as malware. Most of them were tools intended for system administration whose presence on computers wouldn’t necessarily trigger security alerts.
“That’s the beauty and asymmetry of hacking: with 100 hours of work, one person can undo years of work by a multi-million dollar company,” the hacker said at the end of his write-up. “Hacking gives the underdog a chance to fight and win.”
Fisher targeted Hacking Team because the company’s software was reportedly used by some governments with track records of human rights abuses, but his conclusion should serve as a warning to all companies that might draw the ire of hacktivists or whose intellectual property could pose an interest to cyberspies.