The Hacking Team breach provides us with a rare front row seat to observe a data breach in detail. After reading this article, those unfamiliar with these dynamics will have a new appreciation for today's Cybersecurity threats and a greater understanding of security practitioners and their needs.
Hacking Team is an Italian company that sells intrusion and surveillance technologies to governments, law enforcement agencies, and companies. In July 2015, their network was breached, exposing their secrets and technologies for the world to see. To many, details seemed to support claims that the company operated without regard for the way its technologies were used in human rights violations. This was the original motivation for the attack, detailed on pastebin, though recently (2019) removed.
This disclosure offers unique insight into the brutal realities of today’s Cybersecurity dynamics. It exposes gaps in conventional thinking, specifically with respect to how far protective techniques must be deployed. It teaches us that, between the two extremes, working with extreme caution is far more appropriate than the alternative.
In this article, we walk through each of the attack's significant events to show how easy it is for an attacker to exploit system weaknesses. We also show you how protective shortcomings compound one another, paving a direct path to sensitive data compromise.
There are hundreds if not thousands of ways to access a company’s network, though some of the more common approaches do not apply given Hacking Team’s expertise in security. As noted by the attacker:
"I didn't want to try to spear phish Hacking Team, as their whole business is helping governments spear phish their opponents, so they'd be much more likely to recognize and investigate a spear phishing attempt."
Botnets offer another set of opportunities, given their prevalence and the ease with which one can use Bitcoin to rent one to help carry out tasks. But again, according to the attacker’s account of the breach:
"Thanks to hardworking Russians and their exploit kits, traffic sellers, and bot herders, many companies already have compromised computers in their networks. Almost all of the Fortune 500, with their huge networks, have some bots already inside. However, Hacking Team is a very small company, and most of it's [sic] employees are infosec experts, so there was a low chance that they'd already been compromised."
They say that in a game of billiards, you only need to make one or two tough shots and only once in a great while a trick shot. The rest are pretty straightforward.
An option always on the table involves exploiting perimeter devices to gain entry to the internal network. This requires exploiting misconfigured systems, systems with known vulnerabilities, or finding new vulnerabilities that have not yet been reported to the device vendor (0days).
Google search plays a prominent role in helping attackers define the corporate perimeter. With a series of focused searches supported by common network tools, it’s quite easy to draw a picture of the target's “digital footprint”. In this case, the attacker found a very small attack surface, as would be expected: a couple of routers, a mail server, a Joomla web server, a couple of VPN devices, and a spam appliance.
Gone In 360,000 Seconds
The attacker claims the entire process took 100 hours, which included an unusual set of steps not typically required. Because Hacking Team is in the business of building these tools, he had to be very careful about exposing himself (emphasis ours):
"The worst thing that could happen would be for my backdoor or post-exploitation tools to make the system unstable and cause an employee to investigate. So I spent a week testing my exploit, backdoor, and post-exploitation tools in the networks of other vulnerable companies before entering Hacking Team's network."
This includes the two weeks required to reverse engineer and test an exploit (seemingly) for a commercial appliance. That’s the trick shot.
Phishing attacks and botnets are most often easier to utilize than finding a new vulnerability in an existing system. Finding one requires a great deal of expertise, and it speaks to the level of effort a single, motivated attacker will undertake to acquire his/her bounty. This is not uncommon, though perhaps only a couple thousand people worldwide can do it.
On The Inside
Once the attacker gained operational access to the exploited system, he was able to view Hacking Team's internal network:
- Using nmap, an open source software network scanning utility built in the 90s, the attacker found two MongoDB NoSQL database instances that did not require passwords.
- The database exposed documentation about the internal network, which showed iSCSI network-attached storage devices on a network different from the one to which he had access. However, his nmap scan found them on the network he could observe, and they, too, lacked any username/password requirements.
- The backup drives exposed Virtual Machine backups of different servers. The attacker chose to investigate an email server.
- Using three open source password cracking tools, the attacker was able to search the offline backup image and find/crack a BlackBerry MDS Connection Server administrator password.
- The attacker then used these credentials to attempt a connection to a live server, with success. This offered up the opportunity to use more open source tools along with a commercial package to uncover the usernames and passwords of 19 Windows users.
This set of credentials included the Domain Administrator password.
Always use authentication when available. It may not stop an attack, but the added delay and required action increases chances of detection. Also, disable interactive login for service accounts. The Principle of Least Privilege applies in all situations.
Lateral Movement on Windows
At this point in the progression, the attacker paused to enumerate a number of methods for movement inside a Windows network. This requires code execution on host computers to which the attacker doesn’t (yet) have access. His account included over a dozen very specific tactics using over two dozen direct Internet references to instructions and/or technologies supporting these efforts. Only a few of the links refer to commercial software (which attackers usually steal anyway).
Another dozen references later and the attacker has given the reader more than sufficient information to enumerate all files on all hosts connected to an accessed network, methods for reading email and data from SharePoint servers, and ways to acquire Active Directory information with credentials and other data stored there. The amount of readily available information should give pause to any Executive considering Cybersecurity spending.
The guidance for Lateral Windows Movement includes over 40 individual references to open source software, documentation, and instructions for executing tasks associated with internal reconnaissance that is critical for an attacker's success.
As such, it’s fair to say that, once an attacker has access to your network, it’s very difficult to stop him or her. Though the attacker mentions anti-virus software and methods for avoiding detection, he does not address the realities of Intrusion Detection and Prevention systems or SIEM solutions. It would be easy for one to claim, “but my system would detect that,” though in reality it’s not usually that simple, and the attackers almost always have the advantage. An attacker who recognizes such protections can always employ diversions to redirect attention while stealing his or her bounty, e.g. DDoS attacks or “loud” intrusion attempts with automated scripts that draw attention away from the real threat. This dynamic plays out all around the world, constantly.
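The detection side raised above (IDS/SIEM) and the earlier guidance to disable interactive login for service accounts can both be expressed as simple log rules. The following is an added example, not code from the original article or the attacker's write-up: two Python rules run over constructed Windows Security logon events (Event ID 4624 reduced to timestamp, account, host and logon type). One flags an account whose network logons fan out to many distinct hosts within a short window, the pattern a freshly stolen Domain Administrator credential produces; the other flags interactive logons by service accounts. Host and account names, timestamps, the `svc-` naming convention and the threshold values are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Windows Security log entries reduced to the fields a SIEM rule keys on:
# (timestamp, account, destination host, logon type). Type 3 = network, 2 = console,
# 10 = RDP. Hosts, accounts and times are made up for this example.
SAMPLE_EVENTS = [
    ("2015-07-05 22:01:10", "CORP\\svc-backup", "FILESRV01", 3),
    ("2015-07-05 22:01:42", "CORP\\svc-backup", "MAILSRV01", 3),
    ("2015-07-05 22:02:05", "CORP\\svc-backup", "WKS-ADMIN01", 3),
    ("2015-07-05 22:02:30", "CORP\\svc-backup", "WKS-ADMIN02", 3),
    ("2015-07-05 22:03:15", "CORP\\svc-backup", "NAGIOS01", 3),
    ("2015-07-05 22:10:00", "CORP\\jdoe", "FILESRV01", 3),
    ("2015-07-05 22:40:00", "CORP\\jdoe", "SHAREPOINT01", 3),
    ("2015-07-05 09:00:00", "CORP\\svc-backup", "WKS-ADMIN02", 2),  # interactive logon
]
FANOUT_THRESHOLD = 4                   # distinct hosts; assumed tuning value
FANOUT_WINDOW = timedelta(minutes=10)  # sliding window; assumed tuning value
SERVICE_ACCOUNT_PREFIX = "svc-"        # naming convention assumed for this example
INTERACTIVE_LOGON_TYPES = {2, 10}

def detect_lateral_fanout(events, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """Map each account whose network logons reach `threshold` distinct hosts within
    one `window` to the sorted hosts seen when the rule fired (fan-out pattern)."""
    by_account = defaultdict(list)
    for ts, account, host, logon_type in events:
        if logon_type == 3:
            by_account[account].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host))
    flagged = {}
    for account, logons in by_account.items():
        logons.sort()                         # oldest first so the window can slide
        recent = deque()
        for when, host in logons:
            recent.append((when, host))
            while when - recent[0][0] > window:  # evict logons older than the window
                recent.popleft()
            hosts = {h for _, h in recent}
            if len(hosts) >= threshold:
                flagged[account] = sorted(hosts)
                break
    return flagged

def detect_service_interactive(events, prefix=SERVICE_ACCOUNT_PREFIX):
    """Return (account, host) pairs where a service account logged on interactively,
    which the guidance above says should be disabled outright."""
    return sorted({(acct, host) for _, acct, host, ltype in events
                   if ltype in INTERACTIVE_LOGON_TYPES
                   and acct.split("\\")[-1].startswith(prefix)})
```

On the sample, the service account fans out to four hosts inside ninety seconds and is flagged, while the ordinary user touching two hosts half an hour apart is not; a real deployment would feed these rules from the 4624 events a domain controller or endpoint agent forwards.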
Sysadmins And Network Isolation
Internal documentation, seemingly from the MongoDB server, indicated that Hacking Team’s RCS technology source code was hosted on a different network. The attacker’s account of how he went after this information is worth reading (emphasis ours):
"The sysadmins of a company always have access to everything, so I searched the computers of Mauro Romeo and Christian Pozzi to see how they administer the Sviluppo network, and to see if there were any other interesting systems I should investigate. It was simple to access their computers, since they were part of the windows domain where I'd already gotten admin access."
As we shall see, it is quite easy to tail a sysadmin, which, in this case, led the attacker directly to his prize.
Encryption: Used Alone, The Faux Panacea For Data Protection
The ultimate discovery was the existence of a TrueCrypt volume; TrueCrypt was widely regarded as the most secure disk encryption technology available. However, encryption without access control is meaningless: once the volume is mounted, it is trivial to recover its contents, as we see here (emphasis ours):
"Mauro Romeo's computer didn't have any ports open, so I opened the port for WMI and executed meterpreter. In addition to keylogging and screen scraping with Get-Keystrokes and Get-TimeScreenshot, I used many /gather/ modules from metasploit, CredMan.ps1, and searched for interesting files. Upon seeing that Pozzi had a Truecrypt volume, I waited until he'd mounted it and then copied off the files."
The last sentence in this section is critical. Though TrueCrypt provides world-class protection for data at rest, it doesn't protect the data from exposure to an attacker lying in wait on the machine where the volume is mounted. Though two-factor authentication can be used to help address this issue, it has to be applied in a very specific way that is not often seen. Our founder wrote about this in a Spiceworks column back in December 2014, and this dynamic is the single most significant motivating factor behind the formation of DefiniSec and the development of her technologies. Stay tuned for our analysis specific to this breach.
One of the TrueCrypt files contained a set of passwords, which included access to a Nagios server. Nagios is IT monitoring software that uses a web interface to provide per-server health information. As it turns out, that server was a gateway between the already compromised network and the target network holding the source code. Though the attacker only had a password to log in to the website, he was able to find a publicly posted exploit for that specific technology and gain access to the Nagios server itself, and thus, in the same fashion as the initial breach, to access the “internal” network.
This goes to our previous comment that adding passwords doesn't necessarily stop an attack, though it will slow things down. Any tool you can use that inhibits attacker progress creates opportunity for his or her actions to be exposed and detected.
The attacker was also able to use the Windows password of one of the users whose email contained references to cloud-hosted source code repositories. When he tried the repository login with the Windows password, it worked: the password was being reused. He then tried it for elevated Administrator access to other Hacking Team servers, again with success. At that point, the rest of the job was a simple matter of archiving/packing data and offloading it to a Command and Control (C&C) server for storage and retrieval.
Today's Cybersecurity landscape is rife with opportunity for those with malicious intent to compromise networks and steal sensitive content. As we have seen, even the more prominent and capable practitioners are challenged to properly protect their investments at all times. Clearly it only takes a simple mistake or misconfiguration to trigger the events that lead to data exposure. Protections must take into account the idea that an attacker is always present and waiting.
Stepping back, it's worth recognizing that nobody will ever stop all of the attackers all of the time. The goals should be to minimize collateral damage and recover quickly, minimizing impact to operations. In essence, the real battle is to make sure that any shortcoming in protective capacity has minimal fallout. Proper data partitioning and effective procedures designed to ensure protections remain intact can go a long way in reducing the impact of a security incident.
In follow-up work, we will review each of the significant events and offer techniques to help address these threats. We will also analyze the details of this breach specific to DefiniSec protection technologies - designed to defend organizations from these very dynamics.
Stay tuned for these articles, and while you're waiting, send us a note with your specific questions and concerns - maybe we can help you with your plans.
This article was published May 11th, 2016