Hacker: This is how I broke into Hacking Team

Breach of surveillance vendor highlights lessons for companies

Almost a year after Italian surveillance software maker Hacking Team had its internal emails and files leaked online, the hacker responsible for the breach published a full account of how he infiltrated the company's network.

The document published Saturday by the hacker known online as Phineas Fisher is intended as a guide for other hacktivists, but also shines a light on how hard it is for any company to defend itself against a determined and skillful attacker.

The hacker linked to Spanish and English versions of his write-up from a parody Twitter account called @GammaGroupPR that he set up in 2014 to promote his breach of Gamma International, another surveillance software vendor. He used the same account to promote the Hacking Team attack in July 2015.

Based on Fisher's new report, the Italian company did have some holes in its internal infrastructure, but also had some good security practices in place. For example, it didn't have many devices exposed to the Internet and its development servers that hosted the source code for its software were on an isolated network segment.

According to the hacker, the company's systems that were reachable from the Internet were: a customer support portal that required client certificates to access, a website based on the Joomla CMS that had no obvious vulnerabilities, a couple of routers, two VPN gateways and a spam filtering appliance.

"I had three options: look for a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the embedded devices," the hacker said, referring to previously unknown -- or zero-day -- exploits. "A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit."

Any attack that requires a previously unknown vulnerability raises the bar for attackers. However, the fact that Fisher judged the routers and VPN appliances to be easier targets than a web CMS or a mail filter says a lot about the poor state of embedded device security.

The hacker did not provide any other information about the vulnerability he exploited or the specific device he compromised because the flaw hasn't been patched yet, so it's supposedly still useful for other attacks. It's worth pointing out, though, that routers, VPN gateways and anti-spam appliances are all devices that many companies are likely to have connected to the Internet.

In fact, the hacker claims that he tested the exploit, backdoored firmware and post-exploitation tools that he created for the embedded device against other companies before using them against Hacking Team. This was to make sure that they wouldn't generate any errors or crashes that could alert the company's employees when deployed.

The compromised device provided Fisher with a foothold inside Hacking Team's internal network and a place from where to scan for other vulnerable or poorly configured systems. It wasn't long before he found some.

First he found some unauthenticated MongoDB databases that contained audio files from test installations of Hacking Team's surveillance software called RCS. Then he found two Synology network attached storage (NAS) devices that were being used to store backups and required no authentication over the Internet Small Computer Systems Interface (iSCSI).

This allowed him to remotely mount the exported volumes and access virtual machine backups stored on them, including one of a Microsoft Exchange email server. The Windows registry hives in another backup provided him with a local administrator password for a BlackBerry Enterprise Server.
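Unauthenticated datastores like the MongoDB instances described above are exactly what a defender should be enumerating on their own network before an intruder does. The following is an added example, not code from the article or from Phineas Fisher's write-up: a small Python probe that speaks just enough of the MongoDB wire protocol (OP_MSG, so it assumes a 3.6 or newer server) to send listDatabases with no credentials and report whether the server answers or refuses with code 13 (Unauthorized). Only the BSON subset needed for that exchange is implemented, and the default target address is a placeholder.

```python
"""Probe a MongoDB server for unauthenticated access over the raw wire protocol.

Added example, not from the article or the original write-up. Assumes a MongoDB
3.6+ server (OP_MSG). A server with authorization enabled answers listDatabases
with ok=0 and code 13; an open server returns the database list.
"""
import socket
import struct
import sys

OP_MSG = 2013  # opcode for OP_MSG, the wire format used since MongoDB 3.6
# fixed-size BSON element types: double, int32, int64, timestamp, UTC datetime
FIXED = {0x01: ("<d", 8), 0x10: ("<i", 4), 0x12: ("<q", 8), 0x11: ("<Q", 8), 0x09: ("<q", 8)}


def encode_bson(doc: dict) -> bytes:
    """Encode a document whose values are bool/int32/float/str/dict/list."""
    body = b""
    for key, value in doc.items():
        name = key.encode() + b"\x00"
        if isinstance(value, bool):             # must precede int: bool subclasses int
            body += b"\x08" + name + (b"\x01" if value else b"\x00")
        elif isinstance(value, int):
            body += b"\x10" + name + struct.pack("<i", value)
        elif isinstance(value, float):
            body += b"\x01" + name + struct.pack("<d", value)
        elif isinstance(value, str):
            s = value.encode() + b"\x00"
            body += b"\x02" + name + struct.pack("<i", len(s)) + s
        elif isinstance(value, dict):
            body += b"\x03" + name + encode_bson(value)
        elif isinstance(value, (list, tuple)):  # arrays are documents keyed "0", "1", ...
            body += b"\x04" + name + encode_bson({str(i): v for i, v in enumerate(value)})
        else:
            raise TypeError(f"unsupported value for {key!r}: {type(value).__name__}")
    return struct.pack("<i", len(body) + 5) + body + b"\x00"


def decode_bson(buf: bytes, offset: int = 0):
    """Decode one BSON document at offset; returns (dict, offset after the document)."""
    end = offset + struct.unpack_from("<i", buf, offset)[0]
    pos, doc = offset + 4, {}
    while pos < end - 1:                        # the final byte is the 0x00 terminator
        etype = buf[pos]
        name_end = buf.index(b"\x00", pos + 1)
        key = buf[pos + 1:name_end].decode()
        pos = name_end + 1
        if etype in FIXED:
            fmt, size = FIXED[etype]
            doc[key], pos = struct.unpack_from(fmt, buf, pos)[0], pos + size
        elif etype == 0x02:                     # string: int32 length (incl. NUL), bytes, NUL
            slen = struct.unpack_from("<i", buf, pos)[0]
            doc[key], pos = buf[pos + 4:pos + 3 + slen].decode(), pos + 4 + slen
        elif etype in (0x03, 0x04):             # embedded document / array
            sub, pos = decode_bson(buf, pos)
            doc[key] = list(sub.values()) if etype == 0x04 else sub
        elif etype == 0x05:                     # binary: int32 length, subtype byte, payload
            blen = struct.unpack_from("<i", buf, pos)[0]
            doc[key], pos = buf[pos + 5:pos + 5 + blen], pos + 5 + blen
        elif etype == 0x08:
            doc[key], pos = buf[pos] == 1, pos + 1
        else:
            raise ValueError(f"unsupported BSON element type 0x{etype:02x}")
    return doc, end


def build_op_msg(command: dict, request_id: int = 1) -> bytes:
    """Wrap a command document in an OP_MSG with one kind-0 body section."""
    body = struct.pack("<I", 0) + b"\x00" + encode_bson(command)   # flagBits=0, kind 0
    return struct.pack("<iiii", 16 + len(body), request_id, 0, OP_MSG) + body


def parse_op_msg(data: bytes) -> dict:
    """Return the body document of an OP_MSG (replies use the same layout)."""
    length, _req, _resp_to, opcode = struct.unpack_from("<iiii", data, 0)
    if opcode != OP_MSG or length != len(data) or data[20] != 0:
        raise ValueError("not a single-section OP_MSG")
    return decode_bson(data, 21)[0]


def classify(reply: dict) -> str:
    """Turn a listDatabases reply into a verdict."""
    if reply.get("ok") == 1:                    # ok is a double (1.0) on the wire
        names = [db.get("name", "?") for db in reply.get("databases", [])]
        return "OPEN: listDatabases succeeded without credentials: " + ", ".join(names)
    if reply.get("code") == 13:                 # 13 = Unauthorized
        return "auth required (Unauthorized)"
    return "command failed: " + str(reply.get("errmsg", reply))


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def probe(host: str, port: int = 27017, timeout: float = 5.0) -> str:
    """Connect, send listDatabases with no credentials, and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_op_msg({"listDatabases": 1, "$db": "admin"}))
        head = _recv_exact(sock, 4)                         # messageLength comes first
        rest = _recv_exact(sock, struct.unpack("<i", head)[0] - 4)
    return classify(parse_op_msg(head + rest))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # placeholder target
    print(target, "->", probe(target))
```

Run it as `python probe.py <host>` against your own inventory of port 27017 listeners; an "OPEN:" verdict on anything reachable from a user or management network is the finding. Older servers that predate OP_MSG will reject the message, which is itself worth noting, since they also predate most of MongoDB's later authentication defaults.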

Using the password on the live server allowed the hacker to extract additional credentials, including the one for the Windows domain admin. The lateral movement through the network continued using tools like PowerShell, Metasploit's Meterpreter and many other utilities that are open-source or are included in Windows.

He targeted the computers used by systems administrators and stole their passwords, opening up access to other parts of the network, including the one that hosted the source code for RCS.

Aside from the initial exploit and backdoored firmware, it seems that Fisher didn't use any other programs that would qualify as malware. Most of them were tools intended for system administration whose presence on computers wouldn't necessarily trigger security alerts.
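Because the post-exploitation toolkit described above is largely built from administrative utilities, signature-based alerts on the tools themselves are of little use; what can be detected is the behaviour: tier-0 credentials showing up on ordinary servers, one source reaching many hosts in a few minutes, PowerShell launched with an encoded command, and service installs of the kind remote-execution tools leave behind. The following is an added example, not code from the article or from the write-up: four such rules in Python, run over a constructed set of Windows Security (4624, 4688) and System (7045) events. The account names, hosts, paths, the tier-0 policy and the fan-out threshold are all hypothetical and would be tuned per environment.

```python
"""Behavioural detection of living-off-the-land lateral movement in Windows events.

Added example. EVENTS is a constructed sample shaped like SIEM-normalised Windows
log records; it is not data from the Hacking Team breach. Names are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Hypothetical policy: tier-0 accounts and the only hosts they may log on to.
TIER0_ACCOUNTS = {"example\\da-admin"}
TIER0_HOSTS = {"dc01", "paw01"}
FANOUT_HOSTS = 3                       # distinct hosts reached from one source IP ...
FANOUT_WINDOW = timedelta(minutes=10)  # ... within this window
REMOTE_LOGON_TYPES = {"3", "10"}       # 3 = network (SMB/WMI/PSRemoting), 10 = RDP
# service binaries dropped directly into %SystemRoot% (PsExec-style), temp/user dirs or ADMIN$
SUSPICIOUS_SERVICE_PATH = re.compile(r"^c:\\windows\\[^\\]+$|\\temp\\|\\users\\|admin\$")

EVENTS = [  # constructed sample, chronological
    {"ts": "2016-04-16T10:00:00", "id": 4624, "host": "FS01", "user": "EXAMPLE\\da-admin", "logon_type": "3", "src_ip": "10.0.5.20"},
    {"ts": "2016-04-16T10:00:30", "id": 4624, "host": "DC01", "user": "EXAMPLE\\da-admin", "logon_type": "10", "src_ip": "10.0.1.5"},
    {"ts": "2016-04-16T10:02:00", "id": 4624, "host": "WS01", "user": "EXAMPLE\\it-support", "logon_type": "3", "src_ip": "10.0.5.20"},
    {"ts": "2016-04-16T10:03:10", "id": 4624, "host": "WS02", "user": "EXAMPLE\\it-support", "logon_type": "3", "src_ip": "10.0.5.20"},
    {"ts": "2016-04-16T10:04:05", "id": 4624, "host": "WS03", "user": "EXAMPLE\\it-support", "logon_type": "3", "src_ip": "10.0.5.20"},
    {"ts": "2016-04-16T10:05:00", "id": 4688, "host": "WS02", "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ts": "2016-04-16T10:05:30", "id": 4688, "host": "WS02", "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"ts": "2016-04-16T10:06:00", "id": 7045, "host": "WS03", "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2016-04-16T10:07:00", "id": 7045, "host": "WS03", "service": "BackupAgent", "image": r"C:\Program Files\Backup\agent.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def tier0_outside_tier0(events):
    """Rule 1: a tier-0 account authenticating remotely to a host outside the tier-0 set."""
    alerts = []
    for e in events:
        if e["id"] != 4624 or e["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        if e["user"].lower() in TIER0_ACCOUNTS and e["host"].lower() not in TIER0_HOSTS:
            alerts.append({"rule": "tier0-credential-outside-tier0", "host": e["host"],
                           "detail": f'{e["user"]} from {e["src_ip"]} (logon type {e["logon_type"]})'})
    return alerts


def lateral_fanout(events):
    """Rule 2: one source IP opening remote logons to many distinct hosts within FANOUT_WINDOW."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] in REMOTE_LOGON_TYPES:
            by_src[e["src_ip"]].append((_ts(e), e["host"]))
    alerts = []
    for src, logons in by_src.items():
        logons.sort()
        for i, (start, _host) in enumerate(logons):          # slide a window over each start
            hosts = {h for t, h in logons[i:] if t - start <= FANOUT_WINDOW}
            if len(hosts) >= FANOUT_HOSTS:
                alerts.append({"rule": "lateral-fanout", "host": src,
                               "detail": f"{len(hosts)} hosts within {FANOUT_WINDOW}: {sorted(hosts)}"})
                break                                         # one alert per source
    return alerts


def encoded_powershell(events):
    """Rule 3: powershell.exe started with -EncodedCommand, including its short forms (-e, -ec, -enc...)."""
    alerts = []
    for e in events:
        if e["id"] != 4688 or not e["process"].lower().endswith("\\powershell.exe"):
            continue
        tokens = [t.lower() for t in e["cmdline"].split()]
        # PowerShell accepts any unambiguous prefix of -EncodedCommand; -e and -ec are documented aliases
        if any(t == "-ec" or (len(t) >= 2 and "-encodedcommand".startswith(t)) for t in tokens):
            alerts.append({"rule": "encoded-powershell", "host": e["host"], "detail": e["cmdline"]})
    return alerts


def suspicious_service_install(events):
    """Rule 4: a new service (7045) whose binary lives where remote-exec tools drop payloads."""
    alerts = []
    for e in events:
        if e["id"] != 7045:
            continue
        image = e["image"].strip('"').lower().replace("%systemroot%", r"c:\windows")
        if SUSPICIOUS_SERVICE_PATH.search(image):
            alerts.append({"rule": "suspicious-service-install", "host": e["host"],
                           "detail": f'{e["service"]} -> {e["image"]}'})
    return alerts


def detect(events):
    """Run all rules; returns a list of alert dicts with rule, host and detail."""
    return (tier0_outside_tier0(events) + lateral_fanout(events)
            + encoded_powershell(events) + suspicious_service_install(events))


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(f'[{alert["rule"]}] {alert["host"]}: {alert["detail"]}')
```

On the sample each rule fires exactly once: the domain admin logon to the file server, the four hosts reached from 10.0.5.20 in four minutes, the hidden encoded PowerShell launch, and the PSEXESVC install; the legitimate DC logon, the signed-script PowerShell invocation and the backup agent service stay quiet. None of these rules needs a malware signature, which is the point: they key on credential tiering and on what admin tooling normally does not do.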

"That's the beauty and asymmetry of hacking: with 100 hours of work, one person can undo years of work by a multi-million dollar company," the hacker said at the end of his write-up. "Hacking gives the underdog a chance to fight and win."

Fisher targeted Hacking Team because the company's software was reportedly used by some governments with track records of human rights abuses, but his conclusion should serve as a warning to all companies that might draw the ire of hacktivists or whose intellectual property could be of interest to cyberspies.


Lucian Constantin

IDG News Service