Hacker: This is how I broke into Hacking Team

Breach of surveillance vendor highlights lessons for companies

Almost a year after Italian surveillance software maker Hacking Team had its internal emails and files leaked online, the hacker responsible for the breach published a full account of how he infiltrated the company's network.

The document published Saturday by the hacker known online as Phineas Fisher is intended as a guide for other hacktivists, but also shines a light on how hard it is for any company to defend itself against a determined and skillful attacker.

The hacker linked to Spanish and English versions of his write-up from a parody Twitter account called @GammaGroupPR that he set up in 2014 to promote his breach of Gamma International, another surveillance software vendor. He used the same account to promote the Hacking Team attack in July 2015.

Based on Fisher's new report, the Italian company did have some holes in its internal infrastructure, but also had some good security practices in place. For example, it didn't have many devices exposed to the Internet and its development servers that hosted the source code for its software were on an isolated network segment.

According to the hacker, the company's systems that were reachable from the Internet were: a customer support portal that required client certificates to access, a website based on the Joomla CMS that had no obvious vulnerabilities, a couple of routers, two VPN gateways and a spam filtering appliance.

"I had three options: look for a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the embedded devices," the hacker said, referring to previously unknown -- or zero-day -- exploits. "A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit."

Any attack that requires a previously unknown vulnerability to pull off raises the bar for attackers. However, the fact that Fisher viewed the routers and VPN appliances as the easier targets highlights the poor state of embedded device security.

The hacker did not provide any other information about the vulnerability he exploited or the specific device he compromised because the flaw hasn't been patched yet, so it's supposedly still useful for other attacks. It's worth pointing out, though, that routers, VPN gateways and anti-spam appliances are all devices that many companies are likely to have connected to the Internet.

In fact, the hacker claims that he tested the exploit, backdoored firmware and post-exploitation tools that he created for the embedded device against other companies before using them against Hacking Team. This was to make sure that they wouldn't generate any errors or crashes that could alert the company's employees when deployed.

The compromised device gave Fisher a foothold inside Hacking Team's internal network and a vantage point from which to scan for other vulnerable or poorly configured systems. It wasn't long before he found some.

First he found some MongoDB databases that required no authentication and contained audio files from test installations of Hacking Team's surveillance software, called RCS. Then he found two Synology network attached storage (NAS) devices that were used to store backups and exposed their volumes over the Internet Small Computer Systems Interface (iSCSI) without any authentication.

Because iSCSI presents a remote disk as a local block device, this allowed him to attach the exposed volumes, mount their file systems and read the virtual machine backups stored on them, including one for a Microsoft Exchange email server. The Windows registry hives in another backup provided him with a local administrator password for a BlackBerry Enterprise Server.

Using the password on the live server allowed the hacker to extract additional credentials, including the one for the Windows domain admin. The lateral movement through the network continued using tools like PowerShell, Metasploit's Meterpreter and many other utilities that are open-source or are included in Windows.

He targeted the computers used by systems administrators and stole their passwords, opening up access to other parts of the network, including the one that hosted the source code for RCS.

Aside from the initial exploit and backdoored firmware, it seems that Fisher didn't use any other programs that would qualify as malware. Most of them were tools intended for system administration whose presence on computers wouldn't necessarily trigger security alerts.
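The article makes the point that once inside, Fisher relied on administration tools rather than malware, which is exactly why signature-based alerts stayed quiet. What the defender's side of that looks like, as an added example that is not part of this article or of Fisher's write-up: a small Python script that reads process-creation events and flags admin tooling used the way an intruder uses it (encoded or hidden PowerShell, mounting administrative shares, remote WMI execution) and, separately, a single account showing up on many hosts. The one-JSON-object-per-line log format, the indicator patterns and the sample events are all constructed for this example and are assumptions, not a vetted ruleset.

```python
"""Flag living-off-the-land lateral movement in process-creation logs.

Added example, not from the article or from Phineas Fisher's write-up.
The log format (one JSON object per line with time, host, user, image,
cmdline) is a constructed approximation of Windows 4688 / Sysmon EID 1
data, and the indicator patterns below are this example's own choices.
"""
import json
import re
from collections import defaultdict

# Indicators of admin tooling used the way an intruder uses it.
# These patterns are assumptions for illustration, not an exhaustive ruleset.
INDICATORS = [
    ("powershell_encoded",  r"powershell(\.exe)?\b.*\s-(enc|encodedcommand)\b"),
    ("powershell_hidden",   r"powershell(\.exe)?\b.*-(w|windowstyle)\s+hidden"),
    ("powershell_download", r"powershell(\.exe)?\b.*(downloadstring|invoke-webrequest|\biwr\b)"),
    ("admin_share_mount",   r"\bnet(\.exe)?\s+use\s+\\\\[^\s]+\\(c|admin)\$"),
    ("wmic_remote",         r"\bwmic(\.exe)?\b.*\s/node:"),
    ("psexec_like",         r"\bpsexec|\bsc(\.exe)?\s+\\\\[^\s]+\s+create\b"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in INDICATORS]

# Constructed sample log: a BlackBerry server (BES01), a file server (FS01),
# a domain controller (DC01) and an admin workstation. Host and account
# names are invented; the base64 blob decodes to the string "IEX".
SAMPLE_LOG = r"""
{"time":"2015-05-01T02:10:11","host":"BES01","user":"CORP\\svc_bes","image":"C:\\Windows\\System32\\svchost.exe","cmdline":"svchost.exe -k netsvcs"}
{"time":"2015-05-01T02:12:40","host":"BES01","user":"BES01\\Administrator","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"time":"2015-05-01T02:15:02","host":"BES01","user":"CORP\\domadmin","image":"C:\\Windows\\System32\\net.exe","cmdline":"net use \\\\DC01\\C$ /user:CORP\\domadmin"}
{"time":"2015-05-01T02:16:30","host":"BES01","user":"CORP\\domadmin","image":"C:\\Windows\\System32\\wbem\\WMIC.exe","cmdline":"wmic /node:FS01 process call create \"cmd.exe /c whoami\""}
{"time":"2015-05-01T08:01:00","host":"WS-ADMIN1","user":"CORP\\jdoe","image":"C:\\Windows\\explorer.exe","cmdline":"explorer.exe"}
{"time":"2015-05-01T02:16:35","host":"FS01","user":"CORP\\domadmin","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -Command Get-Process"}
{"time":"2015-05-01T02:20:12","host":"DC01","user":"CORP\\domadmin","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c whoami"}
"""


def match_indicators(cmdline):
    """Return the names of every indicator that fires on one command line."""
    return [name for name, rx in COMPILED if rx.search(cmdline)]


def analyse(lines, host_threshold=3):
    """Parse log lines and return (per-event hits, accounts spread across hosts).

    hits:   list of dicts for events where at least one indicator fired.
    spread: {account: sorted hosts} for accounts seen on >= host_threshold
            distinct hosts, a cheap proxy for one stolen credential being
            reused across the network.
    """
    hits = []
    hosts_by_user = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        hosts_by_user[ev["user"]].add(ev["host"])
        names = match_indicators(ev["cmdline"])
        if names:
            hits.append({"time": ev["time"], "host": ev["host"],
                         "user": ev["user"], "indicators": names})
    spread = {u: sorted(h) for u, h in hosts_by_user.items()
              if len(h) >= host_threshold}
    return hits, spread


if __name__ == "__main__":
    found, reused = analyse(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h['time']} {h['host']} {h['user']}: {', '.join(h['indicators'])}")
    for user, hosts in reused.items():
        print(f"account {user} active on {len(hosts)} hosts: {', '.join(hosts)}")
```

On real data every one of these patterns also fires on legitimate administrators, which is the article's point: the tools are the same. The useful signal is the combination, a local account running hidden PowerShell on a server that never runs PowerShell, followed within minutes by a domain admin account mounting `C$` on the domain controller and reaching a third host, so tune the host threshold and pair the hits with a per-host baseline rather than alerting on any single match.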

"That's the beauty and asymmetry of hacking: with 100 hours of work, one person can undo years of work by a multi-million dollar company," the hacker said at the end of his write-up. "Hacking gives the underdog a chance to fight and win."

Fisher targeted Hacking Team because the company's software was reportedly used by governments with track records of human rights abuses, but his conclusion should serve as a warning to any company that might draw the ire of hacktivists or whose intellectual property could be of interest to cyberspies.

Lucian Constantin

IDG News Service