Security Experts:

Hacker Details How He Infiltrated Hacking Team

A hacker using the handle "Phineas Fisher" has described how he hacked into surveillance software maker Hacking Team. Hacking Team is an Italian firm that hacks to order, primarily for law enforcement agencies and intelligence agencies. Last summer, Phineas Fisher (now going by the alias Hack Back!) on Twitter broke into Hacking Team and stole and published thousands of internal documents, some source code and several 0-day exploits.

Hack Back's methodology should be required reading for all CISOs. Detailed in a post on Pastebin, the attacker depicts the dedication, craft and patience that a dedicated cyber criminal brings to hacking - and some of his comments deserve serious consideration.

Politically he could be described as a hacktivist or vigilante. He uses the hashtag 'antisec' against his logo. The exact nature of antisec is open to conjecture. An 'antisec' that grew out of LulzSec and Anonymous was behind the hack of Stratfor at the end of 2011. But 'antisec' is also used to describe a movement that is literally anti the security industry.

Hack Back seems to have political activism as an important if not primary motive. In his account he comments, "Vincenzetti, the CEO [of Hacking Team], liked to end his emails with the fascist slogan 'boia chi molla'. Later he comments, "I see Vincenzetti, his company, his cronies in the police, Carabinieri, and government, as part of a long tradition of Italian fascism." Throughout the document he describes his disdain for society's 'status quo', with one-time members of the hacking counterculture now just wearing tee-shirts, dying their hair blue and feeling like rebels "while they work for the Man."

This hacker starts his explanation by saying he immediately rejected any attempt to spear-phish Hacking Team. Although it is currently the most successful hacking method, he felt that people who use the same techniques themselves would quite likely recognize the attempt and be put on guard.

He also noted that a ready-made entry was unavailable - and this is worth thinking about. "Thanks to hardworking Russians and their exploit kits, traffic sellers, and bot herders, many companies already have compromised computers in their networks. Almost all of the Fortune 500, with their huge networks, have some bots already inside."

But that didn't apply to Hacking Team, which is just a small company. He looked for a direct hacking route. Needless to say his target was well locked down, and he found no easy way in. "I had three options: look for a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the embedded devices." He chose an embedded device and spent two weeks reverse engineering it until he found a remote 0day root exploit (which, he notes, remains a 0day exploit today).

This is also worth noting: if a professional hacker looks long and hard enough, he will almost certainly find and develop a new 0day.

But he didn't rush in and use his new entry point - he prepared methodically. "I wrote a backdoored firmware, and compiled various post-exploitation tools for the embedded device. The backdoor serves to protect the exploit. Using the exploit just once and then returning through the backdoor makes it harder to identify and patch the vulnerabilities."

All of this had to be stable. If his presence caused a ripple that could be noticed on the inside, it would all be for nothing. Eventually he broke in; but did nothing but a slow reconnaissance of the Hacking Team network. Eventually he found what he was looking for: "Their insecure backups were the vulnerability that opened their doors. According to their documentation, their iSCSI devices were supposed to be on a separate network, but nmap found a few in their subnetwork"

Ultimately, with access to the backups, "I used my proxy and metasploit's psexec_psh to get a meterpreter session. Then I migrated to a 64 bit process, ran "load kiwi", "creds_wdigest", and got a bunch of passwords, including the Domain Admin..." And one administrator, he lolled, with the password, 'P4ssword'. And the rest, although still not easy, is history.

In reality, this document is far more than a description of taking down the Hacking Team - it is an introduction to serious hacking. That is what makes it important for CSOs to read. Hack Back goes into great detail over the methods and tools he used - and on the principle of "know your enemy," it is a salutary commentary on just how proficient that enemy is likely to be.

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.